Alan Hargreaves' Weblog

The ramblings of an Australian SaND TSC* Principal Field Technologist

* Solaris and Network Domain Technology Support Centre - The group I work for

Thursday Jul 30, 2009

Interim fixes for BIND Vulnerability VU#725188/CVE-2009-0696 (Updated)

Yesterday I noticed an article titled "New DoS Vulnerability in All versions of BIND 9" on Slashdot. The article refers to "BIND Dynamic Update DoS" at the ISC site, describing "Vulnerability Note VU#725188 - ISC BIND 9 vulnerable to denial of service via dynamic update request".

This very rapidly caused a stir on a few internal mailing lists that I'm on and work on addressing this as

        6865903 Updated, P1 network/dns CVE-2009-0696 BIND dynamic update problem

The current status of this within Sun is that the Interim Security Reliefs (ISR) are available from http://sunsolve.sun.com/tpatches for the following releases:

SPARC Platform:

  • Solaris 10 IDR142522-01
  • Solaris 9 IDR142524-01

x86 Platform:

  • Solaris 10 IDR142523-01
  • Solaris 9 IDR142525-01

Sun Alert 264828 is on its way to be published. When published it will be available from: http://sunsolve.sun.com/search/document.do?assetkey=1-66-264828-1

The fix is planned for build 121 for OpenSolaris/Nevada and we're attempting to get it into the next possible release Support Repository Update (SRU3).

Update 1

It turns out that the Solaris 9 ISR patches rely on an unreleased patch for Solaris 9. Work is underway to get this dependency out quickly.

Comments:

Found it useful...
Thanks Alan

Posted by Anshumali Sharma on July 30, 2009 at 01:06 PM EST #

Where is the link to the 2009.06 SRU page? The one off of sunsolve goes to 2008.11:

http://sunsolve.sun.com/show.do?target=opensolaris

Posted by Anil on July 30, 2009 at 02:46 PM EST #

@Anshumali, that's why I post stuff like this.

@Anil, Unfortunately they are not up yet. I noticed an action pushing to fix this in email this week.

Posted by Alan Hargreaves on July 30, 2009 at 03:07 PM EST #

We just worked around the clock to get ISC BIND 9.6.1-P1 Released as well as BIND 9.4.3-P3 in the stable tree. The software is seen to install smoothly and the named daemon is running as expected.
Users are expected to understand the fundamentals of ISC BIND operation and minimal README files are included with these software packages. A sample 256-bit rndc (algorithm hmac-md5) key is provided in the package and the installation process will look for a pre-existing rndc key in the /etc/opt/csw area. If none is found then the sample key will be installed. See http://www.blastwave.org/

Posted by Dennis Clarke on July 31, 2009 at 08:19 PM EST #
