[CVS] OpenPKG: openpkg-web/security OpenPKG-SA-2002.011-bind8.txt

[Michael Schloh]

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Michael Schloh
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   15-Nov-2002 13:08:25
  Branch: HEAD                             Handle: 2002111512082500

  Added files:
    openpkg-web/security    OpenPKG-SA-2002.011-bind8.txt

  Log:
    Added security advisory to accompany new BIND 8 packages.

  Summary:
    Revision    Changes     Path
    1.1         +85 -0      openpkg-web/security/OpenPKG-SA-2002.011-bind8.txt
  ____________________________________________________________________________

  Index: openpkg-web/security/OpenPKG-SA-2002.011-bind8.txt
  ============================================================
  $ cvs update -p -r1.1 OpenPKG-SA-2002.011-bind8.txt
  ________________________________________________________________________
  
  OpenPKG Security Advisory                            The OpenPKG Project
  http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  OpenPKG-SA-2002.011                                          15-Nov-2002
  ________________________________________________________________________
  
  Package:             bind8
  Vulnerability:       denial of service, arbitrary code execution
  OpenPKG Specific:    no
  
  Dependent Packages:  none
  Affected Releases:   Affected Packages:     Corrected Packages:
  OpenPKG 1.0          <= bind-8.2.6-1.0.1    >= bind-8.2.6-1.0.2
  OpenPKG 1.1          <= bind8-8.3.3-1.1.0   >= bind8-8.3.3-1.1.1
  OpenPKG CURRENT      <= bind8-8.3.3-2002082 >= bind8-8.3.3-20021114
  
  Description:
    The Internet Software Consortium (ISC) [1] has discovered or has been
    notified of several bugs which can result in vulnerabilities of varying
    levels of severity in BIND [2]. These problems include buffer overflows,
    stack revealing, divide by zero, null pointer dereferencing, and more [3].
    A subset of these vulnerabilities exist in the BIND packages distributed by
    OpenPKG.
  
    Please check whether you are affected by running "<prefix>/bin/rpm -qa |
    grep bind". If you have an affected version of the "bind" or "bind8" package
    (see above), upgrade it according to the solution below.
  
  Workaround:
    Because disabling recursion or disabling DNSSEC is a workaround to only a
    subset of the aforementioned problems, it is not a recommended aproach.
  
  Solution:
    Since these vulnerabilities do not exist in BIND version 9.2.1, one solution
    simply involves upgrading to it. The packages bind-9.2.1-1.1.0 in OpenPKG
    release 1.1 [4], and bind-9.2.1-20021111 in OpenPKG current [5] are both
    candidates in this respect. Be warned that although such later versions of
    BIND are stable, there exist large differences between BIND 8 and BIND 9
    software.
  
    A lighter approach involves updating existing packages to newly patched
    versions of BIND 8. Select the updated source RPM appropriate
    for your OpenPKG release [6][7][8], and fetch it from the OpenPKG FTP service
    or a mirror location. Verify its integrity [9], build a corresponding
    binary RPM from it and update your OpenPKG installation by applying the
    binary RPM [10]. For the latest OpenPKG 1.1 release, perform the following
    operations to permanently fix the security problem (for other releases
    adjust accordingly).
  
    $ ftp ftp.openpkg.org
    ftp> bin
    ftp> cd release/1.1/UPD
    ftp> get bind8-8.3.3-1.1.1.src.rpm
    ftp> bye
    $ <prefix>/bin/rpm -v --checksig bind8-8.3.3-1.1.1.src.rpm
    $ <prefix>/bin/rpm --rebuild bind8-8.3.3-1.1.1.src.rpm
    $ su -
    # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/bind8-8.3.3-1.1.1.*.rpm
    # <prefix>/etc/rc bind8 stop start
  ________________________________________________________________________
  
  References:
    [1]  http://www.isc.org/
    [2]  http://www.isc.org/products/BIND/
    [3]  http://www.isc.org/products/BIND/bind-security.html
    [4]  ftp://ftp.openpkg.org/release/1.1/SRC/bind-9.2.1-1.1.0.src.rpm
    [5]  ftp://ftp.openpkg.org/current/SRC/bind-9.2.1-20021111.src.rpm
    [6]  ftp://ftp.openpkg.org/release/1.0/UPD/bind-8.2.6-1.0.2.src.rpm
    [7]  ftp://ftp.openpkg.org/release/1.1/UPD/bind8-8.3.3-1.1.1.src.rpm
    [8]  ftp://ftp.openpkg.org/current/SRC/bind8-8.3.3-20021114.src.rpm
    [9]  http://www.openpkg.org/security.html#signature
    [10] http://www.openpkg.org/tutorial.html#regular-source
  ________________________________________________________________________
  
  For security reasons, this advisory was digitally signed with
  the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
  of the OpenPKG project which you can find under the official URL
  http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
  check the integrity of this advisory, verify its digital signature by
  using GnuPG (http://www.gnupg.org/). For example, pipe this message to
  the command "gpg --verify --keyserver keyserver.pgp.com".
  ________________________________________________________________________
  
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]