Update to CVE 2010-3613
ISC has updated CVE 2010-3613 and the associated operational guidance based on feedback from one of our forum members. The update changes affected versions to include versions of BIND 9 back to 9.0.x. Please review carefully and respond appropriately if you are running an affected version.

Best Regards,
Larissa

Larissa Shapiro
ISC Product Manager

--

Updated CVE:

BIND: cache incorrectly allows a ncache entry and a rrsig for the same type

Summary: Failure to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named.

CVE: CVE-2010-3613
CERT: VU#706148
Posting date: 01 Dec 2010
Revision: 14 December 2010
Program Impacted: BIND
Versions affected: 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2
Severity: High
Exploitable: remotely

Description: Adding certain types of negative signed responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST).

CVSS Base Score: 7.8 - (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more on CVSS scores and to calculate your environment's specific risk, please visit: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Impact and Risk Assessment: The INSIST crashes the server. This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.

Workarounds: none

Active exploits: None known at this time.

Solution: The versions listed below are supported by ISC. All other versions are End of Life, and will not be patched. If you are running a version not listed below, you should upgrade as soon as possible.

  9.4.x: upgrade to 9.4-ESV-R4, or newer
  9.6.x: upgrade to 9.6.2-P3 or newer
  9.6-ESV: upgrade to 9.6-ESV-R3 or newer
  9.7.x: upgrade to 9.7.2-P3

Acknowledgment: Shinichi Furuso

Revision History:
  24 November 2010: Corrected/Updated: Versions affected, CVSS Score, Impact, Risk Assessment and Solution
  14 December 2010: Updated Versions Affected, Solution and Acknowledgment

For more information please contact bind9-b...@isc.org

---

Updated Guidance Text:

CVE: CVE-2010-3613
CERT: VU#706148
BIND: cache incorrectly allows a ncache entry and a rrsig for the same type

Although the defect is very unlikely to be encountered in normal operation, if your recursive resolver is being used to query public Internet zones and you cannot readily restrict your client queries then there is the potential for a remote attacker to cause your nameserver to crash. Note particularly that disabling DNSSEC validation is NOT an effective workaround.

* We recommend that you plan to upgrade immediately if ALL of the following apply to your BIND installation:

  a) You are operating a recursive server which obtains answers from public Internet zones.
  b) You are running any version of BIND 9 including or prior to: 9.6.2 - 9.6.2-P2, 9.4-ESV - 9.6-ESV-R2, 9.7.0 - 9.7.2-P2
  c) The DNS clients accessing your resolver constitute a large pool and are not under your control or you cannot limit access only to machines with full trust.

* We suggest that you put this upgrade in your plans for 2011 if you are not operating recursive DNS servers.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
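Added example, not part of the ISC advisory or of any message on the list: a small Python check that classifies an upstream BIND 9 version string against the "Versions affected" and "Solution" lines of the advisory above. The function names and result labels are made up for this illustration; pre-release and vendor-specific version strings are reported as unknown.

```python
import re

# First fixed release per branch, copied from the advisory's "Solution" section.
# Key: (minor, is_esv) -> rank of the first fixed release on that branch.
FIXED = {
    (4, True): (4,),      # 9.4-ESV-R4
    (6, True): (3,),      # 9.6-ESV-R3
    (6, False): (2, 3),   # 9.6.2-P3
    (7, False): (2, 3),   # 9.7.2-P3
}

ESV_RE = re.compile(r"9\.(\d+)-ESV(?:-R(\d+))?(?:-P\d+)?$")
REL_RE = re.compile(r"9\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse(version):
    """Return (minor, is_esv, rank), or None for strings this sketch does not handle."""
    v = version.strip()
    if v.upper().startswith("BIND "):      # `named -v` prints e.g. "BIND 9.7.2-P3"
        v = v[5:].strip()
    m = ESV_RE.match(v)
    if m:
        return int(m.group(1)), True, (int(m.group(2) or 0),)
    m = REL_RE.match(v)
    if m:
        return int(m.group(1)), False, (int(m.group(2)), int(m.group(3) or 0))
    return None                            # betas, release candidates, vendor strings


def classify(version):
    """Classify an upstream version string for CVE-2010-3613 per the advisory."""
    parsed = parse(version)
    if parsed is None:
        return "unknown"
    minor, is_esv, rank = parsed
    if minor > 7:
        return "not listed"                # advisory's affected range ends at 9.7.2-P2
    fixed = FIXED.get((minor, is_esv))
    if fixed is None:
        # Branch without a listed fix (End of Life), e.g. 9.5.x or plain 9.4.x.
        return "affected, no fix on this branch"
    return "fixed" if rank >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inputs, including versions mentioned on this page.
    for sample in ("BIND 9.7.2-P3", "9.7.2-P2", "9.5.2-P4", "9.6-ESV-R2", "9.7.0-P2"):
        print(sample, "->", classify(sample))
```

The result reflects the upstream version string only; a distribution package can carry a backported fix under an older version number, so check the packager's changelog as well.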
vulnerability of bind
hello bind network

I just realized that my version of bind is vulnerable and I'm wondering if by upgrading to version 9.5.2-P4 I would always be vulnerable.

I use centos 5.5 and use http://www.pramberger.at/peter/services/repository/rhel5/ deposit

thanks

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
Re: vulnerability of bind
A question like this comes along every few weeks.

Just download the latest bind source from: http://www.isc.org/software/bind , configure, make, make test, install.

This is my cheat sheet (I do this every few months on ~10 servers -- I keep meaning to set up a puppet / similar script to take care of this for me, but never seem to manage to collect enough toits):

== Get source ==

ftp://ftp.isc.org/isc/bind9/

Unzip / untar source.

    cd /usr/local/src/bind
    sudo wget ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz

Now get and validate the GPG signature.

    sudo wget ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz.sha256.asc
    gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind-9.7.2-P3.tar.gz

Assuming all is good:

    sudo tar -xvzf bind-9.7.2-P3.tar.gz
    sudo rm bind-9.7.2-P3.tar.gz.*
    sudo chown -R wkumari.wkumari bind-9.7.2-P3/
    cd bind-9.7.2-P3/

Make sure you have the required dependencies:

    sudo apt-get install openssl libssl-dev gcc

And now build:

    ./configure --with-openssl=yes --with-randomdev=/dev/urandom
    make

And let's run some tests:

    make test

Check and install the new version:

    named -v
    which named
    make install
    named -v

Restart bind:

    sudo /etc/init.d/bind9 stop
    sudo /etc/init.d/bind9 start
    dig www.kumari.net +dnssec @localhost

Obviously, replace the versions with something sane, and the user / check domain with something else...

Oh, also tell your package manager that you no longer want it to do, well, whatever it thinks it is doing...
W

On Dec 14, 2010, at 1:28 PM, fakessh @ wrote:

> hello bind network
>
> I just realized that my version of bind is vulnerable and I'm wondering if by upgrading to version 9.5.2-P4 I would always be vulnerable.
>
> I use centos 5.5 and use http://www.pramberger.at/peter/services/repository/rhel5/ deposit
>
> thanks
Re: vulnerability of bind
On 14.12.2010 19:28, fakessh @ wrote:

> hello bind network
>
> I just realized that my version of bind is vulnerable and I'm wondering if by upgrading to version 9.5.2-P4 I would always be vulnerable.
>
> I use centos 5.5 and use http://www.pramberger.at/peter/services/repository/rhel5/ deposit
>
> thanks

I finally just made the upgrade to bind-9.7.0-5.P2.el5.i386.rpm. The packages are available on http://people.redhat.com/atkac/ and I wonder if this package is also vulnerable.

Wait the arrival of centos 5.6 for package bind well to have updated and which supports dnssec.

thanks