Re: [FUG-BR] [INFOSEG] FreeBSD Security Advisory FreeBSD-SA-08:06.bind

[Tiago H.Pires]

Boa tarde!

Uma pergunta referente a essa atualização do bind. Eu atualizei via
fonte em um server com freebsd 6.2, e o mesmo com named -v me informa
que a versão atual do bind é a 9.3.5. Em um outro server com freebsd 6.3
atualizei também via fontes e com named -v me informa que a versão atual
é a 9.3.5. 
O server com freebsd 6.2 vou dar um upgrade nele para 6.3, mas a
pergunta é :

No site do ISC fala que para versões 9.3.* a versão 9.3.5-P1 é a
solução, mas não sei se era para aparecer 9.3.5-P1 quando desse o named
-v.
Em um server freebsd 6.3 atualizei via patch de acordo com o Aviso de
segurança do site oficial e com named -v, tmb aparece 9.3.5.

Como está aparecendo a versão depois de instalado a correção para vcs ?

att

Tiago



Em Seg, 2008-07-14 às 08:55 -0300, Welkson Renny de Medeiros escreveu:
> Welkson

-
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd

[FUG-BR] [INFOSEG] FreeBSD Security Advisory FreeBSD-SA-08:06.bind

[Welkson Renny de Medeiros]

Para informação...

Welkson

- Original Message - 
From: "Alexander Pereira Girald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 13, 2008 7:24 PM
Subject: [INFOSEG] FreeBSD Security Advisory FreeBSD-SA-08:06.bind


> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> =
> FreeBSD-SA-08:06.bind   Security 
> Advisory
>   The FreeBSD 
> Project
>
> Topic:  DNS cache poisoning
>
> Category:   contrib
> Module: bind
> Announced:  2008-07-13
> Credits:Dan Kaminsky
> Affects:All supported FreeBSD versions.
> Corrected:  2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
> 2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
> 2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
> 2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
> CVE Name:   CVE-2008-1447
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit http://security.FreeBSD.org/>.
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.  DNS requests
> contain a query id which is used to match a DNS request with the response
> and to make it harder for anybody but the DNS server which received the
> request to send a valid response.
>
> II.  Problem Description
>
> The BIND DNS implementation does not randomize the UDP source port when
> doing remote queries, and the query id alone does not provide adequate
> randomization.
>
> III. Impact
>
> The lack of source port randomization reduces the amount of data the
> attacker needs to guess in order to successfully execute a DNS cache
> poisoning attack.  This allows the attacker to influence or control
> the results of DNS queries being returned to users from target systems.
>
> IV.  Workaround
>
> Limiting the group of machines that can do recursive queries on the DNS
> server will make it more difficult, but not impossible, for this
> vulnerability to be exploited.
>
> To limit the machines able to perform recursive queries, add an ACL in
> named.conf and limit recursion like the following:
>
> acl example-acl {
>192.0.2.0/24;
> };
>
> options {
> recursion yes;
> allow-recursion { example-acl; };
> };
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
> RELENG_7_0 or RELENG_6_3 security branch dated after the correction
> date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and
> 7.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.3]
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch.asc
>
> [FreeBSD 7.0]
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/bind
> # make obj && make depend && make && make install
> # cd /usr/src/usr.sbin/named
> # make obj && make depend && make && make install
>
> NOTE WELL: This update causes BIND to choose a new, random UDP port for
> each new query; this may cause problems for some network configurations,
> particularly if firewall(s) block incoming UDP packets on particular
> ports.  The avoid-v4-udp-ports and avoid-v6-udp-ports options should be
> used to avoid selecting random port numbers within a blocked range.
>
> NOTE WELL: If a port number is specified via the query-source or
> query-source-v6 options to BIND, randomized port selection will not be
> used.  Consequently it is strongly recommended that these options not
> be used to specify fixed port numbers.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch   Revision
>   Path
> - -
> RELENG_6
>   src/contrib/bind9/bin/named/client.c1.1.1.2.2.5
>   src/contrib/bind9/bin/named/server.c1.1.1.2.2.4
>   src/contrib/bind9/lib/dns/api   1.1.1.2.2.5
>   src/contrib/bind9/lib/dns/dispatch.c1.1.1.1.4.4
>   src/contrib/bind9/lib/dns/include/dns/dispatch.h1.1.1.1.4.3
>   src/contrib/bind9/lib/dns/resolver.c1.1.1.2.2.8
> RELENG_6_3
>   src/UPDATING