Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA 1604-1] BIND 8 deprecation notice
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 08 Jul 2008 19:03:55 +0200

Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1604-1                  security () debian org
http://www.debian.org/security/                           Florian Weimer
July 08, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : bind
Vulnerability  : DNS cache poisoning
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1447
CERT advisory  : VU#800113

Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks.  Among other things,
successful attacks can lead to misdirected web traffic and email

The BIND 8 legacy code base could not be updated to include the
recommended countermeasure (source port randomization, see DSA-1603-1
for details).  There are two ways to deal with this situation:

1. Upgrade to BIND 9 (or another implementation with source port
randomization).  The documentation included with BIND 9 contains a
migration guide.

2. Configure the BIND 8 resolver to forward queries to a BIND 9
resolver.  Provided that the network between both resolvers is trusted,
this protects the BIND 8 resolver from cache poisoning attacks (to the
same degree that the BIND 9 resolver is protected).

This problem does not apply to BIND 8 when used exclusively as an
authoritative DNS server.  It is theoretically possible to safely use
BIND 8 in this way, but updating to BIND 9 is strongly recommended.
BIND 8 (that is, the bind package) will be removed from the etch
distribution in a future point release.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Version: GnuPG v1.4.6 (GNU/Linux)


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 1604-1] BIND 8 deprecation notice Florian Weimer (Jul 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]