[Outlook and Notes users -- please ask your system administrators to
assist you in creating out-of-office-autoreplies that respect public
mail lists; perhaps, creating such a reply that works only within the
organization or business partners.]
[Virus scanner administrators -- sending virus warnings to a From: or
From_ header is a waste of time. Please configure your scanners to drop
mail in the SMTP protocol, and not bounce the email after the fact.
Thanks.]
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: bind
Affected products: Immunix OS 7+
Bugs fixed: VU#734644 CAN-2003-0914
Date: Mon Oct 27 2003
Advisory ID: IMNX-2003-7+-024-01
Author: Seth Arnold <sarnold@xxxxxxxxxxx>
-----------------------------------------------------------------------
Description:
A vulnerability has been found in BIND that ".. allows an attacker to
conduct cache poisoning attacks on vulnerable name servers by
convincing the servers to retain invalid negative responses."
Our bind-8.2.3-3.3_imnx_5 packages fix this problem using a patch
derived from the BIND 8.3.7 release. This vulnerability has been named
CAN-2003-0914 by the CVE project.
We'd like to apologize to our US subscribers for the incredibly poor
timing, to release this notice a day before the Thanksgiving holiday.
Our options were limited by ISC, the package maintainer.
References: http://www.kb.cert.org/vuls/id/734644
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0914
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm
A source package for Immunix 7+ is available at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm
Immunix OS 7+ md5sums:
8a5874f96e1c76b11c214ab16e1183f4 RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm
83535ea7a69ab222ccf5c8664bfd66b9 RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm
7669fedc653731bf54cc0dd48b258a8f RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm
445c908f0c4daffe0a153bc7e5514a85 SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm
GPG verification:
Our public keys are available at http://download.immunix.org/GPG_KEY
Immunix, Inc., has changed policy with GPG keys. We maintain several
keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@xxxxxxxxxxxx
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.
Attachment:
pgp6JAACiP98U.pgp
Description: PGP signature