<<< Date Index >>>     <<< Thread Index >>>

[OpenPKG-SA-2006.029] OpenPKG Security Advisory (bind)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                                   OpenPKG GmbH
http://openpkg.org/security/                          http://openpkg.com
OpenPKG-SA-2006.029                                           2006-11-04
________________________________________________________________________

Package:          bind
Vulnerability:    signature verification failure
OpenPKG Specific: no

Affected Series:  Affected Packages:       Corrected Packages:
E1.0-SOLID        <= bind-9.3.2-E1.0.0     >= bind-9.3.2-E1.0.1
2-STABLE-20061018 <= bind-9.3.2-2.20061018 >= bind-9.3.2p2-2.20061104
2-STABLE          <= bind-9.3.2-2.20061018 >= bind-9.3.2p2-2.20061104
CURRENT           <= bind-9.3.2-20061013   >= bind-9.3.2p2-20061104

Description:
  According to a vendor security advisory [0], the DNS server BIND [1]
  (versions up to and including 9.3.2-P1) is vulnerable to the recently
  discovered OpenSSL RSA signature verification problem for which the
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2006-4339 [2].
  
  BIND uses RSA cryptography as part of its DNSSEC implementation. To
  resolve the security issue, upgrade to the corrected OpenPKG packages
  and for both your KEY and DNSKEY resource record types, generate new
  RSASHA1 and RSAMD5 keys using the "-e" option to dnssec-keygen(8) if
  the current keys were generated using the default exponent of 3. You
  can determine if your keys are vulnerable by looking at the algorithm
  (1 or 5) and the first three characters of the Base64 encoded RSA key.
  RSASHA1 (5) and RSAMD5 (1) keys that start with "AQM", "AQN", "AQO" or
  "AQP" are vulnerable.
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=bind-announce&m=116253119512445 
  [1] http://www.isc.org/sw/bind/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFFTIxWgHWT4GPEy58RAlu0AKCMSPyWef3lN4DkDeG3ozE/6GJR2ACg349w
9CPsNmqxAi/7ctIdIFnuASY=
=WU4O
-----END PGP SIGNATURE-----