Alan Hargreaves' Blog

The ramblings of a former Australian SaND TSC* Principal Field Technologist

Interim fixes for Bind Vulnerability VU#725188/CVE-2009-0696 (Updated)

Yesterday I noticed an article titled New DoS Vulnerability in All versions of BIND 9 on slashdot. The article refers to BIND Dynamic Update DoS at the ISC site describing Vulnerability Note VU#725188 – ISC BIND 9 vulnerable to denial of service via dynamic update request.

This very rapidly caused a stir on a few internal mailing lists that I'm on, and the work to address it is being tracked as

6865903 Updated, P1 network/dns CVE-2009-0696 BIND dynamic update problem

The current status of this within Sun is that the Interim Security Reliefs (ISR) are available from http://sunsolve.sun.com/tpatches for the following releases:

SPARC Platform:

  • Solaris 10 IDR142522-01
  • Solaris 9 IDR142524-01

x86 Platform:

  • Solaris 10 IDR142523-01
  • Solaris 9 IDR142525-01
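As an added check that is not part of the original post: a small POSIX sh script that picks the IDR listed above for the host's Solaris release and processor type and confirms that it appears in the installed patch list at the required revision or later. It assumes `uname -r` reports 5.9 or 5.10 and `uname -p` reports sparc or i386, and that `showrev -p` (or `patchadd -p`) lists interim reliefs as `Patch: IDR142522-01 Obsoletes: ...`; the sample patch list in the block is constructed, and `check_host` is a name chosen here.

```shell
#!/bin/sh
# Map a Solaris release (uname -r) and processor type (uname -p) to the
# IDR listed in the post for CVE-2009-0696. Prints the IDR id; returns 1
# when the post lists nothing for that combination.
expected_idr() {
    case "$1/$2" in
        5.10/sparc) echo IDR142522-01 ;;
        5.9/sparc)  echo IDR142524-01 ;;
        5.10/i386)  echo IDR142523-01 ;;
        5.9/i386)   echo IDR142525-01 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if IDR id $1 (e.g. IDR142522-01) is present in patch list $2
# (the text of `showrev -p`) at the required revision or a later one.
# Assumed line format: "Patch: IDR142522-01 Obsoletes: ... Packages: ..."
idr_installed() {
    idr="$1"; patchlist="$2"
    base=${idr%-*}            # IDR142522
    need=${idr##*-}           # 01
    need=$(printf '%s' "$need" | sed 's/^0*//'); need=${need:-0}
    # Every installed revision of this IDR base id (there may be several)
    revs=$(printf '%s\n' "$patchlist" \
           | sed -n "s/^Patch: ${base}-\([0-9][0-9]*\).*/\1/p")
    [ -n "$revs" ] || return 1
    for r in $revs; do
        # compare in decimal; strip leading zeros so 08/09 are not read as octal
        rn=$(printf '%s' "$r" | sed 's/^0*//'); rn=${rn:-0}
        if [ "$rn" -ge "$need" ]; then return 0; fi
    done
    return 1
}

# Run the check on the local host (Solaris only; uses uname and showrev).
check_host() {
    rel=$(uname -r); proc=$(uname -p)
    idr=$(expected_idr "$rel" "$proc") || {
        echo "no IDR listed for Solaris $rel on $proc"; return 2; }
    if idr_installed "$idr" "$(showrev -p 2>/dev/null)"; then
        echo "$idr installed: BIND interim relief for CVE-2009-0696 present"
    else
        echo "$idr NOT installed: BIND still exposed to CVE-2009-0696"; return 1
    fi
}

# Constructed sample of showrev -p output, used for a self-test of the parser.
sample_patchlist="Patch: 118833-36 Obsoletes: 118824-01 Requires:  Incompatibles:  Packages: SUNWcsu
Patch: IDR142522-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWbind"

if [ "${1-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh idrcheck.sh --check` on the host; exit status 0 means the listed IDR is present, 1 means it is missing, 2 means the post lists nothing for that release/processor. An IDR is an interim relief, so once the Sun Alert patch ships the table in `expected_idr` needs the released patch id instead.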

Sun Alert 264828 is on its way to being published. Once published it will be available from: http://sunsolve.sun.com/search/document.do?assetkey=1-66-264828-1

The fix is planned for build 121 of OpenSolaris/Nevada, and we're attempting to get it into the next possible Support Repository Update release (SRU3).

Update 1

It turns out that the Solaris 9 ISR patches rely on an unreleased patch for Solaris 9. Work is underway to get this dependency out quickly.


Written by Alan

July 29, 2009 at 3:37 pm

Posted in Solaris

4 Responses


  1. Found it useful…
    Thanks Alan

    Anshumali Sharma

    July 29, 2009 at 8:06 pm

  2. Where is the link to the 2009.06 SRU page? The one off of sunsolve goes to 2008.11:
    http://sunsolve.sun.com/show.do?target=opensolaris

    Anil

    July 29, 2009 at 9:46 pm

  3. @Anshumali, that’s why I post stuff like this.
    @Anil, Unfortunately they are not up yet. I noticed an action pushing to fix this in email this week.

    Alan Hargreaves

    July 29, 2009 at 10:07 pm

  4. We just worked around the clock to get ISC BIND 9.6.1-P1 released, as well as BIND 9.4.3-P3 in the stable tree. The software is seen to install smoothly and the named daemon is running as expected.
    Users are expected to understand the fundamentals of ISC BIND operation, and minimal README files are included with these software packages. A sample 256-bit rndc (algorithm hmac-md5) key is provided in the package, and the installation process will look for a pre-existing rndc key in the /etc/opt/csw area. If none is found then the sample key will be installed. See http://www.blastwave.org/

    Dennis Clarke

    July 31, 2009 at 3:19 am

