ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory
FreeBSD-SA-10:01.bind
Uehata Keiji
uehata at firstserver.co.jp
Thu Jan 7 08:35:47 UTC 2010
お疲れ様です。上畑@技術Gです。
Yライト、おとくフリーセルは
dnssec-enable no;で全て統一設定されていた為、問題ありません。
また
9.3.0からは記述がない場合でもdnssec-enable noがデフォルト値となっている
ようです。
以上よろしくお願いします。
---------------------------------------
ファーストサーバ株式会社
運用技術部 技術グループ
上畑 圭史 <Keiji Uehata>
e-mail:uehata at firstserver.co.jp
TEL :050-3160-0763 / 06-6261-3332(代表)
FAX :06-6125-1733
URL :http://www.fsv.jp/
http://www.firstserver.co.jp/
住所:〒541-0052
大阪市中央区安土町1丁目8番15号 野村不動産大阪ビル3F
---------------------------------------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-10:01.bind Security Advisory
> The FreeBSD Project
>
> Topic: BIND named(8) cache poisoning with DNSSEC validation
>
> Category: contrib
> Module: bind
> Announced: 2010-01-06
> Credits: Michael Sinatra
> Affects: All supported versions of FreeBSD.
> Corrected: 2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
> 2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
> 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
> 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
> 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
> CVE Name: CVE-2009-4022
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> DNS Security Extensions (DNSSEC) provides data integrity, origin
> authentication and authenticated denial of existence to resolvers.
>
> II. Problem Description
>
> If a client requests DNSSEC records with the Checking Disabled (CD) flag
> set, BIND may cache the unvalidated responses. These responses may later
> be returned to another client that has not set the CD flag.
>
> III. Impact
>
> If a client can send such queries to a server, it can exploit this
> problem to mount a cache poisoning attack, seeding the cache with
> unvalidated information.
>
> IV. Workaround
>
> Disabling DNSSEC validation will prevent BIND from caching unvalidated
> records, but also prevent DNSSEC authentication of records. Systems not
> using DNSSEC validation are not affected.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.1, 7.2, and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.3]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc
>
> [FreeBSD 6.4]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc
>
> [FreeBSD 7.1]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc
>
> [FreeBSD 7.2]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc
>
> [FreeBSD 8.0]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/bind
> # make obj && make depend && make && make install
> # cd /usr/src/usr.sbin/named
> # make obj && make depend && make && make install
> # /etc/rc.d/named restart
>
> NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
> a more recent BIND version with more complete DNSSEC support. This
> can be done either by upgrading to FreeBSD 7.x or later, or installing
> BIND for the FreeBSD Ports Collection.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch Revision
> Path
> - -------------------------------------------------------------------------
> RELENG_6
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.4
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.2
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.11
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.3
> src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.6
> src/contrib/bind9/bin/named/query.c 1.1.1.1.4.7
> RELENG_6_4
> src/UPDATING 1.416.2.40.2.13
> src/sys/conf/newvers.sh 1.69.2.18.2.15
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.3.2.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.4.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.9.2.1
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.4.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.4.2.1
> src/contrib/bind9/bin/named/query.c 1.1.1.1.4.5.2.1
> RELENG_6_3
> src/UPDATING 1.416.2.37.2.20
> src/sys/conf/newvers.sh 1.69.2.15.2.19
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.2.2.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.2.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.6.2.2
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.2.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.3.2.1
> src/contrib/bind9/bin/named/query.c 1.1.1.1.4.4.2.1
> RELENG_7
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.4
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.2.2
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.6
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.3
> src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.5
> src/contrib/bind9/bin/named/query.c 1.1.1.6.2.4
> RELENG_7_2
> src/UPDATING 1.507.2.23.2.9
> src/sys/conf/newvers.sh 1.72.2.11.2.10
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.2.2.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.8.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.4.2.1
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.1.2.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.3.2.1
> src/contrib/bind9/bin/named/query.c 1.1.1.6.2.2.2.1
> RELENG_7_1
> src/UPDATING 1.507.2.13.2.13
> src/sys/conf/newvers.sh 1.72.2.9.2.14
> src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.1.4.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.6.1
> src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.3.2.1
> src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.6.1
> src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.1.4.1
> src/contrib/bind9/bin/named/query.c 1.1.1.6.2.1.4.1
> RELENG_8
> src/contrib/bind9/lib/dns/rbtdb.c 1.3.2.2
> src/contrib/bind9/lib/dns/include/dns/types.h 1.2.2.2
> src/contrib/bind9/lib/dns/resolver.c 1.6.2.2
> src/contrib/bind9/lib/dns/masterdump.c 1.3.2.2
> src/contrib/bind9/lib/dns/validator.c 1.4.2.2
> src/contrib/bind9/bin/named/query.c 1.3.2.2
> RELENG_8_0
> src/UPDATING 1.632.2.7.2.5
> src/sys/conf/newvers.sh 1.83.2.6.2.5
> src/contrib/bind9/lib/dns/rbtdb.c 1.3.4.1
> src/contrib/bind9/lib/dns/include/dns/types.h 1.2.4.1
> src/contrib/bind9/lib/dns/resolver.c 1.6.4.1
> src/contrib/bind9/lib/dns/masterdump.c 1.3.4.1
> src/contrib/bind9/lib/dns/validator.c 1.4.4.1
> src/contrib/bind9/bin/named/query.c 1.3.4.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/6/ r200394
> releng/6.4/ r201679
> releng/6.3/ r201679
> stable/7/ r200393
> releng/7.2/ r201679
> releng/7.1/ r201679
> stable/8/ r200383
> releng/8.0/ r201679
> head/ r199958
> - -------------------------------------------------------------------------
>
> VII. References
>
> https://www.isc.org/node/504
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K
> RUb5Kn+O1qc/FUzEQ12AmrA=
> =Pfoo
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list