Lucene search

K
centosCentOS ProjectCESA-2008:0533-03
HistoryJul 09, 2008 - 1:20 a.m.

bind security update

2008-07-0901:20:56
CentOS Project
lists.centos.org
60

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.101 Low

EPSS

Percentile

94.8%

CentOS Errata and Security Advisory CESA-2008:0533-03

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols.

The DNS protocol protects against spoofing attacks by requiring an attacker
to predict both the DNS transaction ID and UDP source port of a request. In
recent years, a number of papers have found problems with DNS
implementations which make it easier for an attacker to perform DNS
cache-poisoning attacks.

Previous versions of BIND did not use randomized UDP source ports. If an
attacker was able to predict the random DNS transaction ID, this could make
DNS cache-poisoning attacks easier. In order to provide more resilience,
BIND has been updated to use a range of random UDP source ports.
(CVE-2008-1447)

Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4
and 5 to allow BIND to use random UDP source ports.

Users of BIND are advised to upgrade to these updated packages, which
contain a backported patch to add this functionality.

Red Hat would like to thank Dan Kaminsky for reporting this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2008-July/077244.html

Affected packages:
bind
bind-devel
bind-utils

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.101 Low

EPSS

Percentile

94.8%