ID: CESA-2010:0976
Type: centos
Reporter: CentOS Project
Modified: 2010-12-13T20:18:10
Description

CentOS Errata and Security Advisory CESA-2010:0976

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.

It was discovered that named did not invalidate previously cached RRSIG
records when adding an NCACHE record for the same entry to the cache. A
remote attacker allowed to send recursive DNS queries to named could use
this flaw to crash named. (CVE-2010-3613)

A flaw was found in the DNSSEC validation code in named. If named had
multiple trust anchors configured for a zone, a response to a request for a
record in that zone with a bad signature could cause named to crash.
(CVE-2010-3762)

It was discovered that, in certain cases, named did not properly perform
DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY
algorithm rollover. This flaw could cause the validator to incorrectly
determine that the zone is insecure and not protected by DNSSEC.
(CVE-2010-3614)

All BIND users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. After installing the
update, the BIND daemon (named) will be restarted automatically.

Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2010-December/017209.html
http://lists.centos.org/pipermail/centos-announce/2010-December/017210.html
Affected packages:
bind
bind-chroot
bind-devel
bind-libbind-devel
bind-libs
bind-sdb
bind-utils
caching-nameserver

Affected versions: CentOS 5 (i386 and x86_64; the source package is listed with arch "any"), all of the packages above at versions lower than 9.3.6-4.P1.el5_5.3

Upstream details at:
https://rhn.redhat.com/errata/RHSA-2010-0976.html

Title: bind, caching security update
Bulletin family: unix
Published: 2010-12-13T20:18:10
CVSS: 6.4 (AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/)
CVE list: CVE-2010-3614, CVE-2010-3613, CVE-2010-3762
Vulners score: 8.3
Last seen: 2017-10-03T18:25:57
{"result": {"cve": [{"id": "CVE-2010-3614", "type": "cve", "title": "CVE-2010-3614", "description": "named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover.", "published": "2010-12-06T08:44:54", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3614", "cvelist": ["CVE-2010-3614"], "lastseen": "2016-09-03T14:23:20"}, {"id": "CVE-2010-3613", "type": "cve", "title": "CVE-2010-3613", "description": "named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data.", "published": "2010-12-06T08:44:54", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3613", "cvelist": ["CVE-2010-3613"], "lastseen": "2017-09-19T13:37:06"}, {"id": "CVE-2010-3762", "type": "cve", "title": "CVE-2010-3762", "description": "ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (daemon crash) via a DNS query.", "published": "2010-10-05T18:00:06", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3762", "cvelist": ["CVE-2010-3762"], "lastseen": "2016-09-03T14:25:15"}], "f5": [{"id": 
"F5:K12567", "type": "f5", "title": "BIND vulnerability CVE-2010-3614", "description": "**Note**: For information about signing up to receive security notice updates from F5, refer to [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>).\n\n**Note**: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about F5's security policy regarding evaluating older and unsupported versions of F5 products, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n**F5 products and versions that have been evaluated for this Security Advisory**\n\nProduct | Affected | Not Affected \n---|---|--- \nBIG-IP LTM | None | *9.0.0 - 9.4.8 \n*10.0.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \n \nBIG-IP GTM | None | *9.2.2 - 9.4.8 \n*10.0.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \nBIG-IP ASM | None | *9.2.0 - 9.4.8 \n*10.0.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \nBIG-IP Link Controller | None | *9.2.2 - 9.4.8 \n*10.0.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \nBIG-IP WebAccelerator | None | *9.4.0 - 9.4.8 \n*10.0.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \n \nBIG-IP PSM | None | *9.4.5 - 9.4.8 \n*10.0.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \n \nBIG-IP WOM | None | *10.0.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \n \nBIG-IP APM | None | *10.1.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \n \nBIG-IP Edge Gateway | None | *10.1.0 - 10.2.1 \n10.2.1 HF1 \n10.2.2 - 10.2.4 \n11.x \n \nBIG-IP Analytics | None | 11.x \nBIG-IP AFM | None \n| 11.x \n \nBIG-IP PEM \n| None \n| 11.x \n \nBIG-IP AAM | None | 11.x \nFirePass | None | 5.x \n6.x \n7.x \nEnterprise Manager | None | *1.0.0 - 2.3.0 \n3.x \nARX | None | 2.x \n3.x \n4.x \n5.x \n6.x \n \n* F5 Product Development has determined that these BIG-IP and Enterprise Manager versions use a 
vulnerable version of BIND. However, the vulnerable code is not used by default on these BIG-IP or Enterprise Manager systems.\n\nThis security advisory describes a **BIND** vulnerability.\n\nFor information about this advisory, refer to the Common Vulnerabilities and Exposures website at the following location:\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614>\n\nF5 Product Development tracked an update to a version of BIND which mitigates this vulnerability, as ID 345944 and it was fixed in BIG-IP 10.2.2. BIND was updated to a non-vulnerable version in BIG-IP 10.2.1 HF1. You may download the 10.2.1 HF1 hotfix or later versions of the hotfix from the F5 [Downloads](<http://downloads.f5.com/esd/index.jsp>) site.\n\nIn addition, [BIG-IP iHealth](<http://www.f5.com/services/customer-support/ihealth/>) may list Heuristic H383256 on the Diagnostics > Identified > Medium screen.\n\nFor a list of the latest available hotfixes, refer to [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>).\n\nFor information about the F5 hotfix policy, refer to [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>).\n\nFor information about how to manage F5 product hotfixes, refer to [K6845: Managing F5 product hotfixes](<https://support.f5.com/csp/article/K6845>).\n\nFor information about installing version 10.x hotfixes, refer to in [K10025: Managing F5 product hotfixes for BIG-IP 10.x systems](<https://support.f5.com/csp/article/K10025>).\n", "published": "2011-01-28T02:14:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K12567", "cvelist": ["CVE-2010-3614"], "lastseen": "2017-10-12T02:11:13"}, {"id": "SOL12567", "type": "f5", "title": "SOL12567 - BIND vulnerability 
CVE-2010-3614", "description": "* F5 Product Development has determined that these BIG-IP and Enterprise Manager versions use a vulnerable version of BIND. However, the vulnerable code is not used by default on these BIG-IP or Enterprise Manager systems.\n\nThis security advisory describes a **BIND** vulnerability.\n\nFor information about this advisory, refer to the Common Vulnerabilities and Exposures website at the following location:\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614>\n\nF5 Product Development tracked an update to a version of BIND which mitigates this vulnerability, as ID 345944 and it was fixed in BIG-IP 10.2.2. BIND was updated to a non-vulnerable version in BIG-IP 10.2.1 HF1. You may download the 10.2.1 HF1 hotfix or later versions of the hotfix from the F5 [Downloads](<http://downloads.f5.com/esd/index.jsp>) site.\n\nIn addition, [BIG-IP iHealth](<http://www.f5.com/services/customer-support/ihealth/>) may list Heuristic H383256 on the Diagnostics > Identified > Medium screen.\n\nFor a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.\n\nFor information about the F5 hotfix policy, refer to SOL4918: Overview of the F5 critical issue hotfix policy.\n\nFor information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.\n\nFor information about installing version 10.x hotfixes, refer to in SOL10025: Managing F5 product hotfixes for BIG-IP 10.x systems.\n", "published": "2011-01-27T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/12000/500/sol12567.html", "cvelist": ["CVE-2010-3614"], "lastseen": "2016-09-26T17:23:08"}, {"id": "F5:K12851", "type": "f5", "title": "BIND vulnerability CVE-2010-3613", "description": 
"**Note**: For information about signing up to receive security notice updates from F5, refer to [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>).\n\n**Note**: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n**F5 products and versions that have been evaluated for this Security Advisory**\n\nProduct | Affected | Not Affected \n---|---|--- \nBIG-IP LTM | None | 9.x \n10.x \n11.x \nBIG-IP GTM | None | 9.x \n10.x \n11.x \nBIG-IP ASM | None | 9.x \n10.x \n11.x \nBIG-IP Link Controller | None | 9.x \n10.x \n11.x \nBIG-IP WebAccelerator | None | 9.x \n10.x \n11.x \nBIG-IP PSM | None | 9.x \n10.x \n11.x \nBIG-IP WOM | None | 10.x \n11.x \nBIG-IP APM | None | 10.x \n11.x \nBIG-IP Edge Gateway | None | 10.x \n11.x \nBIG-IP Analytics | None | 11.x \nBIG-IP AFM | None | 11.x \nBIG-IP PEM \n| None | 11.x \nBIG-IP AAM | None | 11.x \nFirePass | None | 5.x \n6.x \n7.x \nEnterprise Manager | None | 1.x \n2.x \n3.x \nARX | None | 4.x \n5.x \n6.x \n \nThis security advisory describes a **BIND** vulnerability.\n\nFor information about this advisory, refer to the Common Vulnerabilities and Exposures website at the following location:\n\n**Note**: The following link will take you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613>\n", "published": "2011-05-14T03:04:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K12851", "cvelist": ["CVE-2010-3613"], "lastseen": "2017-10-12T02:11:22"}, {"id": "SOL12851", "type": 
"f5", "title": "SOL12851 - BIND vulnerability CVE-2010-3613", "description": "This security advisory describes a **BIND** vulnerability.\n\nFor information about this advisory, refer to the Common Vulnerabilities and Exposures website at the following location:\n\n**Note**: The following link will take you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613>\n", "published": "2011-05-13T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12851.html", "cvelist": ["CVE-2010-3613"], "lastseen": "2016-05-30T21:02:09"}, {"id": "SOL15172", "type": "f5", "title": "SOL15172 - BIND vulnerability CVE-2010-3762", "description": "* F5 Product Development has determined that these BIG-IP and Enterprise Manager versions use a vulnerable version of BIND. However, the vulnerable code is not used by default on these BIG-IP or Enterprise Manager systems. These products are only vulnerable if BIND was manually configured.\n\n \nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. 
If the table does not list any version in the column, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n", "published": "2014-04-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15172.html", "cvelist": ["CVE-2010-3762"], "lastseen": "2016-09-26T17:22:57"}], "cert": [{"id": "VU:837744", "type": "cert", "title": "ISC BIND named validator vulnerability", "description": "### Overview\n\nISC BIND named contains a vulnerability where under certain situations it could incorrectly mark zone data as insecure.\n\n### Description\n\nAccording to [ISC](<https://www.isc.org/software/bind/advisories/cve-2010-3614>): \n\n_named, acting as a DNSSEC validator, was determining if an NS RRset is insecure based on a value that could mean either that the RRset is actually insecure or that there wasn't a matching key for the RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY RRset. \nThis can happen when in the middle of a DNSKEY algorithm rollover, when two different algorithms were used to sign a zone but only the new set of keys are in the zone DNSKEY RRset._ \n \n--- \n \n### Impact\n\nAnswers are marked incorrectly as insecure. 
\n \n--- \n \n### Solution\n\n**Apply an update \n \n**Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.** \n** \nThis vulnerability is addressed in ISC BIND versions 9.4-ESV-R4, 9.6.2-P3 or 9.6-ESV-R3, and 9.7.2-P3. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate. \n \nSee also <https://www.isc.org/software/bind/advisories/cve-2010-3614> \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nInternet Systems Consortium| | -| 01 Dec 2010 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23837744 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <https://www.isc.org/software/bind/advisories/cve-2010-3614>\n * <http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories>\n\n### Credit\n\nThanks to Internet Systems Consortium for reporting this vulnerability.\n\nThis document was written by Michael Orlando.\n\n### Other Information\n\n * CVE IDs: [CVE-2010-3614](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3614>)\n * Date Public: 01 Dec 2010\n * Date First Published: 01 Dec 2010\n * Date Last Updated: 01 Dec 2010\n * Severity Metric: 7.65\n * Document Revision: 17\n\n", "published": "2010-12-01T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/837744", "cvelist": ["CVE-2010-3614", "CVE-2010-3614"], "lastseen": "2016-02-03T09:12:07"}, {"id": "VU:706148", "type": "cert", "title": "ISC BIND cache vulnerability", "description": "### Overview\n\nThe ISC BIND nameserver contains a vulnerability that could allow a remote 
attacker to cause a denial of service.\n\n### Description\n\nAccording to [ISC](<https://www.isc.org/software/bind/advisories/cve-2010-3613>): \n\n_Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST)._ \n \n--- \n \n### Impact\n\nA remote attacker could cause the name server on an affected system to crash. ISC notes that this vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled. \n \n--- \n \n### Solution\n\n**Apply an update \n \n**Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.** \n** \nThis vulnerability is addressed in ISC BIND versions 9.4-ESV-R4, 9.6.2-P3, 9.6-ESV-R3, and 9.7.2-P3. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate. 
\n \nSee also <https://www.isc.org/software/bind/advisories/cve-2010-3613> \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nInternet Systems Consortium| | -| 01 Dec 2010 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23706148 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <https://www.isc.org/software/bind/advisories/cve-2010-3613>\n * <http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories>\n\n### Credit\n\nThanks to Internet Systems Consortium for reporting this vulnerability.\n\nThis document was written by Michael Orlando.\n\n### Other Information\n\n * CVE IDs: [CVE-2010-3613](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3613>)\n * Date Public: 01 Dec 2010\n * Date First Published: 01 Dec 2010\n * Date Last Updated: 16 Dec 2010\n * Severity Metric: 7.65\n * Document Revision: 22\n\n", "published": "2010-12-01T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/706148", "cvelist": ["CVE-2010-3613", "CVE-2010-3613"], "lastseen": "2016-02-03T09:12:14"}], "openvas": [{"id": "OPENVAS:862711", "type": "openvas", "title": "Fedora Update for bind-dyndb-ldap FEDORA-2010-18521", "description": "Check for the Version of bind-dyndb-ldap", "published": "2010-12-23T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862711", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2018-01-02T10:54:40"}, {"id": "OPENVAS:862712", "type": "openvas", "title": "Fedora Update for dnsperf FEDORA-2010-18521", "description": "Check for the Version of dnsperf", "published": "2010-12-23T00:00:00", "cvss": 
{"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862712", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-12-21T11:32:52"}, {"id": "OPENVAS:1361412562310103030", "type": "openvas", "title": "ISC BIND 9 'RRSIG' Record Type Negative Cache Remote Denial of Service Vulnerability", "description": "ISC BIND is prone to multiple Vulnerabilities.", "published": "2011-01-14T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103030", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-07-02T21:13:40"}, {"id": "OPENVAS:1361412562310862712", "type": "openvas", "title": "Fedora Update for dnsperf FEDORA-2010-18521", "description": "Check for the Version of dnsperf", "published": "2010-12-23T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862712", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2018-01-18T11:04:56"}, {"id": "OPENVAS:840545", "type": "openvas", "title": "Ubuntu Update for bind9 vulnerabilities USN-1025-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1025-1", "published": "2010-12-09T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=840545", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-12-04T11:18:17"}, {"id": "OPENVAS:1361412562310122263", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2010-0975", "description": "Oracle Linux Local Security Checks ELSA-2010-0975", "published": "2015-10-06T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122263", 
"cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-07-24T12:52:23"}, {"id": "OPENVAS:1361412562310840545", "type": "openvas", "title": "Ubuntu Update for bind9 vulnerabilities USN-1025-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1025-1", "published": "2010-12-09T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840545", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-12-21T11:33:15"}, {"id": "OPENVAS:1361412562310862711", "type": "openvas", "title": "Fedora Update for bind-dyndb-ldap FEDORA-2010-18521", "description": "Check for the Version of bind-dyndb-ldap", "published": "2010-12-23T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862711", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2018-01-23T13:05:47"}, {"id": "OPENVAS:862707", "type": "openvas", "title": "Fedora Update for bind FEDORA-2010-18469", "description": "Check for the Version of bind", "published": "2010-12-23T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862707", "cvelist": ["CVE-2010-3615", "CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-12-21T11:32:26"}, {"id": "OPENVAS:862710", "type": "openvas", "title": "Fedora Update for bind FEDORA-2010-18521", "description": "Check for the Version of bind", "published": "2010-12-23T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862710", "cvelist": ["CVE-2010-0213", "CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-12-20T13:18:37"}], "nessus": [{"id": "FEDORA_2010-18521.NASL", "type": "nessus", "title": "Fedora 13 : 
bind-dyndb-ldap-0.1.0-0.10.a1.20091210git.fc13 / bind-9.7.2-1.P3.fc13 / etc (2010-18521)", "description": "Update to 9.7.2-P3 release which contains various security fixes.\n\nThis update also provides bind-dyndb-ldap and dnsperf packages rebuild against updated bind.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2010-12-08T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=51067", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:43:23"}, {"id": "UBUNTU_USN-1025-1.NASL", "type": "nessus", "title": "Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : bind9 vulnerabilities (USN-1025-1)", "description": "It was discovered that Bind would incorrectly allow a ncache entry and a rrsig for the same type. A remote attacker could exploit this to cause Bind to crash, resulting in a denial of service. (CVE-2010-3613)\n\nIt was discovered that Bind would incorrectly mark zone data as insecure when the zone is undergoing a key algorithm rollover.\n(CVE-2010-3614).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2010-12-02T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=50970", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:36:59"}, {"id": "AIX_IV01118.NASL", "type": "nessus", "title": "AIX 6.1 TL 4 : bind9 (IV01118)", "description": "The security status of an NS RRset is not properly determined during a DNSKEY algorithm rollover which can allow a remote attacker to cause a denial of service.\n\nSigned negative responses and corresponding RRSIG records in the cache are not properly handled which can allow a remote attacker to cause a denial of service.", "published": "2013-01-24T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63695", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:46:00"}, {"id": "AIX_IZ99391.NASL", "type": "nessus", "title": "AIX 5.3 TL 12 : bind9 (IZ99391)", "description": "The security status of an NS RRset is not properly determined during a DNSKEY algorithm rollover which can allow a remote attacker to cause a denial of service.\n\nSigned negative responses and corresponding RRSIG records in the cache are not properly handled which can allow a remote attacker to cause a denial of service.", "published": "2013-01-24T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63827", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:42:37"}, {"id": "AIX_IV01119.NASL", "type": "nessus", "title": "AIX 7.1 TL 0 : bind9 (IV01119)", "description": "The security status of an NS RRset is not properly determined 
during a DNSKEY algorithm rollover which can allow a remote attacker to cause a denial of service.\n\nSigned negative responses and corresponding RRSIG records in the cache are not properly handled which can allow a remote attacker to cause a denial of service.", "published": "2013-01-24T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63696", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:42:13"}, {"id": "REDHAT-RHSA-2010-0975.NASL", "type": "nessus", "title": "RHEL 6 : bind (RHSA-2010:0975)", "description": "Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.\n\nIt was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613)\n\nIt was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. 
(CVE-2010-3614)\n\nAll BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.", "published": "2010-12-14T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=51153", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:43:22"}, {"id": "SUSE_11_3_BIND-101207.NASL", "type": "nessus", "title": "openSUSE Security Update : bind (openSUSE-SU-2010:1031-1)", "description": "Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (CVE-2010-3613).\n\nbind did not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover (CVE-2010-3614).", "published": "2014-06-13T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75437", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:44:45"}, {"id": "ORACLELINUX_ELSA-2010-0975.NASL", "type": "nessus", "title": "Oracle Linux 6 : bind (ELSA-2010-0975)", "description": "From Red Hat Security Advisory 2010:0975 :\n\nUpdated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.\n\nIt was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613)\n\nIt was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. (CVE-2010-3614)\n\nAll BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.", "published": "2013-07-12T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68161", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:40:28"}, {"id": "SUSE_11_2_BIND-101207.NASL", "type": "nessus", "title": "openSUSE Security Update : bind (openSUSE-SU-2010:1031-1)", "description": "Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. 
A subsequent lookup of the cached data can cause named to crash (CVE-2010-3613).\n\nbind did not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover (CVE-2010-3614).", "published": "2011-05-05T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53698", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2017-10-29T13:40:55"}, {"id": "CENTOS_RHSA-2010-0976.NASL", "type": "nessus", "title": "CentOS 5 : bind (CESA-2010:0976)", "description": "Updated bind packages that fix three security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.\n\nIt was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613)\n\nA flaw was found in the DNSSEC validation code in named. If named had multiple trust anchors configured for a zone, a response to a request for a record in that zone with a bad signature could cause named to crash. 
(CVE-2010-3762)\n\nIt was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. (CVE-2010-3614)\n\nAll BIND users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.", "published": "2010-12-14T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=51145", "cvelist": ["CVE-2010-3614", "CVE-2010-3613", "CVE-2010-3762"], "lastseen": "2017-10-29T13:38:26"}], "redhat": [{"id": "RHSA-2010:0975", "type": "redhat", "title": "(RHSA-2010:0975) Important: bind security update", "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nIt was discovered that named did not invalidate previously cached RRSIG\nrecords when adding an NCACHE record for the same entry to the cache. A\nremote attacker allowed to send recursive DNS queries to named could use\nthis flaw to crash named. (CVE-2010-3613)\n\nIt was discovered that, in certain cases, named did not properly perform\nDNSSEC validation of an NS RRset for zones in the middle of a DNSKEY\nalgorithm rollover. This flaw could cause the validator to incorrectly\ndetermine that the zone is insecure and not protected by DNSSEC.\n(CVE-2010-3614)\n\nAll BIND users are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve these issues. 
After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n", "published": "2010-12-13T05:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0975", "cvelist": ["CVE-2010-3613", "CVE-2010-3614"], "lastseen": "2017-12-25T20:04:58"}, {"id": "RHSA-2010:0976", "type": "redhat", "title": "(RHSA-2010:0976) Important: bind security update", "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nIt was discovered that named did not invalidate previously cached RRSIG\nrecords when adding an NCACHE record for the same entry to the cache. A\nremote attacker allowed to send recursive DNS queries to named could use\nthis flaw to crash named. (CVE-2010-3613)\n\nA flaw was found in the DNSSEC validation code in named. If named had\nmultiple trust anchors configured for a zone, a response to a request for a\nrecord in that zone with a bad signature could cause named to crash.\n(CVE-2010-3762)\n\nIt was discovered that, in certain cases, named did not properly perform\nDNSSEC validation of an NS RRset for zones in the middle of a DNSKEY\nalgorithm rollover. This flaw could cause the validator to incorrectly\ndetermine that the zone is insecure and not protected by DNSSEC.\n(CVE-2010-3614)\n\nAll BIND users are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues. 
After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n", "published": "2010-12-13T05:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0976", "cvelist": ["CVE-2010-3613", "CVE-2010-3614", "CVE-2010-3762"], "lastseen": "2017-09-09T07:19:44"}, {"id": "RHSA-2010:1000", "type": "redhat", "title": "(RHSA-2010:1000) Important: bind security update", "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nIt was discovered that named did not invalidate previously cached SIG\nrecords when adding an NCACHE record for the same entry to the cache. A\nremote attacker allowed to send recursive DNS queries to named could use\nthis flaw to crash named. (CVE-2010-3613)\n\nAll BIND users are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n", "published": "2010-12-20T05:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:1000", "cvelist": ["CVE-2010-3613"], "lastseen": "2017-09-09T07:19:34"}], "ubuntu": [{"id": "USN-1025-1", "type": "ubuntu", "title": "Bind vulnerabilities", "description": "It was discovered that Bind would incorrectly allow a ncache entry and a rrsig for the same type. A remote attacker could exploit this to cause Bind to crash, resulting in a denial of service. (CVE-2010-3613)\n\nIt was discovered that Bind would incorrectly mark zone data as insecure when the zone is undergoing a key algorithm rollover. 
(CVE-2010-3614)", "published": "2010-12-01T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/1025-1/", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2018-03-29T18:18:02"}, {"id": "USN-1139-1", "type": "ubuntu", "title": "Bind vulnerabilities", "description": "It was discovered that Bind incorrectly handled certain bad signatures if multiple trust anchors existed for a single zone. A remote attacker could use this flaw to cause Bind to stop responding, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS and 10.04 LTS. (CVE-2010-3762)\n\nFrank Kloeker and Michael Sinatra discovered that Bind incorrectly handled certain very large RRSIG RRsets included in negative responses. A remote attacker could use this flaw to cause Bind to stop responding, resulting in a denial of service. (CVE-2011-1910)", "published": "2011-05-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/1139-1/", "cvelist": ["CVE-2010-3762", "CVE-2011-1910"], "lastseen": "2018-03-29T18:18:30"}], "oraclelinux": [{"id": "ELSA-2010-0975", "type": "oraclelinux", "title": "bind security update", "description": "[32:9.7.0-5.P2.1]\n- fix CVE-2010-3613 and CVE-2010-3614", "published": "2011-02-10T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0975.html", "cvelist": ["CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2016-09-04T11:16:03"}, {"id": "ELSA-2010-0976", "type": "oraclelinux", "title": "bind security update", "description": "[30:9.3.6-4.P1.3]\n- fixes for CVE-2010-3762, CVE-2010-3613 and CVE-2010-3614", "published": "2010-12-13T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0976.html", "cvelist": 
["CVE-2010-3614", "CVE-2010-3613", "CVE-2010-3762"], "lastseen": "2016-09-04T11:16:35"}, {"id": "ELSA-2010-1000", "type": "oraclelinux", "title": "bind security update", "description": "[20:9.2.4-30.6]\n- fix CVE-2010-3613", "published": "2010-12-20T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-1000.html", "cvelist": ["CVE-2010-3613"], "lastseen": "2016-09-04T11:16:20"}], "slackware": [{"id": "SSA-2010-350-01", "type": "slackware", "title": "bind", "description": "New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues that\ncould allow attackers to successfully query private DNS records, or cause a\ndenial of service.\n\n\nHere are the details from the Slackware 13.1 ChangeLog:\n\npatches/packages/bind-9.4_ESV_R4-i486-1_slack13.1.txz: Upgraded.\n This update fixes some security issues.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/bind-9.4_ESV_R4-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/bind-9.4_ESV_R4-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/bind-9.4_ESV_R4-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/bind-9.4_ESV_R4-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/bind-9.4_ESV_R4-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/bind-9.4_ESV_R4-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/bind-9.4_ESV_R4-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/bind-9.4_ESV_R4-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.4_ESV_R4-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/bind-9.4_ESV_R4-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bind-9.4_ESV_R4-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bind-9.4_ESV_R4-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 
13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bind-9.4_ESV_R4-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bind-9.4_ESV_R4-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.7.2_P3-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.7.2_P3-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bind-9.4_ESV_R4-i486-1_slack13.1.txz\n\nThen, restart the name server:\n\n > /etc/rc.d/rc.bind restart", "published": "2010-12-16T13:45:59", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.622190", "cvelist": ["CVE-2010-3615", "CVE-2010-3614", "CVE-2010-3613"], "lastseen": "2018-02-02T18:11:38"}], "debian": [{"id": "DSA-2130", "type": "debian", "title": "bind9 -- several vulnerabilities", "description": "Several remote vulnerabilities have been discovered in BIND, an implementation of the DNS protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2010-3762](<https://security-tracker.debian.org/tracker/CVE-2010-3762>)\n\nWhen DNSSEC validation is enabled, BIND does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (server crash) via a DNS query.\n\n * [CVE-2010-3614](<https://security-tracker.debian.org/tracker/CVE-2010-3614>)\n\nBIND does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which may lead to zone unavailability during rollovers.\n\n * [CVE-2010-3613](<https://security-tracker.debian.org/tracker/CVE-2010-3613>)\n\nBIND does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (server crash) via a query for cached data.\n\nIn addition, this security update improves compatibility with previously installed versions of the bind9 package. 
As a result, it is necessary to initiate the update with \"apt-get dist-upgrade\" instead of \"apt-get update\".\n\nFor the stable distribution (lenny), these problems have been fixed in version 1:9.6.ESV.R3+dfsg-0+lenny1.\n\nFor the upcoming stable distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 1:9.7.2.dfsg.P3-1.\n\nWe recommend that you upgrade your bind9 packages.", "published": "2010-12-10T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2130", "cvelist": ["CVE-2010-3614", "CVE-2010-3613", "CVE-2010-3762"], "lastseen": "2016-09-02T18:26:04"}], "gentoo": [{"id": "GLSA-201206-01", "type": "gentoo", "title": "BIND: Multiple vulnerabilities", "description": "### Background\n\nBIND is the Berkeley Internet Name Domain Server.\n\n### Description\n\nMultiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nThe vulnerabilities allow remote attackers to cause a Denial of Service (daemon crash) via a DNS query, to bypass intended access restrictions, to incorrectly cache a ncache entry and a rrsig for the same type and to incorrectly mark zone data as insecure. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll bind users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-dns/bind-9.7.4_p1\"\n \n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are available since December 22, 2011. 
It is likely that your system is already no longer affected by this issue.", "published": "2012-06-02T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201206-01", "cvelist": ["CVE-2011-0414", "CVE-2011-2464", "CVE-2010-3615", "CVE-2011-2465", "CVE-2010-3614", "CVE-2010-3613", "CVE-2011-4313", "CVE-2010-3762", "CVE-2011-1910"], "lastseen": "2016-09-06T19:46:55"}], "vmware": [{"id": "VMSA-2011-0004", "type": "vmware", "title": "VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.", "description": "a. Service Location Protocol daemon DoS \nThis patch fixes a denial-of-service vulnerability in the Service Location Protocol daemon (SLPD). Exploitation of this vulnerability could cause SLPD to consume significant CPU resources. \nVMware would like to thank Nicolas Gregoire and US CERT for reporting this issue to us. \nThe Common Vulnerabilities and Exposures project ([cve.mitre.org](<http://www.cve.mitre.org/>)) has assigned the names CVE-2010-3609 to this issue. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "published": "2011-03-07T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2011-0004.html", "cvelist": ["CVE-2010-3609", "CVE-2010-2059", "CVE-2010-3316", "CVE-2010-3614", "CVE-2010-3613", "CVE-2010-3762", "CVE-2010-3435", "CVE-2010-3853"], "lastseen": "2016-09-04T11:19:25"}], "centos": [{"id": "CESA-2010:1000", "type": "centos", "title": "bind security update", "description": "**CentOS Errata and Security Advisory** CESA-2010:1000\n\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain\nName System (DNS) protocols. 
BIND includes a DNS server (named); a resolver\nlibrary (routines for applications to use when interfacing with DNS); and\ntools for verifying that the DNS server is operating correctly.\n\nIt was discovered that named did not invalidate previously cached SIG\nrecords when adding an NCACHE record for the same entry to the cache. A\nremote attacker allowed to send recursive DNS queries to named could use\nthis flaw to crash named. (CVE-2010-3613)\n\nAll BIND users are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdate, the BIND daemon (named) will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-January/017239.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-January/017240.html\n\n**Affected packages:**\nbind\nbind-chroot\nbind-devel\nbind-libs\nbind-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-1000.html", "published": "2011-01-27T04:19:06", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-January/017239.html", "cvelist": ["CVE-2010-3613"], "lastseen": "2017-10-03T18:26:03"}]}}