bind9 - denial of service

Several remote vulnerabilities have been discovered in BIND, an
implementation of the DNS protocol suite. The Common Vulnerabilities
and Exposures project identifies the following problems:

• CVE-2010-3762
  When DNSSEC validation is enabled, BIND does not properly
  handle certain bad signatures if multiple trust anchors exist
  for a single zone, which allows remote attackers to cause a
  denial of service (server crash) via a DNS query.
• CVE-2010-3614
  BIND does not properly determine the security status of an NS
  RRset during a DNSKEY algorithm rollover, which may lead to
  zone unavailability during rollovers.
• CVE-2010-3613
  BIND does not properly handle the combination of signed
  negative responses and corresponding RRSIG records in the
  cache, which allows remote attackers to cause a denial of
  service (server crash) via a query for cached data.

In addition, this security update improves compatibility with
previously installed versions of the bind9 package. As a result, it
is necessary to initiate the update with “apt-get dist-upgrade”
instead of “apt-get update”.

For the stable distribution (lenny), these problems have been fixed in
version 1:9.6.ESV.R3+dfsg-0+lenny1.

For the upcoming stable distribution (squeeze) and the unstable
distribution (sid), these problems have been fixed in version
1:9.7.2.dfsg.P3-1.

We recommend that you upgrade your bind9 packages.