(RHSA-2008:0533) Important: bind security update

2008-07-0800:00:00

access.redhat.com

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.131 Low

EPSS

Percentile

95.0%

JSON

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols.

The DNS protocol protects against spoofing attacks by requiring an attacker
to predict both the DNS transaction ID and UDP source port of a request. In
recent years, a number of papers have found problems with DNS
implementations which make it easier for an attacker to perform DNS
cache-poisoning attacks.

Previous versions of BIND did not use randomized UDP source ports. If an
attacker was able to predict the random DNS transaction ID, this could make
DNS cache-poisoning attacks easier. In order to provide more resilience,
BIND has been updated to use a range of random UDP source ports.
(CVE-2008-1447)

Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4
and 5 to allow BIND to use random UDP source ports.

Users of BIND are advised to upgrade to these updated packages, which
contain a backported patch to add this functionality.

Red Hat would like to thank Dan Kaminsky for reporting this issue.

OSVersionArchitecturePackageVersionFilename
RedHat4s390bind-chroot< 9.2.4-28.0.1.el4bind-chroot-9.2.4-28.0.1.el4.s390.rpm
RedHat5s390xbind-libbind-devel< 9.3.4-6.0.1.P1.el5_2bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.s390x.rpm
RedHat5x86_64bind-chroot< 9.3.4-6.0.1.P1.el5_2bind-chroot-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
RedHat5ppc64bind-libbind-devel< 9.3.4-6.0.1.P1.el5_2bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.ppc64.rpm
RedHat5ppcbind-libs< 9.3.4-6.0.2.P1.el5_2bind-libs-9.3.4-6.0.2.P1.el5_2.ppc.rpm
RedHat5s390xbind-chroot< 9.3.4-6.0.2.P1.el5_2bind-chroot-9.3.4-6.0.2.P1.el5_2.s390x.rpm
RedHat5x86_64bind-libs< 9.3.4-6.0.2.P1.el5_2bind-libs-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
RedHat4s390xbind-libs< 9.2.4-28.0.1.el4bind-libs-9.2.4-28.0.1.el4.s390x.rpm
RedHat4ppcbind< 9.2.4-28.0.1.el4bind-9.2.4-28.0.1.el4.ppc.rpm
RedHat5noarchselinux-policy< 2.4.6-137.1.el5_2selinux-policy-2.4.6-137.1.el5_2.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	4	s390	bind-chroot	< 9.2.4-28.0.1.el4	bind-chroot-9.2.4-28.0.1.el4.s390.rpm
RedHat	5	s390x	bind-libbind-devel	< 9.3.4-6.0.1.P1.el5_2	bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.s390x.rpm
RedHat	5	x86_64	bind-chroot	< 9.3.4-6.0.1.P1.el5_2	bind-chroot-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
RedHat	5	ppc64	bind-libbind-devel	< 9.3.4-6.0.1.P1.el5_2	bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.ppc64.rpm
RedHat	5	ppc	bind-libs	< 9.3.4-6.0.2.P1.el5_2	bind-libs-9.3.4-6.0.2.P1.el5_2.ppc.rpm
RedHat	5	s390x	bind-chroot	< 9.3.4-6.0.2.P1.el5_2	bind-chroot-9.3.4-6.0.2.P1.el5_2.s390x.rpm
RedHat	5	x86_64	bind-libs	< 9.3.4-6.0.2.P1.el5_2	bind-libs-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
RedHat	4	s390x	bind-libs	< 9.2.4-28.0.1.el4	bind-libs-9.2.4-28.0.1.el4.s390x.rpm
RedHat	4	ppc	bind	< 9.2.4-28.0.1.el4	bind-9.2.4-28.0.1.el4.ppc.rpm
RedHat	5	noarch	selinux-policy	< 2.4.6-137.1.el5_2	selinux-policy-2.4.6-137.1.el5_2.noarch.rpm