[OpenPKG-SA-2006.029] OpenPKG Security Advisory (bind)

2006-11-05T00:00:00
ID SECURITYVULNS:DOC:14920
Type securityvulns
Reporter Securityvulns
Modified 2006-11-05T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1


OpenPKG Security Advisory OpenPKG GmbH http://openpkg.org/security/ http://openpkg.com OpenPKG-SA-2006.029 2006-11-04


Package: bind Vulnerability: signature verification failure OpenPKG Specific: no

Affected Series: Affected Packages: Corrected Packages: E1.0-SOLID <= bind-9.3.2-E1.0.0 >= bind-9.3.2-E1.0.1 2-STABLE-20061018 <= bind-9.3.2-2.20061018 >= bind-9.3.2p2-2.20061104 2-STABLE <= bind-9.3.2-2.20061018 >= bind-9.3.2p2-2.20061104 CURRENT <= bind-9.3.2-20061013 >= bind-9.3.2p2-20061104

Description: According to a vendor security advisory [0], the DNS server BIND [1] (versions up to and including 9.3.2-P1) is vulnerable to the recently discovered OpenSSL RSA signature verification problem for which the Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-4339 [2].

BIND uses RSA cryptography as part of its DNSSEC implementation. To resolve the security issue, upgrade to the corrected OpenPKG packages and for both your KEY and DNSKEY resource record types, generate new RSASHA1 and RSAMD5 keys using the "-e" option to dnssec-keygen(8) if the current keys were generated using the default exponent of 3. You can determine if your keys are vulnerable by looking at the algorithm (1 or 5) and the first three characters of the Base64 encoded RSA key. RSASHA1 (5) and RSAMD5 (1) keys that start with "AQM", "AQN", "AQO" or "AQP" are vulnerable.


References: [0] http://marc.theaimsgroup.com/?l=bind-announce&m=116253119512445 [1] http://www.isc.org/sw/bind/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339


For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) which you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the instructions on http://openpkg.org/security/signatures/ for details on how to verify the integrity of this advisory.


-----BEGIN PGP SIGNATURE----- Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFFTIxWgHWT4GPEy58RAlu0AKCMSPyWef3lN4DkDeG3ozE/6GJR2ACg349w 9CPsNmqxAi/7ctIdIFnuASY= =WU4O -----END PGP SIGNATURE-----