1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200903-14 / bind |
| Release Date | March 09, 2009 |
| Latest Revision | March 09, 2009: 01 |
| Impact | normal |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-dns/bind | < 9.4.3_p1 | >= 9.4.3_p1 | All supported architectures |
Related bugreports: #254134, #257949
Incomplete verification of RSA and DSA certificates might lead to spoofed records authenticated using DNSSEC.
ISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol.
BIND does not properly check the return value from the OpenSSL functions to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265) certificates.
A remote attacker could bypass validation of the certificate chain to spoof DNSSEC-authenticated records.
There is no known workaround at this time.
All BIND users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p1" |