
History: Dec 01, 2003 - 12:00 a.m.

ISC BIND 8 vulnerable to cache poisoning via negative responses












The BIND 8 name server contains a cache poisoning vulnerability that allows attackers to conduct denial-of-service attacks on specific target domains.


Several versions of the BIND 8 name server are vulnerable to cache poisoning via negative responses. To exploit this vulnerability, an attacker must configure a name server to return authoritative negative responses for a given target domain. Then, the attacker must convince a victim user to query the attacker’s maliciously configured name server. When the attacker’s name server receives the query, it will reply with an authoritative negative response containing a large TTL (time-to-live) value. If the victim’s site runs a vulnerable version of BIND 8, it will cache the negative response and render the target domain unreachable until the TTL expires.
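The description above turns on two properties of the cached record: it comes from a server that has no authority over the target domain, and it carries a very large TTL. As an added example (not ISC's patch and not code from this advisory), the following C sketch shows an admission check a caching resolver can apply to negative responses. It assumes the RFC 2308 rule that the negative TTL is the smaller of the SOA TTL and the SOA MINIMUM field; the struct, the function names and the cap `NCACHE_TTL_CAP` are hypothetical, and the sample responses are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical resolver-side cap on negative-cache lifetime (3 hours). */
#define NCACHE_TTL_CAP 10800u

/* One negative response as seen by the caching server. Names are ASCII
 * without a trailing dot. All field names are illustrative. */
struct neg_response {
    const char *denied_name;  /* name the response says does not exist      */
    const char *queried_zone; /* zone the answering server was consulted for */
    const char *soa_owner;    /* owner of the SOA in the authority section,
                                 NULL when the response carries none         */
    uint32_t soa_ttl;         /* TTL on that SOA record                      */
    uint32_t soa_minimum;     /* SOA MINIMUM field                           */
};

/* Return 1 when `name` equals `zone` or is a subdomain of it. The match is
 * on whole labels, so "notexample.com" is not inside "example.com". */
static int in_zone(const char *name, const char *zone)
{
    size_t n = strlen(name), z = strlen(zone), i;

    if (z == 0)
        return 1;                        /* the root contains every name */
    if (z > n)
        return 0;
    for (i = 0; i < z; i++)
        if (tolower((unsigned char)name[n - z + i]) !=
            tolower((unsigned char)zone[i]))
            return 0;
    return n == z || name[n - z - 1] == '.';
}

/* Decide whether a negative response may enter the cache.
 * Returns the number of seconds to cache it, or 0 to drop it. */
uint32_t ncache_admit(const struct neg_response *r)
{
    uint32_t ttl;

    /* No SOA means no TTL that can be trusted: do not cache. */
    if (r->soa_owner == NULL)
        return 0;
    /* Bailiwick: the SOA must sit inside the zone this server was asked
     * about, otherwise the server is speaking for someone else's domain. */
    if (!in_zone(r->soa_owner, r->queried_zone))
        return 0;
    /* The denied name must belong to the zone the SOA describes. */
    if (!in_zone(r->denied_name, r->soa_owner))
        return 0;
    /* RFC 2308: negative TTL = min(SOA TTL, SOA MINIMUM), then clamp so a
     * single response cannot pin a negative entry for days. */
    ttl = r->soa_ttl < r->soa_minimum ? r->soa_ttl : r->soa_minimum;
    if (ttl > NCACHE_TTL_CAP)
        ttl = NCACHE_TTL_CAP;
    return ttl;
}

/* Constructed sample responses (not captured traffic). */
static const struct neg_response samples[] = {
    /* ordinary NXDOMAIN from the zone's own server */
    { "nope.example.com", "example.com", "example.com", 3600, 900 },
    /* server consulted for one zone denies a name in another zone */
    { "www.target.example", "attacker.example", "target.example",
      604800, 604800 },
    /* in-bailiwick, but with an extreme TTL */
    { "gone.example.com", "example.com", "example.com",
      2147483647u, 2147483647u },
    /* SOA owner that only shares a suffix with the queried zone */
    { "www.example.com", "example.com", "notexample.com", 300, 300 },
    /* negative response without any SOA */
    { "nope.example.com", "example.com", NULL, 0, 0 },
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s from server for %-18s -> cache for %lu s\n",
               samples[i].denied_name, samples[i].queried_zone,
               (unsigned long)ncache_admit(&samples[i]));
    return 0;
}
```

A result of 0 means the response is answered to the client at most once and never stored, so a later query for the same name goes back to the real authoritative servers.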


Attackers may conduct denial-of-service attacks on specific target domains by enticing users to query a malicious name server.


Upgrade BIND

The ISC has prepared BIND 8.3.7 and BIND 8.4.3 to address this vulnerability. Name servers running BIND 4 are not affected. To obtain the latest versions of BIND, please visit


Apply a patch or updated version from your vendor

Many operating system vendors include BIND with their products and will be preparing new versions to address this vulnerability. For a list of vendors that the CERT/CC has received information from regarding this vulnerability, please see the Systems Affected section of this document.

Vendor Information



Apple Computer Inc. - Affected

Notified: October 21, 2003 Updated: December 11, 2003



Vendor Statement

Mac OS X 10.3 and later: Not Vulnerable. Mac OS X 10.3 uses a later version of BIND that does not have this vulnerability.

Mac OS X 10.2.x: Recommend upgrading to Mac OS X 10.2.8, then installing BIND 8.4.3 as follows:

First install the Developer Tools if they are not already present, then perform the following steps from the command-line in an application such as Terminal:

1. Download BIND version 8.4.3 by executing the following command:
curl -O <;

2. Verify the integrity of this file by typing:
cksum bind-src.tar.gz
which should indicate “3224691664 1438439 bind-src.tar.gz”

3. Unpack the distribution as follows:
tar xvzf bind-src.tar.gz

4. Now you’re ready to start building the distribution.
cd to the src/ directory and type “make”

5. The next step will install the new named daemon:
sudo cp bin/named/named /usr/sbin/

6. Reboot

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23734644 Feedback>).

FreeBSD - Affected

Notified: October 21, 2003 Updated: December 01, 2003



Vendor Statement

Please see <;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.



=============================================================================
FreeBSD-SA-03:19.bind Security Advisory
The FreeBSD Project

Topic: bind8 negative cache poison attack

Category: contrib
Module: contrib_bind
Announced: 2003-11-28
Credits: Internet Software Consortium
Affects: FreeBSD versions through 4.9-RELEASE and 5.1-RELEASE
         4-STABLE prior to the correction date
Corrected: 2003-11-28 22:13:47 UTC (RELENG_4, 4.9-STABLE)
           2003-11-27 00:54:53 UTC (RELENG_5_1, 5.1-RELEASE-p11)
           2003-11-27 16:54:01 UTC (RELENG_5_0, 5.0-RELEASE-p19)
           2003-11-27 00:56:06 UTC (RELENG_4_9, 4.9-RELEASE-p1)
           2003-11-27 16:34:22 UTC (RELENG_4_8, 4.8-RELEASE-p14)
           2003-11-27 16:35:06 UTC (RELENG_4_7, 4.7-RELEASE-p24)
           2003-11-27 16:37:00 UTC (RELENG_4_6, 4.6.2-RELEASE-p27)
           2003-11-27 16:38:36 UTC (RELENG_4_5, 4.5-RELEASE-p37)
           2003-11-27 16:40:03 UTC (RELENG_4_4, 4.4-RELEASE-p47)
CVE Name: CAN-2003-0914
FreeBSD only: NO

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit &lt;URL:``&lt;;``&gt;.
I. Background
BIND 8 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is the Internet domain name server.
II. Problem Description
A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response.
III. Impact
An attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS. Almost all Internet applications require DNS, such as the Web, email, and chat networks.
IV. Workaround
No workaround is known.
V. Solution
Do one of the following:
1) Upgrade your vulnerable system to 4.9-STABLE; or to the RELENG_5_1, RELENG_4_9, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date.
2) To patch your present system:
a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
[FreeBSD 4.9 and -STABLE systems]
# fetch <;
# fetch <;

[FreeBSD 4.8 and 5.1 systems]
# fetch <;
# fetch <;

[FreeBSD 4.4, 4.5, 4.6, 4.7, and 5.0 systems]
# fetch <;
# fetch <;

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbind
# make obj && make depend && make
# cd /usr/src/lib/libisc
# make obj && make depend && make
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make obj && make depend && make && make install

After upgrading or patching your system, you must restart named.
Execute the following command as root:

# ndc restart
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/bind/CHANGES
  src/contrib/bind/port/freebsd/include/port_before.h
RELENG_5_1
  src/contrib/bind/bin/named/ns_resp.c
RELENG_5_0
  src/contrib/bind/bin/named/ns_resp.c
RELENG_4_9
  src/contrib/bind/bin/named/ns_resp.c
RELENG_4_8
  src/contrib/bind/bin/named/ns_resp.c
RELENG_4_7
  src/contrib/bind/bin/named/ns_resp.c
RELENG_4_6
  src/contrib/bind/bin/named/ns_resp.c
RELENG_4_5
  src/contrib/bind/bin/named/ns_resp.c
RELENG_4_4
  src/contrib/bind/bin/named/ns_resp.c
- -------------------------------------------------------------------------
VII. References

Guardian Digital Inc. - Affected

Notified: October 21, 2003 Updated: December 02, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.



Guardian Digital Security Advisory - November 26, 2003
ESA-20031126-031

Packages: bind-chroot, bind-chroot-utils
Summary: cache poisoning vulnerability.

EnGarde Secure Linux is an enterprise class Linux platform engineered to enable corporations to quickly and cost-effectively build a complete and secure Internet presence while preventing Internet threats.


A cache poisoning vulnerability exists in the version of BIND shipped with all versions of EnGarde Secure Linux. Successful exploitation of this vulnerability may result in a temporary denial of service until the bad record expires from the cache.

The Common Vulnerabilities and Exposures project ( has assigned the name CAN-2003-0914 to this issue.

Guardian Digital products affected by this issue include:
EnGarde Secure Community v1.0.1
EnGarde Secure Community 2
EnGarde Secure Professional v1.1
EnGarde Secure Professional v1.2
EnGarde Secure Professional v1.5

It is recommended that all users apply this update as soon as possible.

Guardian Digital Secure Network subscribers may automatically update affected systems by accessing their account from within the Guardian Digital WebTool.

To modify your GDSN account and contact preferences, please go to:
Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages:
SRPMS/bind-chroot-8.2.6-1.0.30.src.rpm MD5 Sum: 6127e55aaeffe9c92dcf793df910ee75

i386/bind-chroot-8.2.6-1.0.30.i386.rpm MD5 Sum: b631c88d82dc4883df2271204d50abc3

i386/bind-chroot-utils-8.2.6-1.0.30.i386.rpm MD5 Sum: eaac0812f751998c7f5ad66f7ba9d9d4

i686/bind-chroot-8.2.6-1.0.30.i686.rpm MD5 Sum: 4b5ced2b8f72d9df3a340833ef0a60c0

i686/bind-chroot-utils-8.2.6-1.0.30.i686.rpm MD5 Sum: 21f203bb6fad4a5474b179337c395442


BIND's Official Web Site: ``&lt;;

Guardian Digital Advisories: ``&lt;;

Security Contact: [email protected]
Author: Ryan W. Maple <[email protected]>
Copyright 2003, Guardian Digital, Inc.


Hewlett-Packard Company - Affected

Notified: October 21, 2003 Updated: December 03, 2003



Vendor Statement

Document ID: HPSBUX0311-303 Date Loaded: 20031130

Title: SSRT3653 Bind 8.1.2
-----------------------------------------------------------------
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0311-303
Originally issued: 30 November 2003
SSRT3653 Bind 8.1.2
-----------------------------------------------------------------

NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact.
The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.
PROBLEM: Potential security vulnerability in Bind 8.1.2.
PLATFORM: HP-UX B.11.00 and B.11.11.
IMPACT: Potential remotely exploitable denial of service.
SOLUTION: Until a product upgrade is available, download and install appropriate preliminary updates or upgrade to Bind 9.2.0.

B.11.11 - Install the preliminary depot: SSRT3653UX.depot.
B.11.00 - A Bind 8.1.2 upgrade is available from the ftp site listed below.

The issue can be avoided by upgrading to Bind 9.2.0 which is available now. The security bulletin HPSBUX0208-209 has details about required revisions of Bind 9.2.0 for B.11.00 and B.11.11.

MANUAL ACTIONS: Yes - NonUpdate
B.11.11 - Install SSRT3653UX.depot or upgrade to Bind 9.2.0.
B.11.00 - Upgrade to Bind 9.2.0 or install BIND812v005.depot.
AVAILABILITY: This bulletin will be revised when a patch is available for B.11.11.

-----------------------------------------------------------------
A. Background
The potential for a remotely exploitable denial of service exists in Bind 8.1.2.

The following is a list by HP-UX revision of affected filesets and the fileset revision or patch containing the fix. To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset, then determine if a fixed revision or the applicable patch is installed.

HP-UX B.11.11

fix: install SSRT3653UX.depot or upgrade to Bind 9.2.0.

HP-UX B.11.00

fix: upgrade to BIND-812 revision B. or upgrade to Bind 9.2.0.

B. Recommended solution

The issue can be avoided by upgrading to Bind 9.2.0 which is available now. The security bulletin HPSBUX0208-209 has details about required revisions of Bind 9.2.0 for B.11.00 and B.11.11.

HP-UX B.11.00 Bind 8.1.2

BIND812 for B.11.00 has been discontinued. It will become obsolete by the end of March, 2004. A new version of BIND812 for B.11.00 has been created to address the issue of this bulletin. However, it is recommended that customers upgrade to Bind 9.2.0 now. More details can be found here:


The new version of BIND812 for B.11.00 is available from the ftp site listed below. Since BIND812 for B.11.00 has been discontinued, this version will not be available from

HP-UX B.11.11 Bind 8.1.2
========================

Until a patch is available a temporary depot has been created to install a version of /usr/sbin/named which addresses the issue. The depot is available from the ftp site listed below. The depot will not install the new named file unless PHNE_28450 has been installed first. PHNE_28450 is available from &lt;&lt;;&gt;.

For B.11.00 download BIND812v005.depot from the following ftp site.

For B.11.11 download SSRT3653UX.depot from the following ftp site.

System: ( Login: bind812 Password: bind812

FTP Access: <ftp://bind:[email protected]/> or: <ftp://bind:[email protected]/>
For B.11.11 - file: SSRT3653UX.depot
For B.11.00 - file: BIND812v005.depot

Note: There is an ftp defect in IE5 that may result in a browser hang. To work around this:
- Select Tools -> Internet Options -> Advanced
- Un-check the option: [ ] Enable folder view for FTP sites

If you wish to verify the md5 sum please refer to: Patch sums and the MD5 program

For B11.00 - BIND812v005.depot cksum: 1413515727 1239040 BIND812v005.depot MD5 (BIND812v005.depot) = 333920fa1b74820bee15f2287bacc3c2

For B.11.11 - SSRT3653UX.depot cksum: 509054485 389120 SSRT3653UX.depot MD5 (SSRT3653UX.depot) = ee96c169ec3712d5907b7fe983d108dc

For B.11.00 - Install BIND812v005.depot using swinstall.
For B.11.11 - Install SSRT3653UX.depot using swinstall after PHNE_28450 has been installed.

Further information is available in the readme file:

cd <directory containing SSRT3653UX.depot>
swlist -d -l product -a readme @ $PWD/SSRT3653UX.depot

- ------------------------------------------------------------------
C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:

Use your browser to get to the HP IT Resource Center page at:

Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.

To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.

To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems.

For information on the Security Patch Check tool, see: &lt;;

The security patch matrix is also available via anonymous ftp:

On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive".

D. To report new security vulnerabilities, send email to
[email protected]
Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to [email protected].

(c) Copyright 2003 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


IBM - Affected

Notified: October 21, 2003 Updated: December 03, 2003



Vendor Statement

The AIX operating system is vulnerable to the BIND8 cache poisoning attack in releases 4.3.3, 5.1.0 and 5.2.0. The APARs for this fix and their availability are listed below.

APAR number for AIX 4.3.3: IY49899 (available 2/25/2004)
APAR number for AIX 5.1.0: IY49881 (available)
APAR number for AIX 5.2.0: IY49883 (available 12/24/2003)

These APARs can be downloaded by following the link for IBM’s Fix Central at:

Efix packages for 4.3.3 and 5.2.0 will be available by 12/02/2004 at:


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


IBM has published APAR IY49881 regarding this vulnerability. For more information, please see:

Immunix - Affected

Updated: December 01, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


-----------------------------------------------------------------------
Immunix Secured OS Security Advisory

Packages updated: bind
Affected products: Immunix OS 7+
Bugs fixed: VU#734644 CAN-2003-0914
Date: Mon Oct 27 2003
Advisory ID: IMNX-2003-7+-024-01
Author: Seth Arnold <[email protected]>

A vulnerability has been found in BIND that “… allows an attacker to conduct cache poisoning attacks on vulnerable name servers by convincing the servers to retain invalid negative responses.”

Our bind-8.2.3-3.3_imnx_5 packages fix this problem using a patch derived from the BIND 8.3.7 release. This vulnerability has been named CAN-2003-0914 by the CVE project.

We'd like to apologize to our US subscribers for the incredibly poor timing, to release this notice a day before the Thanksgiving holiday. Our options were limited by ISC, the package maintainer.

References: ``&lt;;`` ``&lt;;

Package names and locations: Precompiled binary packages for Immunix 7+ are available at: ``&lt;;`` ``&lt;;`` ``&lt;;

A source package for Immunix 7+ is available at: ``&lt;;

Immunix OS 7+ md5sums: 8a5874f96e1c76b11c214ab16e1183f4 RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm 83535ea7a69ab222ccf5c8664bfd66b9 RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm 7669fedc653731bf54cc0dd48b258a8f RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm 445c908f0c4daffe0a153bc7e5514a85 SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm

GPG verification: Our public keys are available at ``&lt;;`` Immunix, Inc., has changed policy with GPG keys. We maintain several keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for Immunix 7.3 package signing, and 1B7456DA for general security issues.

NOTE: Ibiblio is graciously mirroring our updates, so if the links above are slow, please try:
&lt;;`` or one of the many mirrors available at:
ImmunixOS 6.2 is no longer officially supported. ImmunixOS 7.0 is no longer officially supported.

Contact information: To report vulnerabilities, please contact [email protected]. Immunix attempts to conform to the RFP vulnerability disclosure protocol


Internet Software Consortium - Affected

Notified: September 04, 2003 Updated: December 01, 2003



Vendor Statement

Internet Software Consortium Security Advisory. Negative Cache Poison Attack

4 September 2003
Versions affected: BIND 8 prior to 8.3.7

BIND 8.4.3 Release (8.4.3-REL)
BIND 8.4.3 is a maintenance release of BIND 8.4. It includes the BIND 8.4.2 release which includes a security fix (also released as BIND 8.3.7).
Highlights. Maintenance Release.

Highlights (8.4.2) Security Fix: Negative Cache Poison Fix.

the distribution files are:
&lt;; &lt;Ftp://; &lt;;
the pgp signature files are:
&lt;; &lt;; &lt;;
the md5 checksums are:

MD5 (bind-contrib.tar.gz) = 454f8e3caf1610941a656fcc17e1ecec MD5 (bind-contrib.tar.gz.asc) = f8f0a5b8985a8180e5bd02207f319980 MD5 (bind-doc.tar.gz) = fcfdaaa2fc7d6485b0e3d08299948bd3 MD5 (bind-doc.tar.gz.asc) = fc0671468c2e3a1e5ff817b69da21a6b MD5 (bind-src.tar.gz) = e78610fc1663cfe8c2db6a2d132d902b MD5 (bind-src.tar.gz.asc) = 40453b40819fd940ad4bfabd26425619
Windows NT / Windows 2000 binary distribution.
&lt;; &lt;; &lt;;
&lt;; &lt;; &lt;;
the md5 checksums are:
MD5 (readme1st.txt) = ac4ce260f151dc1ab393c145f4288bba MD5 ( = 7c3e333f90edbe3820952a62ff6ffdf3 MD5 ( = f2190cc390ce584c0cc624835bdcc8eb
MD5 (readme1sttools.txt) = eef4c5782be1a1faac3ca0c756eaef05 MD5 ( = 8cb29c092394dfa430ef9ea47b6a02ea MD5 ( = a77b2adb1f23db780f45efee32a92882
top of CHANGES says:
--- 8.4.3 released --- (Mon Nov 24 17:27:52 PST 2003)
1617. [cleanup] don't pre-fetch missing additional address records if we have one of A/AAAA.
1616. [func] turn on "preferred-glue A;" (if not specified in named.conf) if the answer space is a standard UDP message size or smaller.
1615. [func] when query logging log whether TSIG (T) and/or EDNS (E) was used to make the query.
1614. [cleanup] on dual (IPv4+IPv6) stack servers delay the lookup of missing glue if we have glue for one family.
1613. [cleanup] notify: don't lookup A/AAAA records for nameservers if we don't support the address at the transport level.
1612. [func] named now takes arguements -4 and -6 to limit the IP transport used for making queries.
1611. [debug] better packet tracing in debug output (+ some lint).
1610. [bug] don't explictly declare errno use <errno.h>.
1609. [bug] drop_port() was being called with ports in network order rather than host order.
1608. [port] sun: force alignment of answer in dig.c.
1607. [bug] do not attempt to prime cache when recursion and fetch-glue are disabled.
1606. [bug] sysquery duplicate detection was broken when using forwarders.
1605. [port] sun: force alignment of newmsg in ns_resp.c.
1604. [bug] heap_delete() sometimes violated the heap invariant, causing timer events not to be posted when due.
1603. [port] ds_remove_gen() mishandled removal IPv6 interfaces.
1602. [port] linux: work around a non-standard __P macro.
1601. [bug] dig could report the wrong server address on transfers.
1600. [bug] debug_freestr() prototype mismatch.
1599. [bug] res_nsearch() save statp->res_h_errno instead of h_errno.
1598. [bug] dprint_ip_match_list() fails to print the mask correctly.
1597. [bug] use the actual presentation length of the IP address to determine if sprintf() is safe in write_tsig_info().

--- 8.4.2 released --- (Thu Sep 4 06:58:22 PDT 2003)
1596. [port] winnt: set USELOOPBACK in port_after.h
1595. [bug] dig: strcat used instead of strcpy.
1594. [bug] if only a single nameserver was listed in resolv.conf IPv6 default server was also being used.
1593. [port] irix: update port/irix/irix_patch.
1592. [port] irix: provide a sysctl() based getifaddrs() implementation.
1591. [port] irix: sa_len is a macro.
1590. [port] irix: doesn't have msg_control (NO_MSG_CONTROL)
1589. [port] linux: uninitalised variable.
1588. [port] solaris: provide ALIGN.
1587. [port] NGR_R_END_RESULT was not correct for some ports.
1586. [port] winnt: revert to old socket behaviour for UDP sockets (Windows 2000 SP2 and later).
1585. [port] solaris: named-xfer needs <fcntl.h>.
1584. [port] bsdos: explictly include <netinet6/in6.h> for 4.0 and 4.1.
1583. [bug] add -X to named-xfer usage message.
1582. [bug] ns_ownercontext() failed to set the correct owner context for AAAA records. ns_ptrcontext() failed to return the correct context for IP6.ARPA.
1581. [bug] apply anti-cache poison techniques to negative answers.
1580. [bug] inet_net_pton() didn't fully handle implicit multicast IPv4 network addresses.
1579. [bug] ifa_addr can be NULL.
1578. [bug] named-xfer: wrong arguement passed to getnameinfo().
1577. [func] return referrals for glue (NS/A/AAAA) if recursion is not desired (hp->rd = 0).
1576. [bug] res_nsendsigned() incorrectly printed the truncated UDP response when RES_IGNTC was not set.
1575. [bug] tcp_send() passed the wrong length to evConnect().
1574. [bug] res_nsendsigned() failed to handle truncation cleanly.
1573. [bug] tsig_size was not being copied by ns_forw().
1572. [port] bsdos: missing #include <ifaddrs.h>.
1571. [bug] AA was sometimes incorrectly set.
1570. [port] decunix: change #1544 broke OSF1 3.2C.
1569. [bug] remove extraneous closes.
1568. [cleanup] reduce the memory footprint for large numbers of zones.
1567. [port] winnt: install MSVC70.DLL and MFC70.DLL.
1566. [bug] named failed to locate keys declared in masters clause.
1565. [bug] named-xfer was failing to use TSIG.
1564. [port] linux: allow static linkage to work.
1563. [bug] ndc getargs_closure failed to NUL terminate strings.
1562. [bug] handle non-responsive servers better.
1561. [bug] rtt estimates were not being updated for IPv6 addresses.
1560. [port] linux: add runtime support to handle old kernels that don't know about msg_control.
1559. [port] named, named-xfer: ensure that stdin, stdout and stderr are open.

--- 8.4.1-P1 released --- (Sun Jun 15 17:35:10 PDT 2003)
1558. [port] sunos4 doesn't have msg_control (NO_MSG_CONTROL).
1557. [port] linux: socket returns EINVAL for unsupported family.
1556. [bug] reference through NULL pointer.
1555. [bug] sortlist wasn't being applied to AAAA queries.
1554. [bug] IPv4 access list elements of the form number/number (e.g. 127/8) were not correctly defined.
1553. [bug] getifaddrs*() failed to set ifa_dstaddr for point to point links (overwrote ifa_addr).
1552. [bug] buffer overruns in getifaddrs*() if the server has point to point links.
1551. [port] freebsd: USE_IFNAMELINKIDS should be conditionally defined.
1550. [port] TruCluster support didn't build.
1549. [port] Solaris 9 has /dev/random.

--- 8.4.1-REL released --- (Sun Jun 8 15:11:32 PDT 2003)
1548. [port] winnt: make recv visible from libbind.
1547. [port] cope with spurious EINVAL from evRead.
1546. [cleanup] dig now reports version 8.4.
1545. [bug] getifaddrs_sun6 was broken.
1544. [port] hpux 10.20 has a broken recvfrom(). Revert to recv() in named-xfer and work around deprecated recv() in OSF.
1543. [bug] named failed to send notifies to servers that live in zones it was authoritative for.
1542. [bug] set IPV6_USE_MIN_MTU on IPv6 sockets if the kernel supports it.
1541. [bug] getifaddrs_sun6() should be a no-op on early SunOS releases.

--- 8.4.0-REL released --- (Sun Jun 1 17:49:31 PDT 2003)

BIND 8.3.7 Release

BIND 8.3.7 is a security release of BIND 8.3. This is expected to be the last release of BIND 8.3 except for security issues.
The recommended version to use is BIND 9.2.3. If for whatever reason you must run BIND 8, use nothing earlier than 8.3.7-REL, 8.4.2-REL. Do not under any circumstances run BIND 4.
Highlights vs. 8.3.6 Security Fix: Negative Cache Poison Fix.

Highlights vs. 8.3.5 Maintenance release.

Highlights vs. 8.3.4 Maintenance release.

Highlights vs. 8.3.3 Security Fix DoS and buffer overrun.

Highlights vs. 8.3.2 Security Fix libbind. All applications linked against libbind need to re-linked. 'rndc restart' now preserves named's arguments

Highlights vs. BIND 8.3.1: dig, nslookup, host and nsupdate have improved IPv6 support.

Highlights vs. BIND 8.3.0:
Critical bug fix to prevent DNS storms. If you have BIND 8.3.0 you need to upgrade.

the distribution files are:
&lt;; &lt;; &lt;;
the pgp signature files are:
&lt;; &lt;; &lt;;
the md5 checksums are:
MD5 (bind-contrib.tar.gz) = 89009ee8d937cd652a77742644772023 MD5 (bind-contrib.tar.gz.asc) = 3b91ed818771d21aa37c3ecc4685ba9d MD5 (bind-doc.tar.gz) = b7ccbde30d8c43202eabf61a51366852 MD5 (bind-doc.tar.gz.asc) = 333f80ec3d12ef7fc27a19ba2f9a9be0 MD5 (bind-src.tar.gz) = 36cc1660eb7d73e872a1e5af6f832167 MD5 (bind-src.tar.gz.asc) = 50a45b11e12441142d6eac423c5d01c7
Windows NT / Windows 2000 binary distribution.
There will be no Windows binary release of BIND 8.3.7. The current Windows binary release is BIND 8.4.3.

top of CHANGES says:
--- 8.3.7-REL released --- (Wed Sep 3 21:01:37 PDT 2003)
1581. [bug] apply anti-cache poison techniques to negative answers.

--- 8.3.6-REL released --- (Sun Jun 8 15:11:32 PDT 2003)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


NetBSD - Affected

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

NetBSD (1.6, 1.6.1 and current) is shipping with a vulnerable version of BIND 8. We will upgrade to either 8.3.7 or 8.4.2 as soon as ISC releases the info to the public. Or, users might want to use BIND 9 from pkgsrc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Nixu - Affected

Notified: October 21, 2003 Updated: November 20, 2003



Vendor Statement

The current versions of Nixu NameSurfer are not affected by this issue as they ship with BIND 9.2.2. However, as NameSurfer Suite and NameSurfer Standard Edition also support all the earlier versions of BIND, Nixu recommends that all organizations operating an existing Nixu NameSurfer installation upgrade their visible nameservers to BIND versions 9.2.1 or newer; BIND9 is compatible with NameSurfer versions 3.0.1 or newer.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


SuSE Inc. __ Affected

Notified: October 21, 2003 Updated: December 01, 2003



Vendor Statement


SUSE Security Announcement

Package: bind8
Announcement-ID: SuSE-SA:2003:047
Date: Friday, Nov 28th 2003 15:30 MEST
Affected products: 7.3, 8.0, 8.1, 8.2
Vulnerability Type: cache poisoning/denial-of-service
Severity (1-10): 5
SUSE default package: yes
Cross References: CAN-2003-0914

Content of this advisory:

1) security vulnerability resolved:
   - caching negative answers
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
   - ethereal
   - KDE
   - mc
   - apache1/2
   - gpg
   - freeradius
   - xscreensaver
   - screen
   - mod_gzip
   - gnpan
3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

To resolve IP addresses to host and domain names and vice versa the DNS service needs to be consulted. The most popular DNS software is the BIND8 and BIND9 suite. The BIND8 code is vulnerable to a remote denial-of-service attack by poisoning the cache with authoritative negative responses that should not be accepted otherwise.

To execute this attack a name-server needs to be under malicious control and the victim’s bind8 has to query this name-server. The attacker can set a high TTL value to keep his negative record as long as possible in the cache of the victim. For this time the clients of the attacked site that rely on the bind8 service will not be able to reach the domain specified in the negative record. These records should disappear after the time-interval (TTL) elapsed.

There is no temporary workaround for this bug.
To make this update effective run "rcnamed restart" as root please.
Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- ethereal A new official version of ethereal, a network traffic analyzer, was released to fix various security-related problems. An update package is currently being tested and will be released as soon as possible.

- KDE New KDE packages are currently being tested. These packages fix several vulnerabilities:
  + remote root compromise (CAN-2003-0690)
  + weak cookies (CAN-2003-0692)
  + SSL man-in-the-middle attack
  + information leak through HTML-referrer (CAN-2003-0459)
  + wrong file permissions of config files

  The packages will be released as soon as testing is finished.

- mc By using a special combination of links in archive-files it is possible to execute arbitrary commands while mc tries to open it in its VFS. The packages are currently tested and will be released as soon as

- apache1/2 The widely used HTTP server apache has several security vulnerabilities:
- locally exploitable buffer overflow in the regular expression code. The attacker must be able to modify .htaccess or httpd.conf. (affects: mod_alias and mod_rewrite)
- under some circumstances mod_cgid will output its data to the wrong client (affects: apache2)
The new packages are available on our FTP servers.

- gpg In GnuPG version 1.0.2 a new code for ElGamal was introduced. This code leads to an attack on users who use ElGamal keys for signing. It is possible to reconstruct the private ElGamal key by analyzing a public ElGamal signature. Please note that the ElGamal algorithm is seldomly used and GnuPG displays several warnings when generating ElGamal signature keys. The default key generation process in GnuPG will create a DSA signature key and an ElGamal subkey for _encryption only_. These keys are not affected by this vulnerability. Anyone using ElGamal signature keys (type 20, check fourth field of "gpg --list-keys --with-colon" output) should revoke them.

- freeradius Two vulnerabilities were found in the FreeRADIUS package. The remote denial-of-service attack bug was fixed and new packages will be released as soon as testing was successfully finished. The other bug is a remote buffer overflow in the module rlm_smb. We do not ship this module and will fix it for future releases.

- xscreensaver The well known screen-saver for X is vulnerable to several local tmp file attacks as well as a crash when verifying a password. Only SuSE Linux 9.0 products are affected. The new packages are available on our FTP servers.

- screen A buffer overflow in screen was reported. Since SuSE Linux 8.0 we do not ship screen with the s-bit anymore. An update package will be released for 7.3 as soon as possible.

- mod_gzip The apache module mod_gzip is vulnerable to remote code execution while running in debug-mode. We do not ship this module in debug-mode but future versions will include the fix.

- gnpan A remote denial-of-service attack can be run against the GNOME news-reader program gnpan. This bug affects SuSE Linux 8.0, 8.1, 8.2. Update packages are available on our FTP servers.

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command `md5sum <name-of-the-file.rpm>` after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key [email protected]), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command `rpm -v --checksig <file.rpm>` to verify the signature of the package, where `<file.rpm>` is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:

a) gpg is installed
b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): `gpg --batch; gpg < announcement.txt | gpg --import`

SUSE Linux distributions version 7.1 and thereafter install the key "[email protected]" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ``&lt;;`` .

- SUSE runs two security mailing lists to which any interested party may subscribe:

[email protected]
- general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to <[email protected]>.

[email protected]
- SUSE’s announce-only mailing list. Only SUSE’s security announcements are sent to this list. To subscribe, send an email to <[email protected]>.

For general information or the frequently asked questions (faq) send mail to: <[email protected]> or <[email protected]> respectively.

SUSE's security contact is <[email protected]> or <[email protected]>. The <[email protected]> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <[email protected]>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <[email protected]>
Thomas Biege <[email protected]>, SUSE LINUX AG, Security Support & Auditing
“lynx -source &lt;; | pgp -fka”
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83
… stay with me, safe and ignorant, go back to sleep… - Maynard James Keenan

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.
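The negative-caching problem described in the SUSE announcement above comes down to two decisions a caching resolver makes: whose negative answers it accepts for a name, and how long it keeps them. The following is an added example, not code from BIND, ISC, SUSE or CERT/CC; it models those two checks in Python, and the class, function and field names, the sample records and the three-hour cap are assumptions made for illustration.

```python
"""Model of a caching resolver deciding whether to keep a negative answer.

Illustrative only: names and structure are assumptions, not BIND code.
"""
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Assumed local ceiling for negative cache entries. RFC 2308 section 5
# suggests one to three hours as a sensible limit.
MAX_NCACHE_TTL = 3 * 3600


def _labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def in_zone(name, zone):
    """True if `name` equals `zone` or lies below it, compared label by label.

    A plain string-suffix test is not enough: "target.example" ends with
    "get.example" but is not inside that zone.
    """
    n, z = _labels(name), _labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


@dataclass
class NegativeAnswer:
    name: str                 # name the response says has no data / does not exist
    queried_zone: str         # zone whose delegation led the resolver to this server
    authoritative: bool       # AA bit of the response
    soa_owner: Optional[str]  # owner of the SOA in the authority section, if any
    soa_ttl: int = 0          # TTL of that SOA record
    soa_minimum: int = 0      # MINIMUM field of that SOA record


class Decision(NamedTuple):
    cache: bool
    ttl: int
    reason: str


def evaluate(ans, max_ttl=MAX_NCACHE_TTL):
    """Decide whether a negative answer may be cached, and for how long."""
    # Assumption: this resolver talks to authoritative servers directly.
    if not ans.authoritative:
        return Decision(False, 0, "not authoritative")
    # RFC 2308: negative responses without an SOA should not be cached.
    if ans.soa_owner is None:
        return Decision(False, 0, "no SOA in authority section")
    # The SOA must name a zone that actually contains the denied name.
    if not in_zone(ans.name, ans.soa_owner):
        return Decision(False, 0, "SOA does not cover the denied name")
    # Bailiwick: the server may only speak for zones at or below the one
    # it was consulted for.
    if not in_zone(ans.soa_owner, ans.queried_zone):
        return Decision(False, 0, "SOA zone outside the queried server's bailiwick")
    # RFC 2308: negative TTL is the lesser of SOA TTL and SOA MINIMUM;
    # the local ceiling bounds how long a bad entry can persist.
    ttl = min(ans.soa_ttl, ans.soa_minimum, max_ttl)
    if ttl <= 0:
        return Decision(False, 0, "zero TTL")
    return Decision(True, ttl, "accepted")


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "legitimate": NegativeAnswer(
        "nohost.example.org", "example.org", True, "example.org", 3600, 900),
    "out_of_bailiwick": NegativeAnswer(
        "www.target.example", "other.example", True, "target.example",
        2**31 - 1, 2**31 - 1),
    "huge_ttl": NegativeAnswer(
        "gone.example.org", "example.org", True, "example.org",
        2**31 - 1, 2**31 - 1),
    "suffix_lookalike": NegativeAnswer(
        "www.target.example", "get.example", True, "get.example", 3600, 3600),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:18} {evaluate(sample)}")
```
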


Sun Microsystems Inc. __ Affected

Notified: October 21, 2003 Updated: December 01, 2003



Vendor Statement

All supported releases of Solaris (i.e. Solaris 7, 8 and 9) are affected by this issue. We have published a Sun Alert which is available from: http://sunsolve.Sun.COM/pub-cgi/

It describes a possible workaround that can be used until official patches are released.
Supported Cobalt platforms and Sun Linux 5.0 are also affected. A Sun Alert will be published and will be available from: http://sunsolve.Sun.COM/pub-cgi/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


The SCO Group (SCO UnixWare) __ Affected

Notified: October 21, 2003 Updated: December 03, 2003



Vendor Statement

UnixWare 7.1.3: Unaffected current version of bind is 9.2.1.
Open UNIX 8.0.0 (aka UnixWare 7.1.2) Unaffected current version of bind is 9.2.0.
UnixWare 7.1.1: Affected. Fix will be at

OpenServer: fix in-progress

OpenLinux: also fix in-progress

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.



SCO Security Advisory
Subject: UnixWare 7.1.1 : Bind: cache poisoning BIND 8 prior to 8.3.7 and BIND 8.4.x prior 8.4.2
Advisory number: CSSA-2003-SCO.33
Issue date: 2003 December 01
Cross reference: sr886768 fz528464 erg712479 CAN-2003-0914


1. Problem Description
UnixWare 7.1.3 is unaffected by this issue because the version of bind included in UnixWare 7.1.3 is 9.2.1.

Open UNIX is also unaffected by this issue because the version of bind in Open UNIX 8.0.0 is 9.1.0.

CERT/CC Incident Note VU#734644
BIND is an implementation of the Domain Name System (DNS) protocols. Successful exploitation of this vulnerability may result in a temporary denial of service.

The Common Vulnerabilities and Exposures project ( has assigned the name CAN-2003-0914 to this issue.

2. Vulnerable Supported Versions

UnixWare 7.1.1 /usr/sbin/addr /usr/sbin/dig

3. Solution
The proper solution is to install the latest packages.

4. UnixWare 7.1.1
4.1 Location of Fixed Binaries

4.2 Verification
MD5 (erg712479.Z) = c1faea2a6a1da952e88c5123f88a2f89
md5 is available for download from &lt;;

4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Unknown installation method

5. References
Specific references for this advisory: &lt;;

SCO security resources: &lt;;

This security fix closes SCO incidents sr886768 fz528464 erg712479.

6. Disclaimer
SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.


Trustix Secure Linux __ Affected

Updated: December 01, 2003



Vendor Statement

Please see &lt;;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.



Trustix Secure Linux Security Advisory #2003-0044

Package name: bind
Summary: negative cache sec. fix
Date: 2003-11-27
Affected versions: TSL 1.2, 1.5

Package description:
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, and a resolver library (routines for applications to use when interfacing with DNS). A DNS server allows clients to name resources or objects and share the information with other network machines. The named DNS server can be used on workstations as a caching name server, but is generally only needed on one machine for an entire network. Note that the configuration files for making BIND act as a simple caching nameserver are included in the caching-nameserver package. Install the bind package if you need a DNS server for your network. If you want bind to act as a caching name server, you will also need to install the caching-nameserver package.

Problem description: According to the bind announcement dated Thu, 27 Nov 2003, the new upstream bind 8.3.7 fixes a security problem:

Security Fix: Negative Cache Poison Fix.
This issue has been addressed in these updates.

Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.

Location: All TSL updates are available from &lt;URI:``&lt;;``&gt; &lt;URI:``&lt;;``&gt;

About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater.

Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Public testing: These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailinglist. The testing tree is located at &lt;URI:``&lt;;``&gt;

You may also use swup for public testing of updates:
site { class = 0 location = "``&lt;;``" regexp = ".*"

Questions? Check out our mailing lists: &lt;URI:``&lt;;``&gt;

Verification: This advisory along with all TSL packages are signed with the TSL sign key. This key is available from: &lt;URI:``&lt;;``&gt;

The advisory itself is available from the errata pages at &lt;URI:``&lt;;``&gt; and &lt;URI:``&lt;;``&gt; or directly at &lt;URI:``&lt;;``&gt;

MD5sums of the packages:



TSL Security Team


Check Point __ Not Affected

Notified: October 21, 2003 Updated: October 27, 2003


Not Affected

Vendor Statement

Check Point products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Cray Inc. __ Not Affected

Notified: October 21, 2003 Updated: November 17, 2003


Not Affected

Vendor Statement

Cray Inc. is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Hitachi __ Not Affected

Notified: October 21, 2003 Updated: November 25, 2003


Not Affected

Vendor Statement

Hitachi HI-UX/WE2 is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Juniper Networks __ Not Affected

Notified: October 21, 2003 Updated: December 03, 2003


Not Affected

Vendor Statement

No Juniper Networks products contain this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


MandrakeSoft __ Not Affected

Notified: October 21, 2003 Updated: November 17, 2003


Not Affected

Vendor Statement

No MandrakeSoft products are affected by this as we ship BIND9 in all of our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Nominum __ Not Affected

Notified: October 21, 2003 Updated: November 17, 2003


Not Affected

Vendor Statement

Nominum products are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Red Hat Inc. __ Not Affected

Notified: October 21, 2003 Updated: November 17, 2003


Not Affected

Vendor Statement

Red Hat ships Bind 9 in all our supported distributions and therefore we are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


SGI __ Not Affected

Notified: October 21, 2003 Updated: November 17, 2003


Not Affected

Vendor Statement

SGI acknowledges VU#734644 reported by CERT and has determined that both SGI IRIX for MIPS systems and SGI ProPack Linux for Altix (IA64) are not vulnerable as BIND 8 does not ship with SGI IRIX or ProPack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


adns __ Not Affected

Notified: October 21, 2003 Updated: November 20, 2003


Not Affected

Vendor Statement

adns is not a nameserver and has no cache. It is not vulnerable to these kinds of problems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


BSDI Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


BlueCat Networks Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Conectiva Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Debian Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


EMC Corporation Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Fujitsu Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


IBM eServer __ Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <; and follow the steps for registration.

All questions should be referred to [email protected].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Ingrian Networks Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Lucent Technologies Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Men&Mice Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


MetaSolv Software Inc. Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


MontaVista Software Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


NEC Corporation Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Nokia Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Nortel Networks Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Novell Unknown

Notified: November 17, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Openwall GNU/*/Linux Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Sequent Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Sony Corporation Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


The SCO Group (SCO Linux) Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Unisys Unknown

Notified: October 21, 2003 Updated: October 21, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Wind River Systems Inc. Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.


Wirex Unknown

Notified: October 21, 2003 Updated: November 17, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.






The CERT/CC thanks the Internet Software Consortium for bringing this vulnerability to our attention.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2003-0914
Severity Metric: 1.50 Date Public:








