OpenPKG Corporation
OpenPKG CorporationSecuritySecurity Advisories

OpenPKG Security Advisory

OpenPKG-SA-2006.029

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2006.029
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2006.029
Advisory Published:      2008-10-06 16:13 UTC

Issue Id (internal):     OpenPKG-SI-20061104.01
Issue First Created:     2006-11-04
Issue Last Modified:     2006-12-07
Issue Revision:          08



Subject Name:            BIND
Subject Summary:         Berkeley Internet Name Domain (BIND)
Subject Home:            http://www.isc.org/products/BIND/
Subject Versions:        * <= 9.3.2

Vulnerability Id:        CVE-2006-4339
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           local system
Attack Impact:           identity fraud

Description:
    According to a vendor security advisory [0], the DNS server BIND [1]
    (versions up to and including 9.3.2-P1) is vulnerable to the recently
    discovered OpenSSL RSA signature verification problem
    
    BIND uses RSA cryptography as part of its DNSSEC implementation. To
    resolve the security issue, upgrade to the corrected OpenPKG packages
    and for both your KEY and DNSKEY resource record types, generate new
    RSASHA1 and RSAMD5 keys using the "-e" option to dnssec-keygen(8) if
    the current keys were generated using the default exponent of 3. You
    can determine if your keys are vulnerable by looking at the algorithm
    (1 or 5) and the first three characters of the Base64 encoded RSA key.
    RSASHA1 (5) and RSAMD5 (1) keys that start with "AQM", "AQN", "AQO" or
    "AQP" are vulnerable.

References:
    [0] http://marc.theaimsgroup.com/?l=bind-announce&m=116253119512445
    [1] http://www.isc.org/sw/bind/



Primary Package Name:    bind
Primary Package Home:    http://openpkg.org/go/package/bind

Affected Distribution:   Affected Branch:  Affected Package:
OpenPKG Enterprise       E1.0-SOLID        bind-9.3.2-E1.0.0
OpenPKG Community        2-STABLE-20061018 bind-9.3.2-2.20061018
OpenPKG Community        2-STABLE          bind-9.3.2-2.20061018
OpenPKG Community        CURRENT           bind-9.3.2-20061013

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        bind-9.3.2-E1.0.1
OpenPKG Community        2-STABLE-20061018 bind-9.3.2p2-2.20061104
OpenPKG Community        2-STABLE          bind-9.3.2p2-2.20061104
OpenPKG Community        CURRENT           bind-9.3.2p2-20061104
Plain Text Version

Latest Advisories:
2007.023 perl
2007.022 bind
2007.021 wordpress
2007.020 php
2007.019 php
2007.018 freetype
2007.017 ratbox
2007.016 gd
2007.015 quagga
2007.014 bind
more...

See Also:
OpenPKG Enterprise 1
ChangeLog!

Meta: About | Imprint | Policy | Feedback | Sitemap | Search:
Validation: XHTML | CSS