DNS flaws called overblown by researcher
July 14th, 2008 by Robert Westervelt
A widely respected reverse software engineer says the alarm over the flaws in Domain Name Servers (DNS) is overblown.
Researcher Halvar Flake said that anyone who uses the internet should assume that the DNS gateway is already a haven for attackers.
“That is why we have SSL, that is why we have certificates, that is why SSH tells you when the host key changes,” Flake said in a post on his blog. “DNS can never be trusted - you always have to assume that your ISP’s admin runs a broken file sharing server on the same box with BIND.”
Flake is the creator of BinDiff, a command-line tool that helps researchers conduct binary differential analysis to detail the differences between two binaries. He called security researcher Dan Kaminsky’s discovery of a serious flaw in the implementation of the DNS protocol good work, but added that there have been much worse problems in recent memory.
In an announcement last week, Kaminsky called the DNS flaw a threat to every system that connects to the Internet. The flaw opens DNS servers to cache poisoning, which allows an attacker to redirect Internet traffic and potentially steal sensitive data, such as credit card numbers and personally identifiable information.
The flaw was a design issue that couldn’t be addressed by a single vendor. As a result, a number of DNS vendors issued a coordinated release of updates to address the issue.
Kaminsky addressed the skepticism of some researchers in his DoxPara Research blog. Kaminsky provided details of the flaw to security researchers Thomas Ptacek and Dino Dai Zovi. Both researchers called the DNS issue way more serious than they imagined.
“Nobody reading this can know if I was right or not, because (almost) nobody knows the bug,” Kaminsky said.
Kaminsky said he will release details of the flaw at the Black Hat 2008 conference on Aug. 7 and 8 in Las Vegas.
全球DNS曝出重大漏洞 各大IT厂商联手应对 (1)
发布时间:2008.07.15 07:28 来源:赛迪网 作者:kaduo
【赛迪网-IT技术报道】DNS协议是TCP/IP协议组的一部分,允许DNS客户端查询DNS数据库将主机名解析为IP地址。出于与处理DNS查询相关的处理时间和带宽考虑,大多数DNS服务器都会本地存储从其他DNS服务器所接收到的响应,存储这些响应的区域被称为缓存。
发布日期:2008-07-08
更新日期:2008-07-10
受影响系统:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
ISC BIND 9.5.x
ISC BIND 9.4.x
ISC BIND 9.3.x
ISC BIND 9.2.x
ISC BIND 8.x.x
Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows 2000SP4
Sun Solaris 9.0_x86
Sun Solaris 9.0
Sun Solaris 8.0_x86
Sun Solaris 8.0
Sun Solaris 10.0_x86
Sun Solaris 10.0
Cisco Network Registrar 7.0.x
Cisco Network Registrar 6.3.x
Cisco Network Registrar 6.1.x
Cisco Network Registrar
Cisco ACNS 5.5
描述:
----------------------------------------------------------------------------
BUGTRAQ ID: 30131
CVE(CAN) ID: CVE-2008-1447
DNS协议是TCP/IP协议组的一部分,允许DNS客户端查询DNS数据库将主机名解析为IP地址。
出于与处理DNS查询相关的处理时间和带宽考虑,大多数DNS服务器都会本地存储从其他DNS服务器所接收到的响应,存储这些响应的区域被称为缓存。一旦将响应存储到了缓存,DNS服务器就可以在再次查询DNS服务器以刷新本地缓存的响应拷贝之前的一段时间(被称为存活时间)使用本地存储的响应。
DNS缓存中毒攻击指的是更改了DNS服务器的DNS缓存中某项,这样缓存中与主机名相关的IP地址就不再指向正确的位置。例如,如果www.example.com映射到IP地址192.168.0.1且DNS服务器的缓存中存在这个映射,则成功向这个服务器的DNS缓存投毒的攻击者就可以将www.example.com映射到10.0.0.1。在这种情况下,试图访问www.example.com的用户就可能与错误的Web服务器联络。
DNS协议实现规范中包括一个16位的事件ID字段。如果正确地实现了这个规范且通过强随机数生成器随机的选择事件ID的话,攻击者就需要平均32,768次尝试才能成功的预测到这个ID。但由于协议实现中的弱点,用于验证DNS响应的DNS事件ID和源端口号随机性不够强,可以轻易的预测,这就允许攻击者创建匹配期望值的DSN请求伪造响应,而DNS服务器会认为该响应有效,因此简化了缓存中毒攻击。
成功利用这个漏洞可能导致DNS服务器的用户联络错误的网络服务供应商,最终的影响各不相同,从简单的拒绝服务到网络钓鱼和金融诈骗。
建议:
----------------------------------------------------------------------------
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(cisco-sa-20080708-dns)以及相应补丁:
cisco-sa-20080708-dns:Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
链接:http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
Debian
------
Debian已经为此发布了一个安全公告(DSA-1603-1)以及相应补丁:
DSA-1603-1:New bind9 packages fix cache poisoning
链接:http://www.debian.org/security/2008/dsa-1603
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3.dsc
Size/MD5 checksum: 897 aeb15f8babb1e6e38367b9f19fea87da
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4.orig.tar.gz
Size/MD5 checksum: 4043577 198181d47c58a0a9c0265862cd5557b0
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3.diff.gz
Size/MD5 checksum: 302126 521abea46b1104f2251cc398f30af303
Architecture independent packages:
http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.3.4-2etch3_all.deb
Size/MD5 checksum: 189560 46ff778db82d2e171d292ecac93ea9b6
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 98154 bbdbcd3d0840f5ffcf4eaddf5a8c253f
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 1407380 ca8995875e76a25de6f32a47f62ea876
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 226088 93100774ae6da891caf9fa27a2134cdf
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 112616 bca5dcca8abff15f4f9cc911f9f94818
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 322286 677fdcf8e9a8c272a08ed47a79e09209
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 190084 87d64554a1cdde9f58cc850f7d5961a1
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 96508 48ba9fc0e884f093e95988bd4e088b9c
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 564862 7b23948d7c741d4f287698d28385ce71
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 188742 5dd8024a9864137f4529785fcc9c9231
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 116534 2e7dc9ea95bae40dc396ff504abb03bb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_alpha.deb
Size/MD5 checksum: 115784 b961fd6c797a2d1422ae588bfc25ed9d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 224294 4d33744bb92300b061cad41dd8de7ea5
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 1111932 e43ced7eae496d7835247a068bef4a66
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 190742 9e39ced5d3464594b9dda6ce683fc653
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 319008 e36a35983ebc5061e8669ef7f004a851
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 552414 c93c2863bddd5661010ae3472e210aa8
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 95922 f114eb76add0d7dabad1d082d38ccf08
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 117072 a70d1d96ea01aa24fb9642e09133824f
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 187646 70372cec3522356dcd00901ea64714d4
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 111270 6dc6edfcca9fecb28c7e66d31ab14a74
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 114722 905d0f9b7b5ebc0308c54158e71d03cc
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_amd64.deb
Size/MD5 checksum: 96704 09d3c850f12a6c1f6eab4e800a118c87
arm architecture (ARM)
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 107888 b2ea4933e233a1af8dd1e5ee641999a2
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 112714 27b1fde9b144cacb1ae06a441d7c5787
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 116076 cafc3294083de02518ab5fe0f0488c3b
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 532206 a005bdff779fed950e4750231d0184b2
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 187364 72fdca60a20876be71b678028cefc316
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 95752 bce98b259a2821d59f6e6b441b491d77
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 182950 26a15d51a4e6f1ea1dda99ab4d3ea34c
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 217686 97f538e27ab7c765b514a9ce59869a41
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 95168 374d7f18915fc8eb6b775d272cf28f2e
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 1074498 fdada51888027e9c3e89961b31a48ded
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_arm.deb
Size/MD5 checksum: 311078 43d1c044b0cc81b072b8962ad3b8f019
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 96986 bba6d0a611b7088e284564b430f91405
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 97140 14f3dacd102208700660873637dea18b
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 185570 012eb78b091c0991988a95160df7d65d
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 115822 d717418b7ec770e5419e0941670eab19
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 543342 201331119c074430d503b68dc210e187
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 1258146 2f092d0708338d0a3ac8924218fee0d7
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 315070 bc8d94bec7b1c8cf80f64fb72d1f38e5
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 187942 1cd85afac13850d1807a5b50b9d3262f
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 114612 912dc2007ca7cb6097a3e6a4e98897e3
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 217378 49276452262a155ba17db2ad8c66e3e2
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_hppa.deb
Size/MD5 checksum: 113466 428d268ce8ad5386c1af758ca4cff2ce
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 106034 ce4d4a024472317185d4c6492b7d30df
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 180292 1fd02a86a31b68a8db2407904495a0db
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 94838 9dbc2734dd8b8bb7c3e7684faabea64e
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 206330 a22fb6cb47d6e449007d665b9e6d8c52
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 113162 b9bc5fa7f96313235a53ab6fd819b58b
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 472708 9edfb07c186a93aea1a2e602e0ee6335
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 94822 d2fc00416dc090a535b280f48eee7f46
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 169930 47c43c9738afb7ed72618930dc702ed3
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 296722 dd1979969210386fc36d119e19e12cc2
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 996528 56db22ee21e053443e72ccd11a25181b
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_i386.deb
Size/MD5 checksum: 110134 5491e4e33e43f1300840b62947690b7a
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 232052 eb9215cb2ba71ded815b4ca6f0ac0744
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 99978 ceee4c1dc16fdf2d7fefe1aee6d8dd85
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 393324 553b67ca638482db8e1586d231f03abe
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 740264 a30c98b25296a147d47d7f44c8418883
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 127606 33d62368c2ce437e660708eb6b0ffe2b
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 216344 0a0b33f34dbeb744bd8af8ad8388048f
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 125806 3aafce71b9e4ecaf01602c409a355b54
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 1584302 d982b4443c38056cdeb80b327ee36f3a
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 117782 ae8ae735a8054ff473d305b06c90c68a
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 102432 4443f6e43cc1e4c7448965a0501bfe54
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_ia64.deb
Size/MD5 checksum: 280866 c20244c3a06177b934ac804b382b85c7
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 174012 cf61e15aa7c79b40ae94a3c1d08ba496
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 301476 4094fd919da162322ea07d62378cc664
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 110326 be73e626902012ca986d4192804017e7
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 180490 dde7f37a0a2456190461f5f26bf30ab6
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 1229398 37af92bf5074d9a260fd4ff5346dc4b8
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 211386 8083484e19ebc9099022954350c6baf7
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 94992 46f858e2ed33a864539476d25bd9b44f
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 94230 6bfa6b8d78c46567a341f6174f9aa874
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 491862 fc2d747a29c0116da5936b4964ef8146
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 113268 58fb17d2ee0415e13fdad4727534b6cc
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_mips.deb
Size/MD5 checksum: 107912 5834642a56bb9548510f8cd0a3ae766f
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 299514 0b5de102f7ddf83d497498b320613556
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 488260 7b85b99ea5c24f74e531bbd9056672e9
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 1205384 a3211957988d4aaae40776ff41cf6a01
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 113016 dddd0a37c778cd68696318a7adc1abcd
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 110254 6754bc57fcac807b5569531f7e821802
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 174148 23e91bbb42a44ca80535079660813277
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 179630 fa26c51aa248cb502ac54544bdd6ced0
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 210904 21784fc7019a384e78ecc94a10f4e315
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 94936 2068abe2f2e78675ad94ea28579efc87
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 107166 2cfce41a4fc41aa9986cdef01e09705d
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_mipsel.deb
Size/MD5 checksum: 94098 c95a157cfa3feef62450afdef3fe65a8
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 173606 9618a781d59f94f751e18db86cf6b948
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 112276 e786724068250eb53c475a3e51035d51
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 113842 4961da1e75c17f3f00621acfc06d10fe
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 488428 b777fc3fe13b319817f955f116b40e83
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 1167832 75f402f7bf328da5deee364f4266558d
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 96204 57ec688c7f24161e347054dc93fbd757
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 96170 77d5b9189a05f2b3dca7901bff6e56df
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 301276 dddf71278c1f4afbbc49019248f4328e
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 109288 8fd2b3005fcf95e3616ec8a77b3ad322
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 183310 b9eb85b58aaf29a3106d16410c0d379a
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_powerpc.deb
Size/MD5 checksum: 206830 b286690dde8d1412c2de3fa99f7d3c5b
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 114234 23a30b0e26db0210a1be48c4d44b6d7f
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 331864 7c3fab929f1e29873ecfc7c7c4b52ddc
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 116656 8abeeeb22e800f63e4b30e0c2dd974e0
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 1137342 820a17acdc24ef1dd0c1db7b8e6fc470
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 233948 635487d4e6ea4d15704bb14b8cf9236c
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 196598 2198086ee8c358aa3ed5046708a31f45
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 194704 c897d956b11161ae8e31e4bffb489883
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 118140 e5e11d59852a32dcd1b78b4aabd22fff
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 95664 050d558c3d06e520fb4e6c6cebd520c3
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 579484 6fc80f5cde0c2d01b49ae53f027eeecc
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_s390.deb
Size/MD5 checksum: 97786 5dda64259aa80e1c2e085e7fc2430299
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 300090 21095a9477d8db8bdbca300235ddc296
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 210606 8bd074b427b5f732c5584ca265bb2c28
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 1121664 2750abf3a8e3ffa54d1b15f6a5b6738e
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 94822 4e2634cf2561a237174a6863377b24cd
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 175248 4231a2791083fc82977535613d38ef2a
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 184036 aea98952994fb97c74df02ae4ed2f28d
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 107574 b6a3a3204c134d54dce2d8d79f77f647
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 493628 b5c5a9638091fd0d6543a405bfdefd53
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 94828 4657a6a42f7f2fac5ef96d273e9de4df
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 114258 32f88744a6e6e648377dda42ff910cbb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_sparc.deb
Size/MD5 checksum: 111158 a59dbf1edb5518b09b2993049922c01a
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS08-037)以及相应补丁:
MS08-037:Vulnerabilities in DNS Could Allow Spoofing (953230)
链接:http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx?pf=true
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2008:0533-01)以及相应补丁:
RHSA-2008:0533-01:Important: bind security update
链接:https://www.redhat.com/support/errata/RHSA-2008-0533.html
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-239392)以及相应补丁:
Sun-Alert-239392:Security Vulnerability in the DNS Protocol may lead to DNS Cache Poisoning
链接:http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-239392-1suse {{{Date: Wed, 01 Aug 2007 16:07:35 +0200 From: Ludwig Nussel
--------------------------------------------------------------------------------
BEGIN PGP SIGNED MESSAGE
--------------------------------------------------------------------------------
Hash: SHA1
SUSE Security Announcement
Package: bind, bind9
Announcement ID: SUSE-SA:2007:047 Date: Wed, 01 Aug 2007 14:00:00 +0000 Affected Products: SUSE LINUX 10.0
SUSE LINUX 10.1 openSUSE 10.2
UnitedLinux 1.0 SuSE Linux Enterprise Server 8 SuSE Linux Openexchange Server 4 SuSE Linux Standard Server 8 SuSE Linux School Server SUSE LINUX Retail Solution 8 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SUSE Linux Enterprise Server 10 SP1
Vulnerability Type: DNS cache poisoning Severity (1-10): 4 SUSE Default Package: no Cross-References: CVE-2007-2926
Content of This Advisory:
1) Security Vulnerability Resolved:
bind security update
Problem Description
2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- See SUSE Security Summary Report
6) Authenticity Verification and Additional Information
1) Problem Description and Brief Discussion
Amit Klein found that the random number generator used by the BIND name server to compute DNS query IDs generates predictable values. Remote attackers could exploit this flaw to conduct DNS cache poisoning attacks (CVE-2007-2926).
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of bind after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-9.3.2-56.3.i586.rpm
48abc8f128c76c49e021005ffa37e9ee
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-libs-9.3.2-56.3.i586.rpm
f240048ef7c3534bfc38fec305dd3544
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-utils-9.3.2-56.3.i586.rpm
cebf7e1d7c0c26298a7b30dd0571074c
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/bind-9.3.2-17.18.i586.rpm
0a6d5f40bb95626e04bc090a89011901
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/bind-libs-9.3.2-17.18.i586.rpm
f44c83eb3a7971001c58675dbde639be
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/bind-utils-9.3.2-17.18.i586.rpm
bb311a19785da40e826827b2acfcad72
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/bind-9.3.2-56.3.i586.rpm
a75a13517fe07dda2f3f6def7de206f0
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/bind-devel-9.3.2-56.3.i586.rpm
0745b6d2b41259c86269632a03804372
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/bind-doc-9.3.2-56.3.i586.rpm
14df9b80e49a627f4d5313e9cf95fc97
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/bind-libs-9.3.2-56.3.i586.rpm
9e4ef221bfde5aee6a94c904a98b2fc3
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/bind-lwresd-9.3.2-56.3.i586.rpm
35fc7567db77d89561e991176ff0f6a4
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/bind-utils-9.3.2-56.3.i586.rpm
46fdb7a792c81d8a597ee7bd046a0f65
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/nss_lwres-0.93-6.3.i586.rpm
0cea0ad2440d863eb5082138184e64ad
Power PC Platform: openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/bind-9.3.2-56.3.ppc.rpm
8ba1e6488407ee636e2df2ed28a6e762
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/bind-libs-9.3.2-56.3.ppc.rpm
0c08f744bf7a730b1da5253372689ab9
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/bind-utils-9.3.2-56.3.ppc.rpm
d9ac9c156a8290b7fb36281648a687bb
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/bind-9.3.2-17.18.ppc.rpm
01196536550eb52905def53425a33fdb
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/bind-libs-9.3.2-17.18.ppc.rpm
c89a99c0076346029af97c7d700292b1
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/bind-utils-9.3.2-17.18.ppc.rpm
3065af7b1739cc9c9210ac4c2ea2fb20
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/bind-9.3.2-56.3.ppc.rpm
39fa5b6d2d6d05bf7b7e6ab10a26450b
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/bind-devel-9.3.2-56.3.ppc.rpm
01927c9dba84b552fe4678ea545a0e1f
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/bind-doc-9.3.2-56.3.ppc.rpm
e19c2a378da251d2298b39c8913bbee6
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/bind-libs-9.3.2-56.3.ppc.rpm
e38ecdcbcf9d4c45308d9cc0c6130a50
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/bind-lwresd-9.3.2-56.3.ppc.rpm
c3461c9830feb17ae4152d6c5152b4e1
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/bind-utils-9.3.2-56.3.ppc.rpm
61a09dd2a49b0fc851a75c910c784b45
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/nss_lwres-0.93-6.3.ppc.rpm
4f54b429356e3c3cd63025c828ee7fda
x86-64 Platform: openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/bind-9.3.2-56.3.x86_64.rpm
a6f05877f1e67aa034510787ab4c5eb5
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/bind-libs-32bit-9.3.2-56.3.x86_64.rpm
b425e8ccab18397b345d3a264fb6385e
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/bind-libs-9.3.2-56.3.x86_64.rpm
9802cea2b3e51e15838280d71529543b
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/bind-utils-9.3.2-56.3.x86_64.rpm
5a826a5d01b13ad46825af5ec0be47d9
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/bind-9.3.2-17.18.x86_64.rpm
366c78e6581c683de19367aba4b4ec18
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/bind-libs-32bit-9.3.2-17.18.x86_64.rpm
67d44342aac8bb90cbc30cde05028ef5
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/bind-libs-9.3.2-17.18.x86_64.rpm
d14194bd4c8fd21292e619beb4b45e30
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/bind-utils-9.3.2-17.18.x86_64.rpm
169e61fbf1d14c74f3111129964f5781
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bind-9.3.2-56.3.x86_64.rpm
abcc76ac1cfde1240debb90bb9a6e4d4
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bind-devel-9.3.2-56.3.x86_64.rpm
c9d75ab01b6ec59a33ee057761b27689
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bind-doc-9.3.2-56.3.x86_64.rpm
fb7f24a49961a51038148c3e7ddc02fb
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bind-libs-32bit-9.3.2-56.3.x86_64.rpm
da1ba6adf8548175c2e2c20f82ac3aea
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bind-libs-9.3.2-56.3.x86_64.rpm
eefb912d78be2d68336f5ba3e4af7da4
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bind-lwresd-9.3.2-56.3.x86_64.rpm
68e60bd1dc5f3e7aeef46fb9cde0eb90
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/bind-utils-9.3.2-56.3.x86_64.rpm
bfbbfd8863c5d95ba01b3706b8070ed1
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/nss_lwres-0.93-6.3.x86_64.rpm
d2b01545788cc682d85ccec56a279d63
Sources: openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/bind-9.3.2-56.3.src.rpm
38e0184897ace16acfe0c05bdc495db9
SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/bind-9.3.2-17.18.src.rpm
2d3b097dfc202b56b43b9fe32c7e3c32
SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/bind-9.3.2-56.3.src.rpm
32e43c29bdcd6fe8de2afd4de2e56918
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/nss_lwres-0.93-6.3.src.rpm
fc699b0b5d8fd0ad309789323dcbab21
Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web:
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.html
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.html
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.html
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.html
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.html
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/b90103f8211b22803a126a1781f9c870.html
SUSE Linux Enterprise Server 10 SP1
http://support.novell.com/techcenter/psdb/9661e828c0e56d3297ed6fc60453d1e7.html
SLE SDK 10 SP1
http://support.novell.com/techcenter/psdb/9661e828c0e56d3297ed6fc60453d1e7.html
SUSE Linux Enterprise Desktop 10 SP1
http://support.novell.com/techcenter/psdb/9661e828c0e56d3297ed6fc60453d1e7.html
Open Enterprise Server
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.html
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.html
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.html
SUSE SLES 9
http://support.novell.com/techcenter/psdb/c9ea0bc14d84824dc2e54f71907d6322.html
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- See SUSE Security Summary Report
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command
gpg --verify
replacing
gpg: Signature made
where
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or RPM package: 1) Using the internal gpg signatures of the rpm package 2) MD5 checksums as provided in this announcement 1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum
after you downloaded the file from a SUSE FTP server or its mirrors. Then compare the resulting md5sum with the one that is listed in the SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the checksums show proof of the authenticity of the package if the signature of the announcement is valid. Note that the md5 sums published in the SUSE Security Announcements are valid for the respective packages only. Newer versions of these packages cannot be verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list. To subscribe, send an e-mail to
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to
=====================================================================
SUSE's security contact is
The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team