<?xml version="1.0" encoding="utf-8"?>
<glsa id="200903-14">
<title>BIND: Incorrect signature verification</title>
Incomplete verification of RSA and DSA certificates might lead to spoofed
records authenticated using DNSSEC.
<product type="ebuild">bind</product>
<announced>March 09, 2009</announced>
<revised>March 09, 2009: 01</revised>
<package name="net-dns/bind" auto="yes" arch="*">
<unaffected range="ge">9.4.3_p1</unaffected>
<vulnerable range="lt">9.4.3_p1</vulnerable>
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
BIND does not properly check the return value from the OpenSSL
functions to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265)
<impact type="normal">
A remote attacker could bypass validation of the certificate chain to
spoof DNSSEC-authenticated records.
There is no known workaround at this time.
All BIND users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-dns/bind-9.4.3_p1&quot;</code>
<uri link="">CVE-2009-0025</uri>
<uri link="">CVE-2009-0265</uri>
<metadata tag="requester" timestamp="Sun, 11 Jan 2009 17:55:00 +0000">
<metadata tag="submitter" timestamp="Mon, 09 Mar 2009 10:41:33 +0000">
<metadata tag="bugReady" timestamp="Mon, 09 Mar 2009 10:41:40 +0000">