From security@caldera.com Mon Jun 10 21:37:32 2002
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, scoannmod@xenitec.on.ca
Date: Mon, 10 Jun 2002 15:31:35 -0700
Subject: Security Update: [CSSA-2002-SCO.24] Open UNIX 8.0.0 : BIND 9 Denial-of-Service vulnerability

______________________________________________________________________________

            Caldera International, Inc.  Security Advisory

Subject:            Open UNIX 8.0.0 : BIND 9 Denial-of-Service vulnerability
Advisory number:    CSSA-2002-SCO.24
Issue date:         2002 June 10
Cross reference:
______________________________________________________________________________


1. Problem Description

    An assertion failure in BIND version 9 can be triggered by
    certain responses, leading to a denial of service attack.

    This security fix updates BIND to version 9.2.1.


2. Vulnerable Supported Versions

    System                  Binaries
    ----------------------------------------------------------------------
    Open UNIX 8.0.0         /usr/sbin/dig
                            /usr/sbin/dnssec-keygen
                            /usr/sbin/dnssec-makekeyset
                            /usr/sbin/dnssec-signkey
                            /usr/sbin/dnssec-signzone
                            /usr/sbin/host
                            /usr/sbin/in.named
                            /usr/sbin/named-checkconf
                            /usr/sbin/named-checkzone
                            /usr/sbin/ndc
                            /usr/sbin/nslookup
                            /usr/sbin/nsupdate
                            /usr/sbin/rndc


3. Solution

    The proper solution is to install the latest packages.


4. Open UNIX 8.0.0

    4.1 Location of Fixed Binaries

        ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.24


    4.2 Verification

        MD5 (erg712061.pkg.Z) = 14427a77db777d8d630ca906b27d7582

        md5 is available for download from
            ftp://ftp.caldera.com/pub/security/tools


    4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        Download erg712061.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712061.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712061.pkg


5. References

    Specific references for this advisory:
        http://www.kb.cert.org/vuls/id/739123
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0400

    Caldera security resources:
        http://www.caldera.com/support/security/index.html

    This security fix closes Caldera incidents sr865147, fz521091
    and erg712061.


6. Disclaimer

    Caldera International, Inc. is not responsible for the misuse
    of any of the information we provide on this website and/or
    through our security advisories. Our advisories are a service
    to our customers intended to promote secure installation and
    use of Caldera products.


7. Acknowledgements

    The Internet Software Consortium discovered and researched
    this vulnerability.

______________________________________________________________________________
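
The verification in section 4.2, gated in front of the install commands of section 4.3, as an added example that is not part of Caldera's advisory. The function names and the choice of MD5 tool (md5sum, md5 or openssl, whichever is on PATH) are assumptions; the package name, digest and install commands are the advisory's.

```shell
#!/bin/sh
# Added example: check a downloaded package against the advisory's
# "MD5 (file) = digest" line before uncompress/pkgadd are run.

# Print the lowercase hex MD5 of a file.
# Assumption: md5sum, md5 or openssl is on PATH (not stated in the advisory).
file_md5() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if command -v md5sum >/dev/null 2>&1; then
        out=$(md5sum "$1") && out=${out%% *}     # "digest  file"
    elif command -v md5 >/dev/null 2>&1; then
        out=$(md5 "$1") && out=${out##* }        # "MD5 (file) = digest"
    elif command -v openssl >/dev/null 2>&1; then
        out=$(openssl md5 "$1") && out=${out##* }
    else
        echo "no MD5 tool found" >&2; return 2
    fi || return 2
    printf '%s\n' "$out" | tr 'A-F' 'a-f'
}

# Turn "MD5 (name) = digest" into "name digest"; prints nothing if malformed.
parse_md5_line() {
    printf '%s\n' "$1" | sed -n \
      's/^[[:space:]]*MD5 (\([^)]*\)) = \([0-9A-Fa-f]\{32\}\)[[:space:]]*$/\1 \2/p'
}

# verify_pkg <path> <advisory-line>
# 0 = name and digest match, 1 = mismatch, 2 = cannot check (fails closed).
verify_pkg() {
    parsed=$(parse_md5_line "$2")
    [ -n "$parsed" ] || { echo "unparseable advisory line" >&2; return 2; }
    want_name=${parsed% *}
    want_md5=$(printf '%s' "${parsed##* }" | tr 'A-F' 'a-f')
    [ "$(basename "$1")" = "$want_name" ] ||
        { echo "name mismatch: expected $want_name" >&2; return 1; }
    got_md5=$(file_md5 "$1") || return 2
    [ "$got_md5" = "$want_md5" ] ||
        { echo "MISMATCH $want_name: got $got_md5" >&2; return 1; }
    echo "OK $want_name $got_md5"
}

# Usage with the advisory's own values (run as root on the affected host):
#   verify_pkg /var/spool/pkg/erg712061.pkg.Z \
#       'MD5 (erg712061.pkg.Z) = 14427a77db777d8d630ca906b27d7582' \
#     && uncompress /var/spool/pkg/erg712061.pkg.Z \
#     && pkgadd -d /var/spool/pkg/erg712061.pkg
```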