The vulnerabilities stem from incorrect determination of the security status of an NS RRset during a DNSKEY algorithm rollover, and from improper handling of signed negative responses and the corresponding RRSIG records in the cache.
Impact:
A remote attacker can exploit the vulnerabilities to cause a denial of service.
Solution:
All users of the affected software package are advised to apply the available updates and patches.
Denial of service vulnerability in BIND
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Fri Jul 15 12:45:23 CDT 2011
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/bind9_advisory2.asc
VULNERABILITY SUMMARY
VULNERABILITY: Denial of service vulnerability in BIND
PLATFORMS: AIX 5.3, 6.1, and 7.1 releases
SOLUTION: Apply the fix or workaround as described below.
THREAT: A remote attacker can cause a denial of service
CVE Numbers: CVE-2010-3614, CVE-2010-3613
Reboot required? NO
Workarounds? NO
DETAILED INFORMATION
I. DESCRIPTION
The security status of an NS RRset is not properly determined
during a DNSKEY algorithm rollover which can allow a remote
attacker to cause a denial of service.
Signed negative responses and corresponding RRSIG records in
the cache are not properly handled which can allow a remote
attacker to cause a denial of service.
Please see the following for more information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
II. PLATFORM VULNERABILITY ASSESSMENT
Note: To use the following commands on VIOS you must first
execute:
oem_setup_env
To determine if your system is vulnerable, execute the following
command:
lslpp -L bos.net.tcp.client bos.net.tcp.server
The following fileset levels are vulnerable:
AIX Fileset            Lower Level   Upper Level
------------------------------------------------
bos.net.tcp.client     5.3.12.0      5.3.12.4
bos.net.tcp.server     5.3.12.0      5.3.12.2
bos.net.tcp.client     6.1.4.0       6.1.4.10
bos.net.tcp.server     6.1.4.0       6.1.4.8
bos.net.tcp.client     6.1.5.0       6.1.5.6
bos.net.tcp.server     6.1.5.0       6.1.5.5
bos.net.tcp.client     6.1.6.0       6.1.6.15
bos.net.tcp.server     6.1.6.0       6.1.6.15
bos.net.tcp.client     7.1.0.0       7.1.0.15
bos.net.tcp.server     7.1.0.0       7.1.0.15
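Comparing fileset levels by hand against the table above is error-prone (6.1.6.9 sorts after 6.1.6.15 as a string). The following POSIX shell script is an added example, not part of the IBM advisory: it parses `lslpp -L` output, compares each bos.net.tcp.* level numerically component by component against the vulnerable ranges copied from the table, and reports VULNERABLE or ok per fileset. The function names, the `--live` flag and the sample lslpp output are this example's own; the sample is constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not part of the IBM advisory): check `lslpp -L` output
# against the vulnerable fileset ranges from section II of the advisory.
# Function names, the --live flag and the sample output are this example's own.

# Vulnerable ranges, one "fileset lower upper" triple per line, copied from
# the advisory table.
VULN_RANGES='bos.net.tcp.client 5.3.12.0 5.3.12.4
bos.net.tcp.server 5.3.12.0 5.3.12.2
bos.net.tcp.client 6.1.4.0 6.1.4.10
bos.net.tcp.server 6.1.4.0 6.1.4.8
bos.net.tcp.client 6.1.5.0 6.1.5.6
bos.net.tcp.server 6.1.5.0 6.1.5.5
bos.net.tcp.client 6.1.6.0 6.1.6.15
bos.net.tcp.server 6.1.6.0 6.1.6.15
bos.net.tcp.client 7.1.0.0 7.1.0.15
bos.net.tcp.server 7.1.0.0 7.1.0.15'

# Constructed sample of `lslpp -L bos.net.tcp.client bos.net.tcp.server`
# output (not captured from a real system): the client fileset sits inside
# the 6.1.6 range, the server fileset is one level past its upper bound.
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.net.tcp.client        6.1.6.15    C     F    TCP/IP Client Support
  bos.net.tcp.server        6.1.6.16    C     F    TCP/IP Server'

# version_le A B: succeed when dotted version A <= B, comparing each
# component as a number (so 6.1.6.9 < 6.1.6.15, unlike a string compare).
version_le() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        if [ -z "$p1" ]; then p1=0; fi   # a missing component counts as 0
        if [ -z "$p2" ]; then p2=0; fi
        if [ "$p1" -lt "$p2" ]; then return 0; fi
        if [ "$p1" -gt "$p2" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0                             # all components equal
}

# is_vulnerable FILESET LEVEL: succeed when LEVEL falls inside any of the
# vulnerable ranges listed for FILESET.
is_vulnerable() {
    want_fs=$1; have_lvl=$2
    printf '%s\n' "$VULN_RANGES" | while read -r rfs lower upper; do
        if [ "$rfs" != "$want_fs" ]; then continue; fi
        if version_le "$lower" "$have_lvl" && version_le "$have_lvl" "$upper"; then
            echo match
        fi
    done | grep -q match
}

# report_vulnerable LSLPP_OUTPUT: print one "fileset level VULNERABLE|ok"
# line per bos.net.tcp.* fileset found in the lslpp -L text; header and
# separator lines are skipped because their first field is not a fileset.
report_vulnerable() {
    printf '%s\n' "$1" | while read -r fs lvl rest; do
        case $fs in bos.net.tcp.*) ;; *) continue ;; esac
        if is_vulnerable "$fs" "$lvl"; then
            printf '%s %s VULNERABLE\n' "$fs" "$lvl"
        else
            printf '%s %s ok\n' "$fs" "$lvl"
        fi
    done
}

# count_vulnerable LSLPP_OUTPUT: print the number of vulnerable filesets.
count_vulnerable() {
    report_vulnerable "$1" | grep -c VULNERABLE || true
}

# With --live, check this system; otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    report_vulnerable "$(lslpp -L bos.net.tcp.client bos.net.tcp.server)"
else
    report_vulnerable "$SAMPLE_LSLPP"
fi
```

On a VIOS partition run `oem_setup_env` first, as the advisory notes, so that `lslpp` is on the path. A fileset reported ok only means it is outside the ranges in this advisory; a level above the upper bound is fixed, while a level below the lower bound belongs to a release not covered by this advisory.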
III. SOLUTION
A. FIXES
Fixes are now available. The fixes can be downloaded from:
http://aix.software.ibm.com/aix/efixes/security/bind9_ifix2.tar
The links above are to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.
AIX Level   VIOS Level   Fix
------------------------------------------------------
5.3.12                   IZ99391s00.110621.epkg.Z
6.1.4       2.1.2.0      IV01118s00.110530.epkg.Z
6.1.5       2.1.3.0      IV01118s00.110530.epkg.Z
6.1.6       2.2.0.0      IV01118s00.110530.epkg.Z
7.1.0                    IV01119s03.110531.epkg.Z
To extract the fixes from the tar file:
tar xvf bind9_ifix2.tar
cd bind9_ifix2
Verify you have retrieved the fixes intact:
The checksums below were generated using the "csum -h SHA1"
(sha1sum) commands and are as follows:
csum -h SHA1 (sha1sum) filename
------------------------------------------------------------------
5d023b2235ca9d57d0fd130f7110645fa50f063a IZ99391s00.110621.epkg.Z
3823bb9d423cc37652d6d4e79254cdc0cb7ef7ca IV01118s00.110530.epkg.Z
7db3c55c4cbbadcd40c87cf31bd91f96debea362 IV01119s03.110531.epkg.Z
To verify the sums, use the text of this advisory as input to
csum or sha1sum. For example:
csum -h SHA1 -i bind9_advisory2.asc
sha1sum -c bind9_advisory2.asc
These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security (see the contact information
below) and describe the discrepancy.
B. FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
Fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview fix installation (fix_name is the name of the fix package):
emgr -e fix_name -p
To install the fix package:
emgr -e fix_name -X
C. APARS
IBM has assigned the following APARs to this problem:
AIX Level   APAR number   Service pack date
--------------------------------------------------------
5.3.12      IV02022       10/21/11 sp5
6.1.4       IV02023       10/26/11 sp11
6.1.5       IV01118       10/21/11 sp7
6.1.6       IV02024       10/21/11 sp6
7.1.0       IV01119       11/16/11 sp4
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IV02022
http://www.ibm.com/support/docview.wss?uid=isg1IV02023
http://www.ibm.com/support/docview.wss?uid=isg1IV01118
http://www.ibm.com/support/docview.wss?uid=isg1IV02024
http://www.ibm.com/support/docview.wss?uid=isg1IV01119
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the service
pack when it becomes available.
IV. WORKAROUND
None
VI. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www.ibm.com/systems/support
and click on the "My notifications" link.
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to the AIX Security Team by e-mail (the address is
omitted from this copy of the advisory).
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to the AIX
Security Team (the address is omitted from this copy of the advisory).
B. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt
C. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
iD8DBQFOIHqd4fmd+Ci/qhIRAtQJAJ9PJpStXodXIXdokHxG9oNtmSTGsQCfWY9Y
FnH7Uy3WYdoGrFqmJLWvSbw=
=SylW
-----END PGP SIGNATURE-----