Updated bind packages fixing DoS attack available
| Advisory: | RHSA-2000:107-02 |
|---|---|
| Type: | Security Advisory |
| Severity: | N/A |
| Issued on: | 2000-11-16 |
| Last updated on: | 2000-11-16 |
| Affected Products: | |
| CVEs (cve.mitre.org): | CVE-2000-0887 CVE-2000-0888 |
Details
A remote DoS (denial of service) attack is possible with bind versions
prior to 8.2.2_P7.
2000-11-12: Added bind-devel, bind-utils packages to package list.
A bug in bind 8.2.2_P5 allows for a denial of service attack.
If named is open to zone transfers and recursive resolving, it will crash
after a ZXFR for the authoritative zone and a query of a remote hostname.
Solution
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
Disabling zone transfers to non-trusted hosts by adding
allow-transfer { trusted-hosts; };
to /etc/named.conf prevents the exploit from working on older releases;
however, this does not fix the problem.
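To confirm that the workaround above is actually active, the following script reports whether a named.conf restricts zone transfers. It is an added example, not part of the Red Hat advisory; it assumes `trusted-hosts` is an ACL defined in the same file, and the sample configuration and its 192.0.2.53 address are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a named.conf
# restricts zone transfers as the workaround above describes.

# Drop //, # and single-line /* */ comments so that a commented-out
# allow-transfer statement is not mistaken for an active one.
strip_comments() {
    sed -e 's|//.*||' -e 's|#.*||' -e 's|/\*.*\*/||g' "$1"
}

# Prints: missing    (no allow-transfer; named then serves transfers to any host)
#         open       (some allow-transfer statement lists "any")
#         restricted (every allow-transfer statement names specific hosts or ACLs)
transfer_policy() {
    stmts=$(strip_comments "$1" | tr '\n' ' ' |
        grep -o 'allow-transfer[[:space:]]*{[^}]*}' || true)
    if [ -z "$stmts" ]; then
        echo missing
    elif printf '%s\n' "$stmts" | grep -q '[{;[:space:]]any[[:space:]]*;'; then
        echo open
    else
        echo restricted
    fi
}

# Constructed sample: "trusted-hosts" is assumed to be an ACL, and
# 192.0.2.53 is a documentation address standing in for a secondary server.
sample_conf() {
    cat <<'EOF'
acl "trusted-hosts" { 192.0.2.53; };   // secondary name server
options {
    directory "/var/named";
    allow-transfer { trusted-hosts; };
};
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
echo "sample named.conf: $(transfer_policy "$tmp")"
rm -f "$tmp"
```

When allow-transfer appears only inside individual zone blocks, zones without their own statement fall back to the options setting, so those zones still need checking by hand.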
Updated packages
Bugs fixed (see bugzilla for more information)
20546 - bind 8.2.2-P5 remote DoS
References
https://www.redhat.com/security/data/cve/CVE-2000-0887.html
https://www.redhat.com/security/data/cve/CVE-2000-0888.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=20546
Keywords
security
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/