Security Advisory: Updated bind packages fixing DoS attack available

Advisory: RHSA-2000:107-02
Type: Security Advisory
Severity: N/A
Issued on: 2000-11-16
Last updated on: 2000-11-16
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2000-0887, CVE-2000-0888

Details

A remote DoS (denial of service) attack is possible with bind versions
prior to 8.2.2_P7.

2000-11-12: Added bind-devel, bind-utils packages to package list.

A bug in bind 8.2.2_P5 allows for a denial of service attack.
If named is open to zone transfers and recursive resolving, it will crash
after a ZXFR for the authoritative zone and a query of a remote hostname.


Solution

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.


Disabling zone transfers to non-trusted hosts by adding

allow-transfer { trusted-hosts; };

to /etc/named.conf prevents the exploit from working on older releases.
However, this does not fix the problem.
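
An added example, not part of the Red Hat advisory: a small Python check that lists the master and slave zones in a named.conf that any host may still transfer, since a zone with no allow-transfer in its own block or in options defaults to allowing all hosts. The function names, the sample configuration and its addresses are constructed for illustration. The parser handles only flat allow-transfer lists and does not expand named ACLs.

```python
import re

# Constructed sample named.conf, not from the advisory (192.0.2.0/24 = documentation range)
SAMPLE_CONF = r'''
acl "trusted-hosts" { 192.0.2.53; 192.0.2.54; };   // secondaries
options {
    directory "/var/named";
};
zone "example.com" { type master; file "example.com.db";
    allow-transfer { trusted-hosts; }; };
zone "example.net" { type master; file "example.net.db"; };
zone "example.org" { type master; file "example.org.db";
    allow-transfer { any; }; };
zone "." { type hint; file "named.ca"; };
'''

def strip_comments(text):
    """Remove /* */, // and # comments (assumes none occur inside strings)."""
    return re.sub(r'(//|#)[^\n]*', '', re.sub(r'/\*.*?\*/', '', text, flags=re.S))

def block_body(text, start):
    """Return the text inside the first brace-balanced block at/after start."""
    first = text.index('{', start)
    depth = 0
    for pos in range(first, len(text)):
        depth += {'{': 1, '}': -1}.get(text[pos], 0)
        if depth == 0:
            return text[first + 1:pos]
    raise ValueError('unbalanced braces in configuration')

def transfer_acl(body):
    """Entries of a flat allow-transfer list in body, or None if absent."""
    m = re.search(r'\ballow-transfer\s*\{([^}]*)\}', body)
    return m and [e.strip().strip('"') for e in m.group(1).split(';') if e.strip()]

def open_zones(conf):
    """Names of master/slave zones that any host may transfer."""
    conf = strip_comments(conf)
    opts = re.search(r'\boptions\s*\{', conf)
    default = transfer_acl(block_body(conf, opts.start())) if opts else None
    found = []
    for zone in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = block_body(conf, zone.start())
        if not re.search(r'\btype\s+(master|slave)\b', body):
            continue  # only master and slave zones are checked here
        acl = transfer_acl(body)
        acl = default if acl is None else acl  # zone setting overrides options
        if acl is None or 'any' in acl:  # no list at all means "any host"
            found.append(zone.group(1))
    return found
```

On the sample, example.net is reported because nothing restricts it and example.org because its own list names any; placing the allow-transfer line in the options block covers every zone that does not override it.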

Updated packages


Bugs fixed (see bugzilla for more information)

20546 - bind 8.2.2-P5 remote DoS


References


Keywords

security


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/