URGENT, PLEASE READ: 9.4.2-P1 now available

From: Evan Hunt (Evan_Huntisc.org)
Date: Tue Jul 08 2008 - 13:38:24 CDT


            BIND 9.4.2-P1 is now available.

    BIND 9.4.2-P1 is a SECURITY release of BIND 9.4.

  URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
  URGENT URGENT
  URGENT THIS ANNOUNCEMENT REFERS TO AN ISSUE THAT MAY AFFECT THE URGENT
  URGENT INTEGRITY OF YOUR RECURSIVE DNS SERVICE URGENT
  URGENT URGENT
  URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT

    Thanks to recent work by Dan Kaminsky of IOActive, ISC has become
    aware of a potential attack exploiting weaknesses in the DNS protocol
    itself to enable the poisoning of caching recursive resolvers with
    spoofed data.

    For additional information about this vulnerability, see US-CERT
    (CERT VU#800113 DNS Cache Poisoning Issue). For more details on
    changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.

    IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

    DNSSEC is the only definitive solution for this issue. Understanding
    that immediate DNSSEC deployment is not a realistic expectation, ISC
    is releasing patched versions of BIND that improve its resilience
    against this attack. The method used makes it harder to spoof answers
    to a resolver by expanding the range of UDP ports from which queries
    are sent by the nameserver, thereby increasing the variability of
    parameters in outgoing queries.

    The code implementing the improved defenses against spoofing attacks
    is the only change between this release and the underlying version
    (9.4.2).

    The patch will have a noticeable impact on the performance of BIND
    caching resolvers with query rates at or above 10,000 queries per
    second. If performance at this level is critical for you, please
    refer to the new beta releases of BIND (9.5.1b1 or 9.4.3b2; see
    separate announcements).

    YOU ARE ADVISED TO INSTALL EITHER THIS SECURITY PATCH OR ONE OF THE
    BETA RELEASES (9.5.1b1 or 9.4.3b2), IMMEDIATELY.

BIND 9.4.2-P1 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows 2000, Windows XP and Windows 2003 is at

        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and
Windows 2003 is at

        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip.sha512.asc
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip.sha512.asc

Changes since 9.4.2:

        --- 9.4.2-P1 released ---

2375. [security] Fully randomize UDP query ports to improve
                        forgery resilience. [RT #17949]

--
Evan Hunt -- evan_huntisc.org
Internet Systems Consortium, Inc.
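As an added illustration of the mitigation the announcement describes (not ISC code and not part of the original message), the following script does two things a resolver operator would want: it estimates how many blind spoofed replies are needed before one matches an outstanding query with and without source-port randomization, and it inspects a sample of outgoing UDP source ports to judge whether the resolver is actually randomizing them. The port samples are constructed; in practice they would come from a packet capture of the resolver's outgoing queries, and the thresholds in the check are assumptions.

```python
"""Forgery-odds estimate and source-port entropy check for a caching
resolver. Added example, not ISC code; port samples are constructed."""
import math

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def forgery_odds(port_space, txid_space=TXID_SPACE):
    """Probability that one blind spoofed reply matches both the transaction
    ID and the UDP source port of an outstanding query, plus the number of
    spoofed packets needed for a 50% chance of at least one match."""
    p = 1.0 / (port_space * txid_space)
    attempts_50 = math.log(0.5) / math.log(1.0 - p)
    return p, attempts_50


def port_entropy_report(ports):
    """Summarise a captured sample of outgoing UDP source ports.

    Returns (distinct, span, sequential_fraction, looks_randomized).
    A resolver pinned to one port yields distinct == 1; a kernel-assigned
    sequential range yields a high sequential fraction. Thresholds are
    assumptions chosen for a sample of a few dozen queries."""
    distinct = len(set(ports))
    span = max(ports) - min(ports) + 1
    seq = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    seq_frac = seq / max(1, len(ports) - 1)
    looks_random = distinct >= 0.9 * len(ports) and seq_frac < 0.1 and span > 1000
    return distinct, span, seq_frac, looks_random


# Constructed samples: fixed-port, kernel-sequential, and randomized resolvers.
FIXED_PORT_SAMPLE = [53] * 20
SEQUENTIAL_SAMPLE = list(range(32768, 32788))
RANDOM_SAMPLE = [49321, 1025, 61003, 17742, 8934, 58211, 30077, 44520,
                 2199, 64001, 12345, 37800, 52999, 24680, 9901, 41717,
                 60412, 15555, 33333, 47000]

if __name__ == "__main__":
    for label, space in (("fixed port", 1), ("randomized (~64k ports)", 64512)):
        p, n = forgery_odds(space)
        print(f"{label}: p={p:.2e} per packet, ~{n:,.0f} packets for 50%")
    for label, sample in (("fixed", FIXED_PORT_SAMPLE),
                          ("sequential", SEQUENTIAL_SAMPLE),
                          ("random", RANDOM_SAMPLE)):
        print(label, port_entropy_report(sample))
```

With only the 16-bit transaction ID as entropy, roughly 45,000 spoofed packets give even odds; adding ~64k possible source ports raises that to the order of billions, which is the "forgery resilience" the patch delivers short of DNSSEC.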