Yellow Dog Linux Security Advisory: YDU-20020810-3
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
Sat, 10 Aug 2002 01:17:03 -0600 (MDT)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: bind
Issue Date: August 10, 2002
Priority: high
Advisory ID: YDU-20020810-3
1. Topic:
Updated bind packages are available.
2. Problem:
"Various versions of the ISC BIND resolver libraries are vulnerable to a
buffer overflow attack. Updated BIND packages are now available to fix
this issue.
ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
various tools.
A buffer overflow vulnerability exists in multiple implementations of DNS
resolver libraries. Applications that utilize vulnerable DNS resolver
libraries may be affected. A remote attacker who is able to send malicious
DNS responses could potentially exploit this vulnerability to execute
arbitrary code or cause a denial of service on a vulnerable system.
[Yellow Dog] Linux does not ship with any applications or libraries that link
against the BIND resolver libraries; however, third party code may be
affected."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install bind
b) Updating manually...
Download the updates below for your version of Yellow Dog Linux
and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/bind-9.2.1-1.7x.2.3a.ppc.rpm
ppc/bind-devel-9.2.1-1.7x.2.3a.ppc.rpm
ppc/bind-utils-9.2.1-1.7x.2.3a.ppc.rpm
Yellow Dog Linux 2.2
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
ppc/bind-9.2.1-1.7x.2.2a.ppc.rpm
ppc/bind-devel-9.2.1-1.7x.2.2a.ppc.rpm
ppc/bind-utils-9.2.1-1.7x.2.2a.ppc.rpm
4. Verification
MD5 checksum                     Package
-------------------------------- ----------------------------
[Yellow Dog Linux 2.3]
68229e7e4d5d955343cd802dd03be546 ppc/bind-9.2.1-1.7x.2.3a.ppc.rpm
7ba7eb3a413ead0902434931f73bae57 ppc/bind-devel-9.2.1-1.7x.2.3a.ppc.rpm
b536136842ce6448c1f38977afbd73a9 ppc/bind-utils-9.2.1-1.7x.2.3a.ppc.rpm
cf77e6b8a856c9c79f2002d90b3fcb05 SRPMS/bind-9.2.1-1.7x.2.3a.src.rpm
[Yellow Dog Linux 2.2]
38337b682591493b1662f3dbbadb06a7 ppc/bind-9.2.1-1.7x.2.2a.ppc.rpm
234206c05a7c922a903aca3e493cf3ce ppc/bind-devel-9.2.1-1.7x.2.2a.ppc.rpm
efdd56e59b81736eae14004577e19910 ppc/bind-utils-9.2.1-1.7x.2.2a.ppc.rpm
db6e2f5d2b0a076eff4bba08f149be5b SRPMS/bind-9.2.1-1.7x.2.2a.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml