BIND: Incorrect signature verification — GLSA 200903-14

Incomplete verification of RSA and DSA certificates might lead to spoofed records authenticated using DNSSEC.

Affected packages

net-dns/bind on all architectures
Affected versions < 9.4.3_p1
Unaffected versions >= 9.4.3_p1

Background

ISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol.

Description

BIND does not properly check the return value of the OpenSSL functions it uses to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265) certificates.

Impact

A remote attacker could bypass validation of the certificate chain to spoof DNSSEC-authenticated records.
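As an added illustration (not code from the advisory, from BIND or from OpenSSL), the return-value mistake the description refers to: OpenSSL's signature-verification calls return 1 for a valid signature, 0 for an invalid one and -1 on error, so a check of the form `ret != 0` accepts the error case as a valid signature. The `stub_verify` function below is a constructed stand-in for the library call and the signature bytes are made up; only the three-valued return convention is real.

```c
#include <stdio.h>
#include <string.h>

/* Return convention of OpenSSL's DSA_verify()/RSA_verify()-style calls:
 *   1  -> signature verified
 *   0  -> signature did not verify
 *  -1  -> error (for example a malformed signature encoding) */
#define VERIFY_OK      1
#define VERIFY_BAD     0
#define VERIFY_ERROR  -1

/* Constructed sample inputs (not real signatures). */
const unsigned char kGoodSig[] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02};
const unsigned char kBadSig[]  = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x03};
const unsigned char kJunkSig[] = {0xff};   /* malformed: no DER SEQUENCE tag */

/* Constructed stand-in for the library call (NOT OpenSSL or BIND code).
 * A malformed encoding takes the error path, a mismatch the failure path. */
static int stub_verify(const unsigned char *sig, size_t siglen,
                       const unsigned char *expected, size_t explen)
{
    if (sig == NULL || siglen == 0 || sig[0] != 0x30)
        return VERIFY_ERROR;
    if (siglen != explen || memcmp(sig, expected, siglen) != 0)
        return VERIFY_BAD;
    return VERIFY_OK;
}

/* Vulnerable pattern: any non-zero return counts as success, so the -1
 * error path is accepted as if the signature had verified. */
int vulnerable_accepts(const unsigned char *sig, size_t siglen,
                       const unsigned char *expected, size_t explen)
{
    return stub_verify(sig, siglen, expected, explen) != 0;
}

/* Hardened pattern: only an explicit 1 means the signature verified. */
int hardened_accepts(const unsigned char *sig, size_t siglen,
                     const unsigned char *expected, size_t explen)
{
    return stub_verify(sig, siglen, expected, explen) == 1;
}

int main(void)
{
    printf("vulnerable check accepts malformed signature: %d\n",
           vulnerable_accepts(kJunkSig, sizeof kJunkSig, kGoodSig, sizeof kGoodSig));
    printf("hardened check accepts malformed signature:   %d\n",
           hardened_accepts(kJunkSig, sizeof kJunkSig, kGoodSig, sizeof kGoodSig));
    return 0;
}
```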

Workaround

There is no known workaround at this time.

Resolution

All BIND users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p1"

Release date
March 09, 2009

Latest revision
March 09, 2009: 01

Severity
normal

Exploitable
remote
