Incomplete verification of RSA and DSA certificates might lead to spoofed records authenticated using DNSSEC.
Package | net-dns/bind on all architectures |
---|---|
Affected versions | < 9.4.3_p1 |
Unaffected versions | >= 9.4.3_p1 |
ISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol.
BIND does not properly check the return value from the OpenSSL functions to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265) certificates.
A remote attacker could bypass validation of the certificate chain to spoof DNSSEC-authenticated records.
There is no known workaround at this time.
All BIND users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p1"