On Jan 7, 2009, at 2:32 PM, rob_aust...@isc.org wrote:
> Internet Systems Consortium Security Advisory.
> BIND: EVP_VerifyFinal() and DSA_do_verify() return checks.
> 7 January 2009
>
> Versions affected:
> BIND 9.0 (all versions)
> BIND 9.1 (all versions)
> BIND 9.2 (all versions)
> BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6
> BIND 9.4.0, 9.4.1, 9.4.2, 9.4.3
> BIND 9.5.0, 9.5.1
> BIND 9.6.0
>
> Severity: Low.
>
> Description:
> Return values from OpenSSL library functions EVP_VerifyFinal()
> and DSA_do_verify() were not checked properly.
>
> Impact:
> It is theoretically possible to spoof answers returned from
> zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).
>
> <snip>
Would someone be able to provide some more details as to what
particular configurations of BIND this affects? My interpretation is
it only impacts recursive nameservers that have DNSSEC validation
enabled. Speaking in terms of BIND config options, the
dnssec-validation option would need to be set to yes (so just having
the default of dnssec-enable set to yes isn't enough to make the server
vulnerable). Is this a correct interpretation?
Thanks,
Dave Coulthart
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
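The advisory's "return values ... were not checked properly" refers to the three-way result these OpenSSL verify calls can give (1 valid, 0 invalid, negative on library error). The following is an added illustration, not ISC's or OpenSSL's code, and it does not link against OpenSSL: it models that return convention with constructed values and contrasts a check that merely rejects 0 (the assumed flawed pattern) with one that accepts only 1.

```c
/* Added example: models the documented return convention of OpenSSL's
 * EVP_VerifyFinal() / DSA_do_verify() (1 = signature valid, 0 = signature
 * invalid, negative = library error) and contrasts a lax check with a
 * strict one. Not ISC's or OpenSSL's code; builds without OpenSSL. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

enum sig_status { SIG_VALID, SIG_INVALID, SIG_ERROR };

/* Classify a raw return code from a verify function. */
enum sig_status classify(int rc)
{
    if (rc == 1) return SIG_VALID;
    if (rc == 0) return SIG_INVALID;
    return SIG_ERROR; /* negative: the library could not reach a verdict */
}

/* Assumed flawed pattern: "non-zero means success". A negative error
 * code (e.g. from a malformed signature) is mistaken for a valid one. */
bool accept_buggy(int rc)
{
    return rc != 0;
}

/* Correct pattern: only the documented success value counts as verified. */
bool accept_fixed(int rc)
{
    return classify(rc) == SIG_VALID;
}

/* A DNSSEC validator treats an RRset as secure when at least one of its
 * RRSIGs verifies; reduce per-RRSIG return codes with the supplied check. */
bool rrset_secure(const int *rcs, size_t n, bool (*accept)(int))
{
    for (size_t i = 0; i < n; i++)
        if (accept(rcs[i])) return true;
    return false;
}

int main(void)
{
    /* Constructed sample: one bad signature (0) and one malformed
     * signature on which the library reports an error (-1). */
    const int rcs[] = { 0, -1 };
    size_t n = sizeof rcs / sizeof rcs[0];
    printf("lax check:    %s\n", rrset_secure(rcs, n, accept_buggy) ? "secure (wrong)" : "bogus");
    printf("strict check: %s\n", rrset_secure(rcs, n, accept_fixed) ? "secure" : "bogus");
    return 0;
}
```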