Glen Lumanau

BIND DNSSEC incorrect checks for malformed signatures

The DSA_do_verify() function from OpenSSL is used to determine if a
DSA digital signature is valid.  When DNSSEC is used within BIND it
uses DSA_do_verify() to verify DSA signatures, but checks the function
return value incorrectly.

How to upgrade it?

FreeBSD 6.3, 6.4, 7.0, 7.1 systems

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

c) Install and use a fixed version of BIND from the FreeBSD Ports
Collection.

Debian / Ubuntu

Just do these steps

# apt-get update

# apt-get dist-upgrade

• » A message “ ‘sys_errlist’ is deprecated; use ‘strerror’ or ‘strerror_r’ instead ”
• » Debian GNU/Linux 5.0 updated
• » Debian GNU/Linux 5.0 released
• » Global Load Balancing Like Google Does
• » Nginx.net is using an Old Version?