Glen Lumanau » dsa http://lumanau.web.id About Glen Lumanau Fri, 23 Jul 2010 10:08:00 +0000 hourly 1 http://wordpress.org/?v=3.0 BIND DNSSEC incorrect checks for malformed signatures http://lumanau.web.id/2009/01/14/bind-dnssec-incorrect-checks-for-malformed-signatures.html http://lumanau.web.id/2009/01/14/bind-dnssec-incorrect-checks-for-malformed-signatures.html#comments Wed, 14 Jan 2009 09:30:03 +0000 admin http://www.lumanau.web.id/?p=140 The DSA_do_verify() function from OpenSSL is used to determine if a
DSA digital signature is valid.  When DNSSEC is used within BIND it
uses DSA_do_verify() to verify DSA signatures, but checks the function
return value incorrectly.

How to upgrade it?

FreeBSD 6.3, 6.4, 7.0, 7.1 systems

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

c) Install and use a fixed version of BIND from the FreeBSD Ports
Collection.

Debian / Ubuntu

Just do these steps

# apt-get update

# apt-get dist-upgrade


]]> http://lumanau.web.id/2009/01/14/bind-dnssec-incorrect-checks-for-malformed-signatures.html/feed 0