FSA/F7/FEDORA-2007-1247

[SECURITY] Fedora 7 Update: bind-9.4.1-7.P1.fc7
Fedora Update Notification FEDORA-2007-1247 2007-07-24 22:15:28.360859

Name       : bind Product    : Fedora 7 Version    : 9.4.1 Release    : 7.P1.fc7 Summary    : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server. Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Update Information:

- CVE-2007-2925 - allow-query-cache/allow-recursion default acls not set - workaround - disable recursion or explicitly set allow-query-cache and allow-recursion acls

- CVE-2007-2926 - cryptographically weak query id generator - 1 in 8 chance of guessing the next query id for 50% of the query ids - allows cache-poisoning type of attack, no workaround, affect only outgoing queries

ChangeLog:

- updated to latest upstream (contains fixes for CVE-2007-2925 and CVE-2007-2926) - minor changes in caching-nameserver configuration - major changes in default caching-nameserver configuration (configuration could now honor RFCs, #243565) - added /var/named/dynamic directory. This directory is primary designed for dynamic DNS zones. In future releases named could write only into dynamic, data and slaves directories - start using deprecated ldap API - fix minor bug in bind-chroot-admin (#241103) - fixed bind-chroot-admin dynamic DNS handling (#239149) - rewrited ldap backend to latest API (#239802) - updated zone-freeze patch to latest upstream - test build on new build system - updated to 9.4.1 which contains fix to CVE-2007-2241 - improved "zone freeze patch" - if multiple zone with same name exists no zone is freezed - minor cleanup in caching-nameserver's config file - fixed race-condition in dbus code (#235809) - added forgotten restorecon statement in bind-chroot-admin - removed DEBUGINFO option because with this option (default) was bind builded with -O0 and without this flag no debuginfo package was produced. (I want faster bind => -O2 + debuginfo) - fixed zone finding (#236426)
 * Tue Jul 24 2007 Adam Tkac 31:9.4.1-7.P1.fc7
 * Thu Jun 21 2007 Adam Tkac 31:9.4.1-6.1.fc7
 * Mon Jun 18 2007 Adam Tkac 31:9.4.1-6.fc7
 * Tue Jun 5 2007 Adam Tkac 31:9.4.1-5.fc7
 * Thu May 24 2007 Adam Tkac 31:9.4.1-4.fc7
 * Tue May 15 2007 Adam Tkac 31:9.4.1-3.fc7
 * Mon May 7 2007 Adam Tkac 31:9.4.1-2.fc7
 * Wed May 2 2007 Adam Tkac 31:9.4.1-1.fc7
 * Fri Apr 27 2007 Adam Tkac 31:9.4.0-8.fc7
 * Tue Apr 17 2007 Adam Tkac 31:9.4.0-7.fc7

References:

[ 1 ] CVE-2007-2925 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925 [ 2 ] CVE-2007-2926 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926

Updated packages:

5c712060807e3985fe3d87d9bb9cf162a5cce1ed bind-utils-9.4.1-7.P1.fc7.ppc64.rpm 1f360e332c0a59a9ec5c72519a84d4d291dbe57a caching-nameserver-9.4.1-7.P1.fc7.ppc64.rpm 37733efde8386846d18fb0cdfe5bbda97ab00de8 bind-debuginfo-9.4.1-7.P1.fc7.ppc64.rpm de4a504275e252eee4e45a41f421e35a6d86f249 bind-chroot-9.4.1-7.P1.fc7.ppc64.rpm 36cabeb0d6cbb690e5c8d95ab400a47e215a3b72 bind-sdb-9.4.1-7.P1.fc7.ppc64.rpm d421e2d1a07864d25e6611445cbdcb315b130423 bind-devel-9.4.1-7.P1.fc7.ppc64.rpm 01fadba5b6875830f47fc84dd3554b547ea84f3c bind-libs-9.4.1-7.P1.fc7.ppc64.rpm cabe07e4b5912c5faebe3b36671a727f53dd6b6e bind-9.4.1-7.P1.fc7.ppc64.rpm ffe3bd57bb56ff8631c5c61a5b31fafed516f648 bind-libs-9.4.1-7.P1.fc7.i386.rpm 3ea3beb0b04fc255d09ae2bca927ba73cccc03a4 caching-nameserver-9.4.1-7.P1.fc7.i386.rpm 2490ed2156eae86acf85cfcddc0c684cce8b8b0e bind-sdb-9.4.1-7.P1.fc7.i386.rpm 9931918e4d54ea74527a99b614d3969a8bf0b3fb bind-utils-9.4.1-7.P1.fc7.i386.rpm e94f1dc72d6211ea634a25ae8b328e1518a9d6f3 bind-chroot-9.4.1-7.P1.fc7.i386.rpm 82478697d8f95cc857ae9f8e2f6dff5022234a3c bind-devel-9.4.1-7.P1.fc7.i386.rpm d01e36d4e54b6b7f728c9d9ba3dc1d4c5525ded5 bind-9.4.1-7.P1.fc7.i386.rpm d536a1fc5f0a8c0efb3d8728b2ac0c3248b36c2d bind-debuginfo-9.4.1-7.P1.fc7.i386.rpm e8c173577d6bb31e22b114ad27965699d9e04b64 bind-chroot-9.4.1-7.P1.fc7.x86_64.rpm 9b8e09f2f21103ef8c1c634d4686e25c872a3252 bind-9.4.1-7.P1.fc7.x86_64.rpm 7cc1e01f58ec4fe18789ae6b3e7bfed864b23300 bind-libs-9.4.1-7.P1.fc7.x86_64.rpm fb57380ada5aaa89f967eccec79ec7b1d2bae344 caching-nameserver-9.4.1-7.P1.fc7.x86_64.rpm 3e44c0953023abb963f2523b0d715bfc8e051dcf bind-devel-9.4.1-7.P1.fc7.x86_64.rpm a8d2153932fb9b28f6b3a47161ee7093efb32853 bind-utils-9.4.1-7.P1.fc7.x86_64.rpm cca1dc2828e3dce9d0b88e76bb69f47695daded4 bind-sdb-9.4.1-7.P1.fc7.x86_64.rpm 2f8be4b4dceca242a89f293914b76857e24c2a43 bind-debuginfo-9.4.1-7.P1.fc7.x86_64.rpm 936f0b236d97edd54218621de08c48af6c17df99 bind-chroot-9.4.1-7.P1.fc7.ppc.rpm 285395a3ce5d75a7c151fd4898f9b6f28a7c5332 bind-libs-9.4.1-7.P1.fc7.ppc.rpm 5e0b936a7b7052458014141157538151657a9450 bind-utils-9.4.1-7.P1.fc7.ppc.rpm 6276246b7705451b37aa07af4154c519d13bf013 bind-sdb-9.4.1-7.P1.fc7.ppc.rpm 92773e2443e3e78c2d558aa62c2238aafeb1686e bind-9.4.1-7.P1.fc7.ppc.rpm 73a68fce29b6cb196edd7aa51c027b6244d52a78 bind-debuginfo-9.4.1-7.P1.fc7.ppc.rpm 16133ef220ff4ee7d2dea97e3fcd9803e6254bc5 caching-nameserver-9.4.1-7.P1.fc7.ppc.rpm e0c13966f4816e8effe7b3328e752cc73cc6a290 bind-devel-9.4.1-7.P1.fc7.ppc.rpm 15dd69053b9e5b16a70ddca1a5c4099d3b192648 bind-9.4.1-7.P1.fc7.src.rpm

This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://docs.fedoraproject.org/yum/.