-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:002
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : bind
Date    : January 16, 2014
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in ISC BIND:

The query_findclosestnsec3 function in query.c in named in ISC BIND
9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV
before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of
service (INSIST assertion failure and daemon exit) via a crafted DNS
query to an authoritative nameserver that uses the NSEC3 signing
feature (CVE-2014-0591).

The updated packages for Enterprise Server 5 have been patched to
correct this issue.

The updated packages for Business Server 1 have been upgraded to the
9.9.4-P2 version which is unaffected by this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591
https://kb.isc.org/article/AA-01078
https://kb.isc.org/article/AA-01085
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
f07d5f3ac358e1743df18afed1717a8e  mes5/i586/bind-9.7.6-0.0.P4.0.4mdvmes5.2.i586.rpm
b4a3f965f352c259f96d8227cec681a7  mes5/i586/bind-devel-9.7.6-0.0.P4.0.4mdvmes5.2.i586.rpm
d0e1b881d0a194016cd9bf34a048d43a  mes5/i586/bind-doc-9.7.6-0.0.P4.0.4mdvmes5.2.i586.rpm
8fb9e05df2d851d81c0389bc3c31da1d  mes5/i586/bind-utils-9.7.6-0.0.P4.0.4mdvmes5.2.i586.rpm
84f05e71c5c8528b047f5e6a7369725d  mes5/SRPMS/bind-9.7.6-0.0.P4.0.4mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
1b5dd9dd06157dd5c21cdf670bc3e797  mes5/x86_64/bind-9.7.6-0.0.P4.0.4mdvmes5.2.x86_64.rpm
b6f965498072c61f71edbb9da9fce67e  mes5/x86_64/bind-devel-9.7.6-0.0.P4.0.4mdvmes5.2.x86_64.rpm
2f41ab96b58d6a65ebb1d57a09c154d6  mes5/x86_64/bind-doc-9.7.6-0.0.P4.0.4mdvmes5.2.x86_64.rpm
258a8571aa242fb3639e024f1d2de04c  mes5/x86_64/bind-utils-9.7.6-0.0.P4.0.4mdvmes5.2.x86_64.rpm
84f05e71c5c8528b047f5e6a7369725d  mes5/SRPMS/bind-9.7.6-0.0.P4.0.4mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
c7d43337e79c3df8b8d7d9c660980976  mbs1/x86_64/bind-9.9.4.P2-1.mbs1.x86_64.rpm
e661e92dd4d9303abb2dd02302e40d63  mbs1/x86_64/bind-devel-9.9.4.P2-1.mbs1.x86_64.rpm
1817848454e6f818f41a9af1470df044  mbs1/x86_64/bind-doc-9.9.4.P2-1.mbs1.noarch.rpm
ab9be5f0d0a4dd2f75a71320dd66583b  mbs1/x86_64/bind-sdb-9.9.4.P2-1.mbs1.x86_64.rpm
b3b4f0118e1dcaf7da30a539288851aa  mbs1/x86_64/bind-utils-9.9.4.P2-1.mbs1.x86_64.rpm
66f817dea364f1836b3157b7c5bb5936  mbs1/SRPMS/bind-9.9.4.P2-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFS19PXmqjQ0CJFipgRAlvDAKCfB8gBJ4wSJZFwJ3r7Iye2VcTxNwCghMOe
WYOjvvewlxsdbQRo4CNrQ2o=
=nLE0
-----END PGP SIGNATURE-----
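
The affected ranges in the problem description can be turned into an inventory check. The following Python is an added example, not part of the Mandriva advisory and not ISC or Mandriva code; the function names and the version strings used to exercise it are constructed, and pre-release strings (betas, release candidates) are deliberately left unparsed. It reports a package whose name-version-release matches one of the advisory's updated builds as patched even when its upstream version falls in an affected range, which is the case for the Enterprise Server 5 backport.

```python
import re

# Updated builds copied from the advisory's package list (name-version-release).
# Exact match only: later distro builds need a real RPM version comparison.
PATCHED_BUILDS = {
    "bind-9.7.6-0.0.P4.0.4mdvmes5.2",   # Enterprise Server 5, backported fix
    "bind-9.9.4.P2-1.mbs1",             # Business Server 1, upgraded upstream
}

# Branches with a fixed release named in the advisory: (patch, P-level).
FIRST_FIXED = {8: (6, 2), 9: (4, 2)}    # 9.8.6-P2 and 9.9.4-P2
ESV_FIRST_FIXED = (10, 2)               # 9.6-ESV-R10-P2

_STD = re.compile(r"^9\.(\d+)\.(\d+)(?:-P(\d+))?$")
_ESV = re.compile(r"^9\.6-ESV(?:-R(\d+))?(?:-P(\d+))?$")


def classify_upstream(version):
    """Classify an upstream BIND version against the CVE-2014-0591 ranges."""
    m = _ESV.match(version)
    if m:
        rel = (int(m.group(1) or 0), int(m.group(2) or 0))
        return "affected" if rel < ESV_FIRST_FIXED else "not-affected"
    m = _STD.match(version)
    if not m:
        return "unparsed"            # e.g. betas and RCs: review by hand
    minor, patch, plevel = (int(g or 0) for g in m.groups())
    if minor in (6, 7):
        return "affected"            # listed without any fixed release
    if minor in FIRST_FIXED:
        fixed = FIRST_FIXED[minor]
        return "affected" if (patch, plevel) < fixed else "not-affected"
    return "not-listed"              # branch not mentioned in the advisory


def classify_host(upstream_version, package_nvr=None):
    """Prefer the distro build: a backport keeps an 'affected' upstream version."""
    if package_nvr in PATCHED_BUILDS:
        return "patched-build"
    return classify_upstream(upstream_version)
```

Feed it the version that named reports together with the installed package name from the package manager; the upstream string alone cannot distinguish a backported fix from a vulnerable build.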