Search This Blog

Wednesday, December 23, 2009

[SECURITY] [DSA 1963-1] New unbound packages fix DNSSEC validation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1963-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
December 23, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : unbound
Vulnerability : cryptographic implementation error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3602

It was discovered that Unbound, a DNS resolver, does not properly
check cryptographic signatures on NSEC3 records. As a result, zones
signed with the NSEC3 variant of DNSSEC lose their cryptographic
protection. (An attacker would still have to carry out an ordinary
cache poisoning attack to add bad data to the cache.)

The old stable distribution (etch) does not contain an unbound
package.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.2-1+lenny1.

For the unstable distribution (sid) and the testing distribution
(squeeze), this problem has been fixed in version 1.3.4-1.

We recommend that you upgrade your unbound package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2.orig.tar.gz
Size/MD5 checksum: 3597275 01b08a9c0d24be981de64b6e4e25ecbe
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1.diff.gz
Size/MD5 checksum: 11066 b003007bc954f8877791de9e22c3c146
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1.dsc
Size/MD5 checksum: 1436 9e83801b9223c4ac8535243f880044a8

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_alpha.deb
Size/MD5 checksum: 320244 9482874b056753f0082025d8735643f5
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_alpha.deb
Size/MD5 checksum: 12738 034c9f659508551082c0411307b9c502
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_alpha.deb
Size/MD5 checksum: 215888 4cd1a8ae7cfb61d917b99267746f1877
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_alpha.deb
Size/MD5 checksum: 381560 d89de99e20d73980efb5031fe70f06ff

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_amd64.deb
Size/MD5 checksum: 200256 a7c7cd577f7271a63abac791dbf1469b
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_amd64.deb
Size/MD5 checksum: 358126 86bab87ab0f5d5cdb94057dc9bc4ea2d
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_amd64.deb
Size/MD5 checksum: 12266 babd3fec31c85a5ff91080e44504a4cf
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_amd64.deb
Size/MD5 checksum: 235494 e7e814a39e5524c8e64134cdbfd4dce9

arm architecture (ARM)

http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_arm.deb
Size/MD5 checksum: 11892 139bd5b0186a6187c6a8283330bff6ae
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_arm.deb
Size/MD5 checksum: 179624 44c9d6c40987ea1d02f70615f4bf1d6d
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_arm.deb
Size/MD5 checksum: 210562 c81ae06d74c86ca42d85481065fa7133
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_arm.deb
Size/MD5 checksum: 334640 f5693d14213e4118eec1b93d29e13e2f

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_armel.deb
Size/MD5 checksum: 331972 00e1c301c73ea80752c6d2f93e3ac521
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_armel.deb
Size/MD5 checksum: 178740 f39e019eee3b4c54380d9a065f9a2621
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_armel.deb
Size/MD5 checksum: 11850 0726a83164dee4ee7abac8101249bf1a
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_armel.deb
Size/MD5 checksum: 209640 904f538ef4d6c3b2ee199c255fd7bbc5

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_hppa.deb
Size/MD5 checksum: 207560 af33e156e79347ed6d7b791b4f257524
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_hppa.deb
Size/MD5 checksum: 260268 27d99bddc430f56a283897bbfbbbbafe
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_hppa.deb
Size/MD5 checksum: 377250 8887398b373794cdbe669c2ecf41ad39
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_hppa.deb
Size/MD5 checksum: 12810 d5686532a7612faaf4b1de58957bb7c4

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_i386.deb
Size/MD5 checksum: 11938 0431937c6253cedf452ddb0227f93cb2
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_i386.deb
Size/MD5 checksum: 186228 9e1c7aa0b3b5c43435a0a3d402ddc062
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_i386.deb
Size/MD5 checksum: 207836 933044378c345e44d57b95ae6aaebee5
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_i386.deb
Size/MD5 checksum: 333658 777eb04b75e53b2eeeb83446cc91313c

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_ia64.deb
Size/MD5 checksum: 495470 2fbc1a857aab0008d3397f6cffe0d6e0
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_ia64.deb
Size/MD5 checksum: 336702 8b5bdaac3cfd2f6f932d2751b025a2af
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_ia64.deb
Size/MD5 checksum: 14356 d81133f39d102425ab8860751e50d5bd
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_ia64.deb
Size/MD5 checksum: 270068 2e6860fdf2c35adbd8d36bd671e2a6ac

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_mips.deb
Size/MD5 checksum: 363468 e52ee62e28ec76119133aa85751cad82
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_mips.deb
Size/MD5 checksum: 258186 d7a48e7895f10d5daae90756e1f992af
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_mips.deb
Size/MD5 checksum: 184786 e8b44c5bf399601e7b361241d6e75ea4
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_mips.deb
Size/MD5 checksum: 11994 fa14dcef4206f545162eadb5e5105966

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_mipsel.deb
Size/MD5 checksum: 255822 c3c2c805745d627df87db1d042641445
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_mipsel.deb
Size/MD5 checksum: 12040 993713e7f0fa831dd703ffd626e1d60e
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_mipsel.deb
Size/MD5 checksum: 182534 1d279a306fb2a9e7f3de110c846104aa
http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_mipsel.deb
Size/MD5 checksum: 359236 3d3342777414135d94d26190da032d6c

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_powerpc.deb
Size/MD5 checksum: 359150 ffadb6a8602493bb90eae81cdc88506d
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_powerpc.deb
Size/MD5 checksum: 240514 ac86e3a4653450b6e7b790484dec5eea
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_powerpc.deb
Size/MD5 checksum: 207604 104ee743c6be3bde389386f9ee99ccf9
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_powerpc.deb
Size/MD5 checksum: 14950 4ac8e2623b5f69213f52184a94927aca

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_s390.deb
Size/MD5 checksum: 375566 b4a618cde1434867d7d3f4c51b15588b
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_s390.deb
Size/MD5 checksum: 207636 1af11fd95321e6a1e36c0217a6891b55
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_s390.deb
Size/MD5 checksum: 233232 9d239915eab5a7ac94dc45c900225ae7
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_s390.deb
Size/MD5 checksum: 12728 6245613210b76778257906493903c47b

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/u/unbound/unbound_1.0.2-1+lenny1_sparc.deb
Size/MD5 checksum: 330738 12513df68b7e408cdad4863629d08ed4
http://security.debian.org/pool/updates/main/u/unbound/libunbound-dev_1.0.2-1+lenny1_sparc.deb
Size/MD5 checksum: 218752 25f95e3756644e92c950e0d8248ba541
http://security.debian.org/pool/updates/main/u/unbound/libunbound0_1.0.2-1+lenny1_sparc.deb
Size/MD5 checksum: 184136 4177a529c2c6fc422cbb74863390370b
http://security.debian.org/pool/updates/main/u/unbound/unbound-host_1.0.2-1+lenny1_sparc.deb
Size/MD5 checksum: 12356 4d4e6d0c96e7263372c233368cc4f69a


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJLMn9jAAoJEL97/wQC1SS+CZsIAIQgjzxh2pJ1NBCMyxMO7V1C
UecemslFDwpfgoCgT1+sHzvO9yi4CDgUcdo+t4PFCaemnTuvWcuRA3Ld9vWgPWgP
1cSfZ9iSqJUqtw47eMpsZ+5LCpgbyY27ceY/PueTTq304jz+FbUixlHuwSiQFte6
WIpnSGvfCJYvKdqulzOj2WdpqPjp+KysXJXIBFqUiXN+HIeSwKtMq2yN5eQr5MRe
+B9Ci/fu00mjjSefGZ6gN/A09lb6ihh3F+sJesdxIXgBV0l147roIWpnFdY7pERO
CmtIeD3cMlJFRv88jgbVg2fbEwHevHnoLABghC3SbbHNmL8PY3N2GrZsxBvB4RI=
=rD/O
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: