Bug 557983 (CVE-2010-0382)

Summary: CVE-2010-0382 bind: out-of-bailiwick data vulnerability due to regression while fixing CVE-2009-4022
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: atkac, dwalsh, qe-baseos-daemons
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0382
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-25 17:46:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 555119    
Bug Blocks:    

Description Vincent Danen 2010-01-22 23:15:17 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0382 to
the following vulnerability:

Name: CVE-2010-0382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0382
Assigned: 20100122
Reference: CONFIRM: https://www.isc.org/advisories/CVE-2009-4022v6

ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before
9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick
data accompanying a secure response without re-fetching from the
original source, which allows remote attackers to have an unspecified
impact via a crafted response, aka Bug 20819.  NOTE: this vulnerability
exists because of a regression during the fix for CVE-2009-4022
Comment 1 Vincent Danen 2010-01-22 23:26:53 UTC 
I'm unsure whether this got fixed along with CVE-2010-0290 (bug #557121) because that bug is also due to a regression of CVE-2009-4022.  The upstream advisory states:

2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737]

2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. (Regression bug introduced by fix for RT #20438) [RT #20819] 

So it's listing it as two separate issues (2828 would correspond with CVE-2010-0290) which is probably why MITRE assigned two CVEs.  What is unclear is whether or not the fix we used for CVE-2010-0290 also corrects this issue.
Comment 2 Adam Tkac 2010-01-25 08:35:17 UTC 
This issue is fixed together with CVE-2010-0290 (bug #557121). Updated packages are already released (for RHEL5).
Comment 3 Vincent Danen 2010-01-25 17:46:54 UTC 
Thanks for that confirmation Adam.

This issue is then resolved via RHSA-2010:0062:

https://rhn.redhat.com/errata/RHSA-2010-0062.html