
Bug 454852

Summary: Default caching-nameserver configuration blocks fixes for CVE-2008-1447 (rhel-5)
Product: Red Hat Enterprise Linux 5
Reporter: Nigel Metheringham <nigel>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED ERRATA
Severity: urgent
Priority: high
Version: 5.2
CC: ovasik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-10 19:58:08 UTC

Description Nigel Metheringham 2008-07-10 07:46:42 UTC
CVE-2008-1447 mitigation requires that the source port for DNS queries
be randomized to make an attack more difficult.

The caching name server config file contains the following lines near
the top:
   options {
        ...
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { localhost; };
   };

The query-source directives prevent the randomization of the sender port.

This causes warnings to be produced in the log file.


Version-Release number of selected component (if applicable):
  Version     : 9.3.4
  Release     : 6.0.1.P1.el5_2

Comment 1 Tomas Hoger 2008-07-10 08:11:53 UTC
caching-nameserver is built from bind source RPM in Red Hat Enterprise Linux 5
-> moving to proper component.

Comment 4 Adam Tkac 2008-07-10 10:06:41 UTC
You are right. Btw, those options have been in the configuration file since 5.0, but it is
far better to drop them. Thanks for your report.

Comment 6 Mark J. Cox 2008-07-10 11:26:27 UTC
We plan to reissue the RHEL 5.0 packages to include a fix for this issue.  We
are treating this as an emergency exception, and the packages will be released
as soon as they have cleared our standard QE and release processes.

Comment 9 Mark J. Cox 2008-07-10 19:58:08 UTC
[Updated 10th July 2008]
We have updated the Enterprise Linux 5 BIND packages. The
default and sample caching-nameserver configuration files have been updated
so that they do not specify a fixed query-source port. Administrators
wishing to take advantage of randomized UDP source ports should check their
configuration file to ensure they have not specified fixed query-source ports.

https://rhn.redhat.com/errata/RHSA-2008-0533.html
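The report above shows the two query-source directives that pin named's UDP source port to 53, and the erratum notice in Comment 9 tells administrators to check their own configuration for the same thing. The following is an added example, not code from the bug report or from the Red Hat packages: a small POSIX shell script that finds fixed-port query-source directives in a named.conf and emits a corrected copy. The sample configuration embedded in it is constructed to mirror the caching-nameserver options quoted in the description; the temporary file path is hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the RHEL packages): detect and
# remove fixed query-source ports from a BIND named.conf so that named can
# pick a random UDP source port for every query (the CVE-2008-1447 mitigation).

# Constructed sample mirroring the RHEL 5 caching-nameserver defaults
# quoted in the report: both directives pin the source port to 53.
SAMPLE_CONF='options {
        directory "/var/named";
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { localhost; };
};'

# List query-source / query-source-v6 lines that name a numeric port.
# "port *" is deliberately not matched: it asks named for a random port.
# Exit status 0 when at least one fixed-port directive is present.
fixed_query_source_ports() {
    grep -En '^[[:space:]]*query-source(-v6)?[[:space:]].*port[[:space:]]+[0-9]+[[:space:]]*;' "$1"
}

# Print a copy of the config with the fixed ports removed:
#  - a directive that only sets a port is dropped entirely;
#  - a directive that also sets an address keeps the address, loses the port.
drop_fixed_query_source_ports() {
    sed -E \
        -e '/^[[:space:]]*query-source(-v6)?[[:space:]]+port[[:space:]]+[0-9]+[[:space:]]*;/d' \
        -e 's/^([[:space:]]*query-source(-v6)?[[:space:]]+address[[:space:]]+[^[:space:];]+)[[:space:]]+port[[:space:]]+[0-9]+[[:space:]]*;/\1;/' \
        "$1"
}

# Number of fixed-port directives, for use in scripts (0 means clean).
count_fixed_query_source_ports() {
    fixed_query_source_ports "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample (hypothetical temp path).
conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
echo "fixed query-source ports in $conf:"
fixed_query_source_ports "$conf" || echo "  none"
echo "--- corrected ---"
drop_fixed_query_source_ports "$conf"
rm -f "$conf"
```

Run the corrected output through `named-checkconf` before installing it and reloading named. Removing the directives is only half the check: a stateful firewall or NAT device in front of the resolver can rewrite outbound source ports back into a small range, so it is worth confirming from the outside that the ports actually vary (at the time, the common way was to query an external port-randomness test service such as DNS-OARC's porttest; that service is not mentioned in this bug and is cited here only as a suggestion).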