Bug 478984 - (CVE-2009-0025) CVE-2009-0025 bind: DSA_do_verify() returns check issue
CVE-2009-0025 bind: DSA_do_verify() returns check issue
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Adam Tkac
: Security
Depends On: 478985 478986 478987 478988 478989 478990
  Show dependency treegraph
Reported: 2009-01-06 06:40 EST by Mark J. Cox (Product Security)
Modified: 2017-01-24 07:37 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-11-19 11:08:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Comment 2 Mark J. Cox (Product Security) 2009-01-07 04:33:39 EST
Gave CVE-2009-0025 to ISC for their advisory.
Comment 3 Mark J. Cox (Product Security) 2009-01-08 07:56:09 EST
Now public, removing embargo:
Comment 4 Mark J. Cox (Product Security) 2009-01-08 07:56:36 EST
nternet Systems Consortium Security Advisory.
BIND: EVP_VerifyFinal() and DSA_do_verify() return checks.
7 January 2009

Versions affected:

BIND 9.0 (all versions)
BIND 9.1 (all versions)
BIND 9.2 (all versions)
BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6
BIND 9.4.0, 9.4.1, 9.4.2, 9.4.3
BIND 9.5.0, 9.5.1
BIND 9.6.0

Severity: Low.


Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.


It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).


BIND 9.3, 9.4, 9.5 and 9.6:
Disable the affected algorithms in named.conf. This
will cause answers from zones signed only with DSA (3)
and/or NSEC3DSA (6) to be treated as insecure.

BIND 9.3, 9.4, 9.5:
disable-algorithms . { DSA; };
BIND 9.6:
disable-algorithms . { DSA; NSEC3DSA; };


Upgrade to 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.

There are no fixes planned for BIND 9.1 or BIND 9.2, as those
releases do not implement the current DNSSEC protocol.

Questions should be addressed to bind9-bugs@isc.org.

CVE: CVE-2009-0025

Also see CVE-2008-5077 for the corresponding OpenSSL issue


Credit: Google Security Team (for the original OpenSSL issue), Florian Weimer for spotting that BIND9 was vulnerable.

Revision History:

2009-01-05 Initial pre-release text

2009-01-07 Public release with corrected CVE
Comment 5 Fedora Update System 2009-01-08 09:39:15 EST
bind-9.5.1-1.P1.fc10 has been submitted as an update for Fedora 10.
Comment 6 Fedora Update System 2009-01-08 10:39:05 EST
bind-9.5.1-1.P1.fc9 has been submitted as an update for Fedora 9.
Comment 7 Fedora Update System 2009-01-14 21:51:13 EST
bind-9.5.1-1.P1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-01-14 21:59:33 EST
bind-9.5.1-1.P1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.