478984 – (CVE-2009-0025) CVE-2009-0025 bind: DSA_do_verify() returns check issue

Bug 478984 (CVE-2009-0025) - CVE-2009-0025 bind: DSA_do_verify() returns check issue

Summary: CVE-2009-0025 bind: DSA_do_verify() returns check issue

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2009-0025
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Adam Tkac
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	478985 478986 478987 478988 478989 478990
Blocks:
TreeView+	depends on / blocked

Reported:	2009-01-06 11:40 UTC by Mark J. Cox
Modified:	2021-08-12 15:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-11-19 16:08:43 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:0020	0	normal	SHIPPED_LIVE	Moderate: bind security update	2009-01-08 18:34:11 UTC

Comment 2 Mark J. Cox 2009-01-07 09:33:39 UTC

Gave CVE-2009-0025 to ISC for their advisory.

Comment 3 Mark J. Cox 2009-01-08 12:56:09 UTC

Now public, removing embargo:
https://www.isc.org/node/373

Comment 4 Mark J. Cox 2009-01-08 12:56:36 UTC

nternet Systems Consortium Security Advisory.
BIND: EVP_VerifyFinal() and DSA_do_verify() return checks.
7 January 2009

Versions affected:

BIND 9.0 (all versions)
BIND 9.1 (all versions)
BIND 9.2 (all versions)
BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6
BIND 9.4.0, 9.4.1, 9.4.2, 9.4.3
BIND 9.5.0, 9.5.1
BIND 9.6.0

Severity: Low.

Description:

Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.

Impact:

It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).

Workaround:

BIND 9.3, 9.4, 9.5 and 9.6:
Disable the affected algorithms in named.conf. This
will cause answers from zones signed only with DSA (3)
and/or NSEC3DSA (6) to be treated as insecure.

BIND 9.3, 9.4, 9.5:
disable-algorithms . { DSA; };
BIND 9.6:
disable-algorithms . { DSA; NSEC3DSA; };

Fix:

Upgrade to 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.

There are no fixes planned for BIND 9.1 or BIND 9.2, as those
releases do not implement the current DNSSEC protocol.

Questions should be addressed to bind9-bugs.

CVE: CVE-2009-0025

Also see CVE-2008-5077 for the corresponding OpenSSL issue

Revision History:

2009-01-05 Initial pre-release text

2009-01-07 Public release with corrected CVE

Comment 5 Fedora Update System 2009-01-08 14:39:15 UTC

bind-9.5.1-1.P1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/bind-9.5.1-1.P1.fc10

Comment 6 Fedora Update System 2009-01-08 15:39:05 UTC

bind-9.5.1-1.P1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bind-9.5.1-1.P1.fc9

Comment 7 Fedora Update System 2009-01-15 02:51:13 UTC

bind-9.5.1-1.P1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-01-15 02:59:33 UTC

bind-9.5.1-1.P1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Tomas Hoger 2009-11-19 16:08:43 UTC

https://www.redhat.com/security/data/cve/CVE-2009-0025.html

Note You need to log in before you can comment on or make changes to this bug.