Bug 557983 (CVE-2010-0382) - CVE-2010-0382 bind: out-of-bailiwick data vulnerability due to regression while fixing CVE-2009-4022
Summary: CVE-2010-0382 bind: out-of-bailiwick data vulnerability due to regression whi...
Alias: CVE-2010-0382
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Depends On: 555119
TreeView+ depends on / blocked
Reported: 2010-01-22 23:15 UTC by Vincent Danen
Modified: 2019-09-29 12:34 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-01-25 17:46:54 UTC

Attachments (Terms of Use)

Description Vincent Danen 2010-01-22 23:15:17 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0382 to
the following vulnerability:

Name: CVE-2010-0382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0382
Assigned: 20100122
Reference: CONFIRM: https://www.isc.org/advisories/CVE-2009-4022v6

ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before
9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick
data accompanying a secure response without re-fetching from the
original source, which allows remote attackers to have an unspecified
impact via a crafted response, aka Bug 20819.  NOTE: this vulnerability
exists because of a regression during the fix for CVE-2009-4022

Comment 1 Vincent Danen 2010-01-22 23:26:53 UTC
I'm unsure whether this got fixed along with CVE-2010-0290 (bug #557121) because that bug is also due to a regression of CVE-2009-4022.  The upstream advisory states:

2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737]

2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. (Regression bug introduced by fix for RT #20438) [RT #20819] 

So it's listing it as two separate issues (2828 would correspond with CVE-2010-0290) which is probably why MITRE assigned two CVEs.  What is unclear is whether or not the fix we used for CVE-2010-0290 also corrects this issue.

Comment 2 Adam Tkac 2010-01-25 08:35:17 UTC
This issue is fixed together with CVE-2010-0290 (bug #557121). Updated packages are already released (for RHEL5).

Comment 3 Vincent Danen 2010-01-25 17:46:54 UTC
Thanks for that confirmation Adam.

This issue is then resolved via RHSA-2010:0062:


Note You need to log in before you can comment on or make changes to this bug.