Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0382 to the following vulnerability:

Name: CVE-2010-0382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0382
Assigned: 20100122
Reference: CONFIRM: https://www.isc.org/advisories/CVE-2009-4022v6

ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022.
I'm unsure whether this got fixed along with CVE-2010-0290 (bug #557121) because that bug is also due to a regression of CVE-2009-4022. The upstream advisory states:

2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737]

2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. (Regression bug introduced by fix for RT #20438) [RT #20819]

So it's listing it as two separate issues (2828 would correspond with CVE-2010-0290) which is probably why MITRE assigned two CVEs. What is unclear is whether or not the fix we used for CVE-2010-0290 also corrects this issue.
This issue is fixed together with CVE-2010-0290 (bug #557121). Updated packages are already released (for RHEL5).
Thanks for that confirmation, Adam. This issue is then resolved via RHSA-2010:0062: https://rhn.redhat.com/errata/RHSA-2010-0062.html