[NBLUG/talk] [Mark_Andrews@isc.org: Internet Software Consortium Security Advisory: 5 March 2003]

[Eric Eisenhart]

Mike: here's the other message I got from the bind-announce mailing list.

----- Forwarded message from Mark_Andrews at isc.org -----

To: bind-announce at isc.org
From: Mark_Andrews at isc.org
Subject: Internet Software Consortium Security Advisory: 5 March 2003

		Internet Software Consortium Security Advisory.
			     Status Update
			     5 March 2003

	BIND 9.2.2 was released which contains fixes for previously
	announced vulnerabilities.

	These were a remote buffer overflow documented in CERT advisory
	[CERT CA-2002-19] and enforcement of the minimum OpenSSL version
	[CERT CA-2002-23].

	http://www.cert.org/advisories/CA-2002-19.html
	http://www.cert.org/advisories/CA-2002-23.html


	[CERT CA-2002-19]:

	BIND 9.2.0 and BIND 9.2.1 needs to be upgraded if you have not
	already applied the workaround listed in [CERT CA-2002-19] and
	you enabled libbind by specifying "configure --enable-libbind"
	when you built BIND 9.2.0 or BIND 9.2.1.


	[CERT CA-2002-23]:

	BIND 9.[01].x needs to be upgraded if you have not applied the
	workaround listed in [CA-2002-23].  BIND 9.2.2 enforces a
	minimum OpenSSL version at compile time.

	BIND 9.2.0 and BIND 9.2.1 need to be upgraded if you built BIND
	with a vulnerable version of OpenSSL, "configure --with-openssl".
	BIND 9.2.2 enforces a minimum OpenSSL version at compile time.

	You can test to see if BIND was built with OpenSSL by running:

		dnssec-keygen -a rsa -b 512 -n zone foo

	If the command returns an error message which contains "built with
	no crypto support" then BIND was NOT linked against OpenSSL. This
	does NOT check the OpenSSL version in use.

	If you are in doubt about your current BIND status upgrade.

	The current BIND version can be found via:
	http://www.isc.org/products/BIND/

	The current BIND security page can be found via:
	http://www.isc.org/products/BIND/bind-security.html



----- End forwarded message -----