oss-sec mailing list archives
CVE request: BIND 9 bug involving DNSSEC and the additional section
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 24 Nov 2009 16:23:40 +0100
Fixed in BIND 9.6.1-P2, 9.5.2-P1 and 9.4.3-P4, per recent announcements.

2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438]

The advisory at <https://www.isc.org/node/504> is rather unclear. The way it is written, one would assume that the in-bailiwick checks are bypassed as well. Is this really true? (Based on a quick look at the patch, this seems to happen only for secure domains, that is, you need some trust anchors.)