Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning

Previous thread: Re: Actual BIND error - Patching OpenBSD 4.3 named ? by Stuart Henderson on Wednesday, July 9, 2008 - 9:17 am. (1 message)

Next thread: Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning by Unix Fan on Wednesday, July 9, 2008 - 11:48 am. (13 messages)
To: <misc@...>
Cc: Zamri Besar <zam4ever@...>
Date: Wednesday, July 9, 2008 - 10:45 am

Good morning,

Today, I received an alert from one of my friends regarding
Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable
to cache poisoning.
http://www.kb.cert.org/vuls/id/800113

I checked the above site and found that the status of most of the *BSDs
is unknown. Does this bug affect OpenBSD's default BIND DNS?

I don't know whether the above bug is similar to this thread or not.
http://marc.info/?l=openbsd-misc&m=118539211412877&w=2

--
Thank you.

Yours truly,

Zamri Besar

To: Misc-Openbsd Listserv <misc@...>
Date: Thursday, July 10, 2008 - 4:15 am

looks like there is some work in progress to update the in-tree BIND
to 9.4.2-P1 + local tweaking, for example:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch...

As Theo points out, patience is a virtue, and it's the "+ local
tweaking" above that is the reason I gratefully use OpenBSD.

/Pete


reading tea leaves^H^H^H^H^H^H^H^H^H^Hsource-changes has me thinking
the BIND bug has spurred some activity in other parts of the tree, too
(as in, "bugs are never unique, in OpenBSD we look for patterns or

AOL!

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

To: Zamri Besar <zam4ever@...>
Cc: <misc@...>
Date: Wednesday, July 9, 2008 - 11:20 am

I think named on OpenBSD 4.3 is affected too.
See
http://www.nabble.com/Actual-BIND-error---Patching-OpenBSD-4.3-named---t...

So long,

Andreas.

--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.

To: Zamri Besar <zam4ever@...>
Cc: <misc@...>
Date: Wednesday, July 9, 2008 - 10:52 am

OpenBSD's named is affected.
It is a flaw in the DNS protocol, which means potentially *all*
implementations are affected...

--
Mathieu


Credit where credit is due: djbdns isn't.

Without specifics on the issue, I can't tell if OpenBSD's bind is truly
vulnerable, but it certainly does use a fixed source port.

--
David Terrell
dbt@meat.net
((meatspace)) http://meat.net/
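The fixed source port mentioned above is the property that matters for an off-path spoofer: with the port known, only the 16-bit transaction ID (TXID) of the outstanding query has to be guessed. The script below is an added example, not code from this thread or from OpenBSD or BIND. It parses the TXID out of DNS query headers, flags a resolver whose outbound queries all leave from one port or carry sequential TXIDs, and computes how likely one batch of spoofed replies is to win the race. The captured queries are constructed by hand; on a real resolver you would take the port and TXID of each outbound query from tcpdump output instead.

```python
"""Offline check for fixed-source-port / predictable-TXID resolvers.

Added example (not from the thread, OpenBSD or BIND).  All sample
traffic below is constructed inline so the script runs without a network.
"""
import struct

TXID_SPACE = 1 << 16          # 16-bit transaction ID
EPHEMERAL_PORTS = 65536 - 1024  # ports 1024..65535, the usual randomised range


def build_query(txid: int, qname: str = "example.com") -> bytes:
    """Build a minimal standard A query (used only to construct sample traffic)."""
    # Header (RFC 1035 4.1.1): ID, FLAGS (RD set, QR clear), QD=1, AN=NS=AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(dns_wire: bytes) -> int:
    """Return the TXID of a DNS query message; reject replies and short frames."""
    if len(dns_wire) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", dns_wire[:4])
    if flags & 0x8000:            # QR bit set: this is a response, not a query
        raise ValueError("not a query")
    return txid


def assess(queries):
    """queries: iterable of (udp_src_port, dns_wire) for outbound resolver queries.

    Returns what an off-path attacker would learn from watching this traffic.
    """
    ports, txids = [], []
    for port, wire in queries:
        ports.append(port)
        txids.append(parse_txid(wire))
    if not txids:
        raise ValueError("no queries to assess")
    # TXIDs that step by one are as weak as a constant: observe one, predict the rest.
    deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    return {
        "fixed_port": len(set(ports)) == 1,
        "sequential_txid": bool(deltas) and all(d == 1 for d in deltas),
        "txid_reuse": len(set(txids)) != len(txids),
    }


def spoof_success_per_race(guesses: int, randomised_port: bool) -> float:
    """Probability that one race (one burst of `guesses` distinct spoofed
    replies, sent before the real answer arrives) hits the live (port, TXID).
    With a fixed port only the TXID is unknown; with port randomisation the
    attacker must also guess one of EPHEMERAL_PORTS ports."""
    space = TXID_SPACE * (EPHEMERAL_PORTS if randomised_port else 1)
    return min(1.0, guesses / space)


# Constructed sample 1: every query from port 53 with TXIDs 0x1000, 0x1001, ...
FIXED_PORT_RESOLVER = [(53, build_query(0x1000 + i)) for i in range(8)]

# Constructed sample 2: random ephemeral port and random TXID per query
RANDOMISING_RESOLVER = [
    (41232, build_query(0x9F3A)), (58711, build_query(0x0C41)),
    (12890, build_query(0xE77D)), (33051, build_query(0x51B2)),
    (60244, build_query(0x2A90)),
]

if __name__ == "__main__":
    for name, sample in (("fixed-port", FIXED_PORT_RESOLVER),
                         ("randomising", RANDOMISING_RESOLVER)):
        print(name, assess(sample))
    # 200 spoofed replies per race is a realistic burst on a LAN-speed link
    print("P(win | fixed port)     =", spoof_success_per_race(200, False))
    print("P(win | randomised port)=", spoof_success_per_race(200, True))
```

The per-race probability is what turns the Kaminsky variant into a practical attack: because the attacker can force a fresh race with a new random subdomain each time, a fixed port lets the ~1/65536-per-packet odds be retried without limit, whereas adding ~64k possible ports pushes the expected number of spoofed packets up by the same factor.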

To: David Terrell <dbt@...>
Cc: <misc@...>
Date: Wednesday, July 9, 2008 - 12:14 pm

Stuart Henderson already answered this question on misc@ (12:10 UTC,
today). Named is vulnerable. The resolver is not :)

--
Mathieu


On Thu, Jul 10, 2008 at 12:14 AM, Mathieu SEGAUD

I just finished re-reading it. Thank you for the input, and I agree
that for the moment we will wait for the latest official update from
the OpenBSD developers.

And probably a minor update for those who are deploying it over
Debian. Looks like it is time to patch it.
http://www.debian.org/security/2008/dsa-1603

Have a nice day!

-zamri-
