On Thu, Jul 10, 2008 at 12:14 AM, Mathieu SEGAUD

 wrote:

quoted text
> Vous m'avez dit ricemment :

>

>> On Wed, Jul 09, 2008 at 04:52:39PM +0200, Mathieu SEGAUD wrote:

>>> Vous m'avez dit ricemment :

>>>

>>> > Good morning,

>>> >

>>> > Today, I'm received alert from one of my friends regarding to

>>> > Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable

>>> > to cache poisoning.

>>> > http://www.kb.cert.org/vuls/id/800113

>>> >

>>> > I checked the above site, and found that most of the *BSD status are

>>> > unknown. Is this bug affected OpenBSD default bind dns?

>>>

>>> OpenBSD's named is affected.

>>> It is a flow in the DNS protocol, which means potentially *all*

>>> implementations are affected...

>>

>> Credit where credit is due: djbdns isn't.

>

> good to know. thanks. thus "potentially"

>

>> Without specifics on the issue, I can't tell if OpenBSD's bind is truly

>> vulnerable, but it certainly does use a fixed source port.

>

> Stuart Henderson already answered this question on misc@ (12:10 UTC,

> today). Named is vulnerable. The resolver is not :)

>

> --

> Mathieu

>

>

I'm just finish re-read it right now. Thank you for the input and I

agree that at this moment, we will waiting for the latest official

update from OpenBSD developers.
And probably a minor update for those who are deploying it over

Debian. Looks like it is time to patch it.

http://www.debian.org/security/2008/dsa-1603
Have a nice day!
-zamri-