Debian: New bind9 packages fix cache poisoning

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult. Fixed packages are available from

------------------------------------------------------------------------
Debian Security Advisory DSA-1603-1                                   Florian Weimer
July 08, 2008
------------------------------------------------------------------------

Package        : bind9
Vulnerability  : DNS cache poisoning
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1447
CERT advisory  : VU#800113

Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks.  Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.

This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization.  This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.

Note that this security update changes BIND network behavior in a
fundamental way, and the following steps are recommended to ensure a
smooth upgrade.

1. Make sure that your network configuration is compatible with source
port randomization.  If you guard your resolver with a stateless packet
filter, you may need to make sure that no non-DNS services listen on
the 1024--65535 UDP port range and open it at the packet filter.  For
instance, packet filters based on etch's Linux 2.6.18 kernel only
support stateless filtering of IPv6 packets, and therefore pose this
additional difficulty.  (If you use IPv4 with iptables and ESTABLISHED
rules, networking changes are likely not required.)

2. Install the BIND 9 upgrade, using "apt-get update" followed by
"apt-get install bind9".  Verify that the named process has been
restarted and answers recursive queries.  (If all queries result in
timeouts, this indicates that networking changes are necessary; see the
first step.)

3. Verify that source port randomization is active.  Check that the
/var/log/daemon.log file does not contain messages of the following

 named[6106]: /etc/bind/named.conf.options:28: using specific
   query-source port suppresses port randomization and can be insecure.

right after the "listening on IPv6 interface" and "listening on IPv4
interface" messages logged by BIND upon startup.  If these messages are
present, you should remove the indicated lines from the configuration,
or replace the port numbers contained within them with a "*" sign (e.g.,
replace "port 53" with "port *").

For additional certainty, use tcpdump or some other network monitoring
tool to check for varying UDP source ports.  If there is a NAT device
in front of your resolver, make sure that it does not defeat the
effect of source port randomization.

4. If you cannot activate source port randomization, consider
configuring BIND 9 to forward queries to a resolver which can, possibly
over a VPN such as OpenVPN to create the necessary trusted network link.
(Use BIND's forward-only mode in this case.)
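
The checks from step 3, as an added shell example that is not part of the original advisory: it reports pinned query-source ports in a configuration file, counts the startup warning in a log, and counts distinct source ports in "tcpdump -n" text output. The function names, file contents, addresses and ports are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): step 3 checks over constructed samples.

# Print config lines that pin the query source port to a number;
# "port *" keeps randomization and is not reported.
fixed_query_source() {
    grep -nE '^[[:space:]]*query-source(-v6)?[[:space:]].*port[[:space:]]+[0-9]+' "$1" || true
}

# Count occurrences of BIND's startup warning in a log file.
log_warnings() {
    grep -c 'query-source port suppresses port randomization' "$1" || true
}

# Count distinct source ports of queries sent to port 53 by the resolver
# with IP address $2, read from "tcpdump -n" text output in file $1.
distinct_source_ports() {
    awk -v ip="$2" '$4 == ">" && index($3, ip ".") == 1 && $5 ~ /\.53:$/ {
        n = split($3, a, "."); print a[n] }' "$1" | sort -u | wc -l | tr -d ' '
}

# Constructed sample input (documentation addresses, made-up ports and IDs).
SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/named.conf.options" <<'EOF'
options {
    directory "/var/cache/bind";
    query-source address * port 53;
    query-source-v6 address * port *;
};
EOF
cat > "$SAMPLES/daemon.log" <<'EOF'
Jul  8 12:00:00 ns named[6106]: listening on IPv4 interface eth0, 192.0.2.10#53
Jul  8 12:00:00 ns named[6106]: /etc/bind/named.conf.options:3: using specific query-source port suppresses port randomization and can be insecure.
EOF
cat > "$SAMPLES/pinned.txt" <<'EOF'
12:00:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 4242 A? example.org. (29)
12:00:01.200001 IP 192.0.2.10.53 > 198.51.100.2.53: 9911 A? example.net. (29)
12:00:01.300001 IP 198.51.100.1.53 > 192.0.2.10.53: 4242*- 1/0/0 A 203.0.113.5 (45)
EOF
cat > "$SAMPLES/random.txt" <<'EOF'
12:00:01.000001 IP 192.0.2.10.33412 > 198.51.100.1.53: 4242 A? example.org. (29)
12:00:01.200001 IP 192.0.2.10.51877 > 198.51.100.2.53: 9911 A? example.net. (29)
12:00:01.300001 IP 198.51.100.1.53 > 192.0.2.10.33412: 4242*- 1/0/0 A 203.0.113.5 (45)
EOF

echo "pinned config lines:"; fixed_query_source "$SAMPLES/named.conf.options"
echo "log warnings: $(log_warnings "$SAMPLES/daemon.log")"
echo "distinct ports (pinned): $(distinct_source_ports "$SAMPLES/pinned.txt" 192.0.2.10)"
echo "distinct ports (random): $(distinct_source_ports "$SAMPLES/random.txt" 192.0.2.10)"
```

On a patched resolver the distinct-port count should approach the number of queries captured; a count of 1 over many queries means the port is still fixed, either by configuration or by a NAT device rewriting it.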

Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
Unbound) already employ source port randomization, and no updated
packages are needed.  BIND 9.5 up to and including version
1:9.5.0.dfsg-4 only implements a weak form of source port
randomization and needs to be updated as well.  For information on
BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
see DSA-1605-1.

The updated bind9 packages contain changes originally scheduled for
the next stable point release, including the changed IP address of
L.ROOT-SERVERS.NET (Debian bug #449148).

For the stable distribution (etch), this problem has been fixed in
version 9.3.4-2etch3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 package.

Upgrade instructions
--------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

 These files will probably be moved into the stable distribution on
 its next update.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show ' and