Mandriva Linux Security Advisory : bind (MDVSA-2009:037)

medium Nessus Plugin ID 36346

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025.

In this particular case, the DSA_verify function was fixed with MDVSA-2009:002; this update, however, addresses the RSA_verify function (CVE-2009-0265).
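
The return-value pitfall described above, as an added example that is not part of the advisory or of BIND's source: EVP_VerifyFinal returns 1 for a valid signature, 0 for an invalid one and -1 on other errors, so a caller that only tests for 0 accepts the error case. `verify_stub`, the `chain_ok_*` functions and the sample chains are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Return convention of OpenSSL's EVP_VerifyFinal:
 *   1 = signature valid, 0 = signature invalid, -1 = other error
 *   (for example, a signature blob that cannot be processed). */
enum { SIG_VALID = 1, SIG_INVALID = 0, SIG_ERROR = -1 };

/* Hypothetical stand-in for the library call so this runs without OpenSSL:
 * it returns the outcome recorded for one link of the chain. */
static int verify_stub(int recorded_outcome) { return recorded_outcome; }

/* Flawed pattern: only 0 is treated as failure, so -1 counts as success. */
int chain_ok_flawed(const int *links, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (verify_stub(links[i]) == 0)
            return 0;
    return 1;
}

/* Hardened pattern: anything other than exactly 1 rejects the chain. */
int chain_ok_strict(const int *links, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (verify_stub(links[i]) != 1)
            return 0;
    return 1;
}

/* Constructed sample chains (not taken from any real traffic). */
const int chain_good[]      = { SIG_VALID, SIG_VALID,   SIG_VALID };
const int chain_forged[]    = { SIG_VALID, SIG_INVALID, SIG_VALID };
const int chain_malformed[] = { SIG_VALID, SIG_ERROR,   SIG_VALID };

int main(void) {
    printf("good:      flawed=%d strict=%d\n",
           chain_ok_flawed(chain_good, 3), chain_ok_strict(chain_good, 3));
    printf("forged:    flawed=%d strict=%d\n",
           chain_ok_flawed(chain_forged, 3), chain_ok_strict(chain_forged, 3));
    printf("malformed: flawed=%d strict=%d\n",
           chain_ok_flawed(chain_malformed, 3), chain_ok_strict(chain_malformed, 3));
    return 0;
}
```

When auditing code for this class of bug, look for verify calls whose result is tested with `!result` or `== 0` rather than compared against 1.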

Solution

Update the affected packages.

Plugin Details

Severity: Medium

ID: 36346

File Name: mandriva_MDVSA-2009-037.nasl

Version: 1.20

Type: local

Published: 4/23/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:bind, p-cpe:/a:mandriva:linux:bind-devel, p-cpe:/a:mandriva:linux:bind-doc, p-cpe:/a:mandriva:linux:bind-utils, cpe:/o:mandriva:linux:2008.0, cpe:/o:mandriva:linux:2008.1, cpe:/o:mandriva:linux:2009.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/16/2009

Reference Information

CVE: CVE-2009-0265

BID: 33150

CWE: 287

MDVSA: 2009:037