Mandriva Linux Security Advisory : bind (MDVSA-2009:037)

Nessus Plugin ID 36346 (Severity: Medium)

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a vulnerability similar to CVE-2008-5077 and CVE-2009-0025.

In this particular case the DSA_verify function was fixed with MDVSA-2009:002; this update addresses the RSA_verify function (CVE-2009-0265).

Solution

Update the affected packages.

Plugin Details

Severity: Medium

ID: 36346

File Name: mandriva_MDVSA-2009-037.nasl

Version: $Revision: 1.16 $

Type: local

Published: 2009/04/23

Modified: 2016/02/25

Dependencies: 12634

Risk Information

Risk Factor: Medium
Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:bind, p-cpe:/a:mandriva:linux:bind-devel, p-cpe:/a:mandriva:linux:bind-doc, p-cpe:/a:mandriva:linux:bind-utils, cpe:/o:mandriva:linux:2008.0, cpe:/o:mandriva:linux:2008.1, cpe:/o:mandriva:linux:2009.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2009/02/16

Reference Information

CVE: CVE-2009-0265

BID: 33150

OSVDB: 53115

MDVSA: 2009:037

CWE: 287