ISC BIND 9.4.3-P4 is now available

Evan Hunt

Nov 24, 2009, 10:24:04 AM
to bind-...@isc.org

BIND 9.4.3-P4 is now available.

BIND 9.4.3-P4 is a SECURITY PATCH for BIND 9.4.3. It addresses a
potential cache poisoning vulnerability, in which data in the additional
section of a response could be cached without proper DNSSEC validation.

Bugs should be reported to bind9...@isc.org.

BIND 9.4.3-P4 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz

PGP signatures of the distribution are at:

ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip

PGP signatures of the binary kit are at:

ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip.sha512.asc

Changes since 9.4.3-P3:

2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        validates as secure. [RT #20438]


--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.

Mike Bernhardt

Nov 30, 2009, 2:19:44 PM
to bind-...@isc.org
Dumb question perhaps, but does this patch serve any purpose if one is not
using DNSSEC?

Kevin Oberman

Nov 30, 2009, 2:29:31 PM
to Mike Bernhardt, bind-...@isc.org
> From: "Mike Bernhardt" <bern...@bart.gov>
> Date: Mon, 30 Nov 2009 11:19:44 -0800
> Sender: bind-user...@lists.isc.org

>
> Dumb question perhaps, but does this patch serve any purpose if one is not
> using DNSSEC?

Dumb answer: looks like it only affects you if you are doing
validation. If you sign your data without enabling validation, it does
nothing, as far as I can tell.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: obe...@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
