dns caches posioned

Thanks for the report. The bind9 in dapper should contain all security fixes from later releases. Do you have any other details about the situation you've been seeing?

Sorry it took so long to get back to you.

I will have to dig up version numbers. But basically we had machines
with the most recent Ubuntu 6.06 DNS/Bind package running. And they
were poisoned. The machines were not breached, the systems were fine,
just DNS/Bind were filled with incorrect DNS information (poisioned).

When investigating the issue we noticed there was an updated version of
ISC DNS Bind that was not incorporated into the most recent Ubuntu 6.06
DNS Bind package.

This is the package I had installed,

bdolango@dnscache1:~$ sudo apt-cache showpkg bind9
Package: bind9
Versions:
1:9.3.2-2ubuntu1.3(/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_dapper-updates_main_binary-i386_Packages)(/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_dapper-security_main_binary-i386_Packages)(/var/lib/dpkg/status)
1:9.3.2-2ubuntu1(/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_dapper_main_binary-i386_Packages)

Reverse Depends:
  gforge-dns-bind9,bind9
  dnsutils,bind9 1:9.1.0-3
  ultrapossum-dnsbalance,bind9
  resolvconf,bind9 1:9.2.1-7
  meta-ul-server-base,bind9
  ldap2dns,bind9
  gforge-dns-bind9,bind9
  education-main-server,bind9
  dnscvsutil,bind9
  dhis-tools-dns,bind9
  dhis-dns-engine,bind9
  autodns-dhcp,bind9
  dnsutils,bind9 1:9.1.0-3
Dependencies:
1:9.3.2-2ubuntu1.3 - libbind9-0 (0 (null)) libc6 (2 2.3.4-1) libdns21 (0
(null)) libisc11 (0 (null)) libisccc0 (0 (null)) libisccfg1 (0 (null))
liblwres9 (0 (null)) libssl0.9.8 (2 0.9.8a-1) netbase (0 (null)) adduser
(0 (null)) libdns21 (5 1:9.3.2-2ubuntu1.3) libisccfg1 (5
1:9.3.2-2ubuntu1.3) libisc11 (5 1:9.3.2-2ubuntu1.3) libisccc0 (5
1:9.3.2-2ubuntu1.3) lsb-base (2 3.0-6) dnsutils (0 (null)) bind9-doc (0
(null)) bind (0 (null)) bind (0 (null)) dnsutils (3 1:9.1.0-3)
1:9.3.2-2ubuntu1 - libbind9-0 (0 (null)) libc6 (2 2.3.4-1) libdns21 (0
(null)) libisc11 (0 (null)) libisccc0 (0 (null)) libisccfg1 (0 (null))
liblwres9 (0 (null)) libssl0.9.8 (2 0.9.8a-1) netbase (0 (null)) adduser
(0 (null)) libdns21 (5 1:9.3.2-2ubuntu1) libisccfg1 (5 1:9.3.2-2ubuntu1)
libisc11 (5 1:9.3.2-2ubuntu1) libisccc0 (5 1:9.3.2-2ubuntu1) lsb-base (2
3.0-6) dnsutils (0 (null)) bind9-doc (0 (null)) bind (0 (null)) bind (0
(null)) dnsutils (3 1:9.1.0-3)
Provides:
1:9.3.2-2ubuntu1.3 -
1:9.3.2-2ubuntu1 -
Reverse Provides:

The version I installed from ISC is 9.4.2

==>brian.

On Tue, 2008-03-11 at 15:25 +0000, Kees Cook wrote:
> Thanks for the report. The bind9 in dapper should contain all security
> fixes from later releases. Do you have any other details about the
> situation you've been seeing?
>
> ** Changed in: bind9 (Ubuntu)
> Status: Triaged => Incomplete
>

> When investigating the issue we noticed there was an updated version of
> ISC DNS Bind that was not incorporated into the most recent Ubuntu 6.06
> DNS Bind package.

If you mean bind 9.4.2, that is in 8.04/hardy. However any security fixes that are found in 9.4.2 should have also been incorporated in uploads to dapper (by backporting the fix into 9.3.2).

lamont

I am going to mark this as Invalid. Bind9 in Ubuntu 6.06 LTS is fully patched based on upstream and known vulnerabilities. Please reopen if this is found to be in error along with information on how to reproduce the poisoning. Thanks!