Bug 454852 - Default caching-nameserver configuration blocks fixes for CVE-2008-1447 (rhel-5)
Summary: Default caching-nameserver configuration blocks fixes for CVE-2008-1447 (rhel-5)
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bind
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Adam Tkac
QA Contact:
Depends On:
Reported: 2008-07-10 07:46 UTC by Nigel Metheringham
Modified: 2013-04-30 23:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-07-10 19:58:08 UTC
Target Upstream Version:


Related errata:
  System:       Red Hat Product Errata
  ID:           RHSA-2008:0533
  Priority:     normal
  Status:       SHIPPED_LIVE
  Summary:      Important: bind security update
  Last Updated: 2008-07-10 19:53:01 UTC

Description Nigel Metheringham 2008-07-10 07:46:42 UTC
CVE-2008-1447 mitigation requires that the source port for DNS queries
is randomized to make an attack more difficult.

The caching name server config file contains the following lines near
the top:-
   options {
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { localhost; };

The query-source directives prevent the randomization of sender port.

This causes warnings to be produced in the log file.

Version-Release number of selected component (if applicable):
  Version     : 9.3.4
  Release     : 6.0.1.P1.el5_2

Comment 1 Tomas Hoger 2008-07-10 08:11:53 UTC
caching-nameserver is built from bind source RPM in Red Hat Enterprise Linux 5
-> moving to proper component.

Comment 4 Adam Tkac 2008-07-10 10:06:41 UTC
You are right. Btw, those options have been in the configuration file since 5.0,
but it is far better to drop them. Thanks for your report.

Comment 6 Mark J. Cox 2008-07-10 11:26:27 UTC
We plan to reissue the RHEL 5.0 packages to include a fix for this issue.  We
are treating this as an emergency exception, and the packages will be released
as soon as they have cleared our standard QE and release processes.

Comment 9 Mark J. Cox 2008-07-10 19:58:08 UTC
[Updated 10th July 2008]
We have updated the Enterprise Linux 5 BIND packages. The
default and sample caching-nameserver configuration files have been updated
so that they do not specify a fixed query-source port. Administrators
wishing to take advantage of randomized UDP source ports should check their
configuration file to ensure they have not specified fixed query-source ports.
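The description explains why `query-source port 53` defeats source-port randomization, and Comment 9 asks administrators to check their own named.conf for fixed query-source ports. The following script is an added example (not part of this bug report, not Red Hat's or ISC's code) that performs that check: it strips BIND-style comments, finds every `query-source` / `query-source-v6` directive, and reports any whose `port` argument is a fixed number rather than `*`. It assumes the BIND 9 syntax `query-source [address (ip|*)] [port (number|*)];`; the two named.conf texts embedded in it are constructed samples, the weak one modelled on the caching-nameserver fragment quoted in the description.

```python
import re

# Constructed sample modelled on the caching-nameserver fragment quoted in the
# description; the options block is closed here so it is a complete file.
WEAK_NAMED_CONF = """
// caching-nameserver style configuration (constructed sample)
options {
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { localhost; };
        directory       "/var/named";
};
"""

# The same configuration with the fixed ports removed. Without query-source
# port directives named chooses a random ephemeral port for each outgoing
# query, which is what the CVE-2008-1447 mitigation depends on.
FIXED_NAMED_CONF = """
options {
        allow-query     { localhost; };
        directory       "/var/named";
};
"""

# BIND accepts C-style block comments, C++-style // comments and # comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

# Matches "query-source ...;" and "query-source-v6 ...;" and captures the
# arguments between the directive name and the terminating semicolon.
_QS_RE = re.compile(r"\bquery-source(?P<v6>-v6)?\b(?P<args>[^;]*);")


def strip_comments(text):
    """Remove BIND-style comments so commented-out directives are ignored."""
    return _COMMENT_RE.sub("", text)


def fixed_query_source_ports(conf_text):
    """Return [(directive, port), ...] for every query-source / query-source-v6
    directive that pins the UDP source port to a specific number.

    Directives with no port clause, or with "port *", are not reported:
    both leave port selection to named, which is the desired configuration.
    """
    findings = []
    for match in _QS_RE.finditer(strip_comments(conf_text)):
        directive = "query-source-v6" if match.group("v6") else "query-source"
        # Typical argument lists: ["port", "53"], ["address", "*", "port", "*"],
        # ["address", "192.0.2.1"]
        args = match.group("args").split()
        if "port" not in args:
            continue
        port = args[args.index("port") + 1] if args.index("port") + 1 < len(args) else "*"
        if port != "*":
            findings.append((directive, int(port)))
    return findings


def report(conf_text):
    """Human-readable summary of a named.conf text, for interactive use."""
    findings = fixed_query_source_ports(conf_text)
    if not findings:
        return "OK: no fixed query-source ports; named may randomize UDP source ports"
    return "WARNING: fixed source ports block CVE-2008-1447 mitigation: " + ", ".join(
        "%s port %d" % (d, p) for d, p in findings
    )


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Check a real file, e.g. /etc/named.caching-nameserver.conf
        with open(sys.argv[1]) as fh:
            print(report(fh.read()))
    else:
        print("weak sample:  " + report(WEAK_NAMED_CONF))
        print("fixed sample: " + report(FIXED_NAMED_CONF))
```

Run it against the live file (for example `python check_qs.py /etc/named.caching-nameserver.conf`) after installing the updated packages: the fix only helps if the deployed configuration, including any locally maintained copy of the old sample file, no longer pins the port. Note that a firewall rule that permits outbound UDP only from port 53 will also have to be widened once the ports are randomized.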
