[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE request: BIND 9 bug involving DNSSEC and the additional section
From:       Florian Weimer <fw () deneb ! enyo ! de>
Date:       2009-11-24 15:23:40
Message-ID: 87ocmsosjn.fsf () mid ! deneb ! enyo ! de
[Download RAW message or body]

Fixed in BIND 9.6.1-P2, 9.5.2-P1 and 9.4.3-P4, per recent
announcements.

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			validates as secure. [RT #20438]

The advisory at <https://www.isc.org/node/504> is rather unclear.  The
way it is written, one would assume that the in-bailiwick checks are
bypassed as well.  Is this really true?  (Based on a quick look at the
patch, this seems to happen only for secure domains, that is, you need
some trust anchors.)
[prev in list] [next in list] [prev in thread] [next in thread]