Key Vulnerability Information

Package:            bind
Vulnerability:      buffer overflow vulnerability
Affected Releases:  OpenPKG 1.0
Affected Packages:  = bind-8.2.6-1.0.1

Description

Existing vulnerability: According to CERT Advisory CA-2002-19 [5], a buffer
overflow vulnerability exists in multiple implementations of DNS resolver
libraries. Applications that use these vulnerable DNS resolver libraries may
be affected.

Impact on the OpenPKG bind package: The included utilities dig, host,
nslookup, and nsupdate are affected. The named server itself is not affected.

Remote attack potential: A remote attacker could potentially exploit this
vulnerability to execute arbitrary code or cause a denial of service on a
vulnerable system. Because the trigger is a DNS response, the attack can be
performed through any firewall that passes DNS replies.

Solution

Upgrade steps: Select the updated source RPM appropriate for your OpenPKG
release, fetch it from the OpenPKG FTP service [3] or a mirror location,
verify its integrity [1], build a corresponding binary RPM from it [2], and
update your OpenPKG installation by applying the binary RPM.

Specific steps for the latest OpenPKG 1.0 release:

- Download the updated source RPM [4].
- Verify the source RPM [1].
- Rebuild the source RPM [2].
- Update the system with the new binary RPM.
- Restart the bind service.

References

[1] http://www.openpkg.org/security.html#signature
[2] http://www.openpkg.org/tutorial.html#regular-source
[3] ftp://ftp.openpkg.org/release/1.0/UPD/
[4] ftp://ftp.openpkg.org/release/1.0/UPD/bind-8.2.6-1.0.1.src.rpm
[5] http://www.cert.org/advisories/CA-2002-19.html
[6] ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
[7] http://www.isc.org/products/BIND/bind-security.html

Additional Security Measures

The advisory is digitally signed; the signature can be verified with the
OpenPKG public key [1].
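The five upgrade steps in the Solution section, scripted as an added example that is not part of the OpenPKG advisory. The point it adds is the gate between step 2 and step 3: the rebuild runs only if rpm --checksig reports a good GPG signature, since an "md5 OK" line alone proves integrity but not who built the package. It assumes an OpenPKG prefix in $PREFIX (defaulting to /cw), an rpm that supports --checksig and --rebuild, curl for the download, built packages landing in $PREFIX/RPM/PKG, and a $PREFIX/etc/rc script for restarts; none of these paths come from the advisory.

```shell
#!/bin/sh
# Added example, not from the OpenPKG advisory.  Drives the five upgrade
# steps with a hard gate on the signature check.  All paths and tool
# flags below are assumptions about an OpenPKG 1.0 installation.
set -eu

PREFIX="${PREFIX:-/cw}"                       # assumed OpenPKG prefix
RPM="$PREFIX/bin/rpm"
BASE="ftp://ftp.openpkg.org/release/1.0/UPD"  # reference [3]
SRPM="bind-8.2.6-1.0.1.src.rpm"               # reference [4]
WORK="${WORK:-/tmp}"

# sig_ok STATUS LINE
# Accept the source RPM only when "rpm --checksig" exited 0 AND its output
# says the GPG signature verified.  Any "NOT OK" (bad signature, missing
# key) or a digest-only "md5 OK" line is rejected: an MD5 digest does not
# prove the package came from OpenPKG.
sig_ok() {
    status="$1"; line="$2"
    [ "$status" -eq 0 ] || return 1
    case "$line" in
        *"NOT OK"*)          return 1 ;;
        *gpg*OK*|*GPG*OK*)   return 0 ;;
        *)                   return 1 ;;
    esac
}

upgrade() {
    cd "$WORK"
    curl -sSfO "$BASE/$SRPM"                                  # step 1: download
    st=0
    out=$("$RPM" --checksig "$SRPM" 2>&1) || st=$?            # step 2: verify
    if ! sig_ok "$st" "$out"; then
        echo "refusing to build $SRPM: $out" >&2
        return 1
    fi
    "$RPM" --rebuild "$SRPM"                                  # step 3: rebuild
    "$RPM" -Fvh "$PREFIX"/RPM/PKG/bind-8.2.6-1.0.1.*.rpm      # step 4: freshen
    "$PREFIX/etc/rc" bind restart                             # step 5: restart
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${RUN_UPGRADE:-0}" = 1 ]; then
    upgrade
fi
```

Run it as root with RUN_UPGRADE=1 once the assumed paths match your installation; the constructed checksig lines in the test show which outputs the gate accepts.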