patch for named buffer overflow now available (fwd)
Date: Fri, 15 Nov 2002 09:25:46 +0100 (CET)
From: Jonas Eriksson <je@sekure.net>
To: bugtraq@securityfocus.com
Subject: patch for named buffer overflow now available (fwd)
---------- Forwarded message ----------
Date: Thu, 14 Nov 2002 19:12:41 -0700
From: Todd C. Miller <Todd.Miller@courtesan.com>
To: security-announce@openbsd.org
Subject: patch for named buffer overflow now available
A patch for the named buffer overflow is now available. The bug
could allow an attacker to execute code as the user that named runs
as. In the default OpenBSD named configuration, named runs as its
own, non-root, user in a chrooted jail. This lessens the impact
of the bug to the level of a denial of service. Anyone not running
named chrooted should start to do so immediately.
For more information on the bug, please see:
http://www.isc.org/products/BIND/bind-security.html
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
The fix has been committed to OpenBSD-current as well as to the
3.2, 3.1 and 3.0 -stable branches.
The following patches are also available for OpenBSD 3.2, 3.1 and 3.0
respectively:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/005_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/019_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/036_named.patch
