From owner-doc-jp-work@jp.FreeBSD.org Sat Nov 29 08:28:29 2003
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id hASNSTR77431;
	Sat, 29 Nov 2003 08:28:29 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from smtp.eos.ocn.ne.jp (eos.ocn.ne.jp [211.6.83.117])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id hASNSTM77426
	for <doc-jp-work@jp.FreeBSD.org>; Sat, 29 Nov 2003 08:28:29 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from delta.allbsd.org (p59004-adsao12honb4-acca.tokyo.ocn.ne.jp [220.96.141.4])
	by smtp.eos.ocn.ne.jp (Postfix) with ESMTP id 7C7631556
	for <doc-jp-work@jp.FreeBSD.org>; Sat, 29 Nov 2003 08:28:28 +0900 (JST)
Received: from localhost (alph.allbsd.org [192.168.0.10])
	by delta.allbsd.org (8.12.9p2/8.12.9) with ESMTP id hASNSKAB002983
	for <doc-jp-work@jp.FreeBSD.org>; Sat, 29 Nov 2003 08:28:21 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Message-Id: <20031129.082801.78711568.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200311282248.hASMmn8M026422@freefall.freebsd.org>
References: <200311282248.hASMmn8M026422@freefall.freebsd.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Sat_Nov_29_08:28:01_2003_053)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Sat, 29 Nov 2003 08:28:01 +0900
X-Sequence: doc-jp-work 789
Subject: [doc-jp-work 789] Re: [FreeBSD-Announce] FreeBSD Security Advisory
 FreeBSD-SA-03:19.bind
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+031103

----Next_Part(Sat_Nov_29_08:28:01_2003_053)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 03:19 $B$G$9!#(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B

----Next_Part(Sat_Nov_29_08:28:01_2003_053)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="03:19"

FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-03:19.bind (2003-11-28)
 * bind8 negative cache poison attack
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-03:19.bind
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Fri, 28 Nov 2003 14:48:49 -0800 (PST)
  Message-Id: <200311282248.hASMmng4026435@freefall.freebsd.org>
  X-Sequence: announce-jp xxx

 $B$rF|K\8lLu$7$?$b$N$G$9!#(B

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,!"$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s!#(B
 $B=$@5%Q%C%AEy$NFbMF$,2~$6$s$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r$*$3$J$&$K$O!"86J8$r;2>H$7$F$/$@$5$$!#(B

 $BF|K\8lLu$*$h$S%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O!"J8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$!#(B


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-03:19.bind                                       Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:       bind8 $B$NH]Dj1~Ez%-%c%C%7%e$r0-MQ$7$?967b(B
                (bind8 negative cache poison attack)

$BJ,N`(B:           contrib
$B%b%8%e!<%k(B:     contrib_bind
$B9pCNF|(B:         2003-11-28
$B%/%l%8%C%H(B:     Internet Software Consortium
$B1F6AHO0O(B:       FreeBSD 4.9-RELEASE $B$+$i(B FreeBSD 5.1-RELEASE $B$^$G$N(B
                $B$9$Y$F$N(B FreeBSD $B%j%j!<%9(B
                $B=$@5F|$h$jA0$N(B 4-STABLE
$B=$@5F|(B:         2003-11-28 22:13:47 UTC (RELENG_4, 4.9-STABLE)
                2003-11-27 00:54:53 UTC (RELENG_5_1, 5.1-RELEASE-p11)
                2003-11-27 16:54:01 UTC (RELENG_5_0, 5.0-RELEASE-p19)
                2003-11-27 00:56:06 UTC (RELENG_4_9, 4.9-RELEASE-p1)
                2003-11-27 16:34:22 UTC (RELENG_4_8, 4.8-RELEASE-p14)
                2003-11-27 16:35:06 UTC (RELENG_4_7, 4.7-RELEASE-p24)
                2003-11-27 16:37:00 UTC (RELENG_4_6, 4.6.2-RELEASE-p27)
                2003-11-27 16:38:36 UTC (RELENG_4_5, 4.5-RELEASE-p37)
                2003-11-27 16:40:03 UTC (RELENG_4_4, 4.4-RELEASE-p47)
CVE Name:       CAN-2003-0914
FreeBSD $B$K8GM-$+(B:       NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

$B>e5-$N9`L\$d%;%-%e%j%F%#%V%i%s%A!"0J2<$N3F@a$D$$$F$N@bL@$J$I!"(B
FreeBSD $B%;%-%e%j%F%#4+9p$K$D$$$F$N0lHLE*$J>pJs$O!"(B
<URL:http://www.freebsd.org/security/> $B$r$4Mw$/$@$5$$!#(B


I.   $BGX7J(B - Background

BIND 8 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is the Internet domain name server.

BIND 8 $B$O%I%a%$%s%M!<%`%7%9%F%`(B (DNS) $B%W%m%H%3%k$N<BAu$N$R$H$D$G$9!#(B
named(8) $B%G!<%b%s$O!"$=$l$K4^$^$l$k%$%s%?!<%M%C%H%I%a%$%s%M!<%`%5!<%P$G$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

A programming error in BIND 8 named can result in a DNS message being
incorrectly cached as a negative response.

BIND 8 $B$N(B named $B$K$O!"$"$k(B DNS $B%a%C%;!<%8$r8m$C$FH]Dj1~Ez(B (negative
response) $B$H$7$F%-%c%C%7%e$K5-O?$7$F$7$^$&$H$$$&!"%W%m%0%i%`>e$N4V0c$$$,(B
$B4^$^$l$F$$$^$9!#(B


III. $B1F6AHO0O(B - Impact

An attacker may arrange for malicious DNS messages to be delivered
to a target name server, and cause that name server to cache a
negative response for some target domain name.  The name server would
thereafter respond negatively to legitimate queries for that domain
name, resulting in a denial-of-service for applications that require
DNS.  Almost all Internet applications require DNS, such as the Web,
email, and chat networks.

$B967b<T$O!"0-0U$N$"$k(B DNS $B%a%C%;!<%8$r:n@.$7$F967bBP>]$N%M!<%`%5!<%P$K(B
$BAw$j!"$=$N%5!<%P$K$*$$$F!"$=$N%a%C%;!<%8$rFCDj$N%I%a%$%sL>$KBP$9$k(B
$BH]Dj1~Ez$H$7$F%-%c%C%7%e$K5-O?$9$k$h$&;E8~$1$k$3$H$,$G$-$k2DG=@-$,$"$j$^$9!#(B
$B967b$5$l$?%M!<%`%5!<%P$O$=$N8e!"FCDj$N%I%a%$%sL>$KBP$9$k@55,$NLd$$9g$o$;$K(B
$BH]Dj1~Ez$rJV$9$?$a!"$3$l$O(B DNS $B$rMxMQ$9$k%"%W%j%1!<%7%g%s$KBP$9$k(B
$B%5!<%S%9K832$H$J$j$^$9!#%&%'%V!"EE;R%a!<%k!"%A%c%C%H$J$I!"$[$H$s$I$N(B
$B%$%s%?!<%M%C%H%"%W%j%1!<%7%g%s$O(B DNS $B$rI,MW$H$7$^$9!#(B


IV.  $B2sHrJ}K!(B - Workaround

No workaround is known.

$B2sHrJ}K!$O8+$D$+$C$F$$$^$;$s!#(B


V.   $B2r7h:v(B - Solution

Do one of the following:
$B<!$N$$$:$l$+$R$H$D$K=>$C$F$/$@$5$$!#(B

1) Upgrade your vulnerable system to 4.9-STABLE; or to the RELENG_5_1,
RELENG_4_9, RELENG_4_8, or RELENG_4_7 security branch dated after the
correction date.

1) $B<eE@$r;}$C$?(B FreeBSD $B%7%9%F%`$r:G?7$N(B 4.9-STABLE,
   $B$b$7$/$O=$@5F|0J9_$N(B RELENG_5_1, RELENG_4_9, RELENG_4_8, RELENG_4_7
   $B%;%-%e%j%F%#%V%i%s%A$N$$$:$l$+$K%"%C%W%0%l!<%I$9$k!#(B

2) To patch your present system:
2) $B8=:_$N%7%9%F%`$K=$@5%Q%C%A$rE,MQ$9$k!#(B

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
a) $B0J2<$N>l=j$+$i=$@5%Q%C%A$r%@%&%s%m!<%I$7!"(BPGP $B%f!<%F%#%j%F%#$r;H$C$F(B
   PGP $B=pL>$r3NG'$7$^$9!#(B

[FreeBSD 4.9 and -STABLE systems]
[FreeBSD 4.9 $B$*$h$S(B -STABLE $B%7%9%F%`MQ(B]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch.asc

[FreeBSD 4.8 and 5.1 systems]
[FreeBSD 4.8 $B$*$h$S(B 5.1 $B%7%9%F%`MQ(B]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch.asc

[FreeBSD 4.4, 4.5, 4.6, 4.7, and 5.0 systems]
[FreeBSD 4.4, 4.5, 4.6, 4.7, 5.0 $B%7%9%F%`MQ(B]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch.asc

b) Execute the following commands as root:
b) root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9!#(B

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbind
# make obj && make depend && make
# cd /usr/src/lib/libisc
# make obj && make depend && make
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make obj && make depend && make && make install

 ($BLuCm(B: /path/to/patch $B$NItJ,$O=$@5%Q%C%A$N%Q%9L>$KCV$-49$($F$/$@$5$$(B)

After upgrading or patching your system, you must restart named.
Execute the following command as root:

$B%7%9%F%`$K=$@5%Q%C%A$rE,MQ$7$?8e$O!"(Bnamed $B$r:F5/F0$9$kI,MW$,$"$j$^$9!#(B
root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$F$/$@$5$$!#(B

# ndc restart


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD $B$K$*$$$F:#2s=$@5$5$l$?3F%U%!%$%k$N%j%S%8%g%sHV9f$O!"0J2<$N$H$*$j$G$9!#(B


Branch                                                           Revision
$B%V%i%s%A(B                                                         $B%j%S%8%g%s(B
  Path
  $B%Q%9L>(B
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/bind/CHANGES                                   1.1.1.7.2.11
  src/contrib/bind/README                                     1.1.1.7.2.9
  src/contrib/bind/Version                                   1.1.1.3.2.10
  src/contrib/bind/bin/named-xfer/named-xfer.c                    1.3.2.8
  src/contrib/bind/bin/named/Makefile                             1.3.2.6
  src/contrib/bind/bin/named/ns_init.c                        1.1.1.2.2.6
  src/contrib/bind/bin/named/ns_resp.c                       1.1.1.2.2.11
  src/contrib/bind/bin/nslookup/commands.l                        1.4.2.5
  src/contrib/bind/bin/nslookup/debug.c                           1.3.2.6
  src/contrib/bind/bin/nslookup/getinfo.c                         1.3.2.9
  src/contrib/bind/bin/nslookup/main.c                            1.3.2.7
  src/contrib/bind/doc/man/dig.1                                  1.3.2.4
  src/contrib/bind/doc/man/host.1                                 1.3.2.5
  src/contrib/bind/doc/man/nslookup.8                             1.2.2.5
  src/contrib/bind/port/freebsd/include/port_after.h              1.6.2.9
  src/contrib/bind/port/freebsd/include/port_before.h         1.1.1.2.2.6
RELENG_5_1
  src/UPDATING                                                 1.251.2.13
  src/sys/conf/newvers.sh                                       1.50.2.13
  src/contrib/bind/Version                                   1.1.1.11.2.1
  src/contrib/bind/bin/named/ns_resp.c                       1.1.1.11.2.1
RELENG_5_0
  src/UPDATING                                                 1.229.2.25
  src/sys/conf/newvers.sh                                       1.48.2.20
  src/contrib/bind/Version                                   1.1.1.10.2.1
  src/contrib/bind/bin/named/ns_resp.c                       1.1.1.10.2.1
RELENG_4_9
  src/UPDATING                                              1.73.2.89.2.2
  src/sys/conf/newvers.sh                                   1.44.2.32.2.2
  src/contrib/bind/Version                                1.1.1.3.2.9.2.1
  src/contrib/bind/bin/named/ns_resp.c                   1.1.1.2.2.10.2.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.16
  src/sys/conf/newvers.sh                                  1.44.2.29.2.15
  src/contrib/bind/Version                                1.1.1.3.2.8.2.1
  src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.9.2.1
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.27
  src/sys/conf/newvers.sh                                  1.44.2.26.2.26
  src/contrib/bind/Version                                1.1.1.3.2.7.2.1
  src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.7.2.2
RELENG_4_6
  src/UPDATING                                             1.73.2.68.2.56
  src/sys/conf/newvers.sh                                  1.44.2.23.2.44
  src/contrib/bind/Version                                1.1.1.3.2.6.2.2
  src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.6.2.3
RELENG_4_5
  src/UPDATING                                             1.73.2.50.2.54
  src/sys/conf/newvers.sh                                  1.44.2.20.2.38
  src/contrib/bind/Version                                1.1.1.3.2.4.4.2
  src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.4.4.3
RELENG_4_4
  src/UPDATING                                             1.73.2.43.2.55
  src/sys/conf/newvers.sh                                  1.44.2.17.2.46
  src/contrib/bind/Version                                1.1.1.3.2.4.2.2
  src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.4.2.3
- -------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL:http://www.kb.cert.org/vuls/id/734644>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html ($B1QJ8(B)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/03:19,v 1.3 2003/11/28 23:27:56 hrs Exp $

----Next_Part(Sat_Nov_29_08:28:01_2003_053)----
