[Bug 324249] [NEW] [CVE-2009-0265] BIND 9 not properly checking the return value from OpenSSL EVP_VerifyFinal()

Alexander Konovalenko alexkon at gmail.com
Mon Feb 2 10:47:55 GMT 2009


*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: bind9

CVE-2009-0265 description:

"Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not
properly check the return value from the OpenSSL EVP_VerifyFinal
function, which allows remote attackers to bypass validation of the
certificate chain via a malformed SSL/TLS signature, a similar
vulnerability to CVE-2008-5077 and CVE-2009-0025."

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0265

CVE-2009-0025 has been fixed in USN-706-1. But this is a different
vulnerability according to the above description and it looks like it
hasn't been fixed yet.

** Affects: bind9 (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0265

-- 
[CVE-2009-0265] BIND 9 not properly checking the return value from OpenSSL EVP_VerifyFinal()
https://bugs.launchpad.net/bugs/324249
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in ubuntu.
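The bug class behind this report is a three-valued return code read as a boolean: OpenSSL's EVP_VerifyFinal() returns 1 for a correct signature, 0 for a signature that does not verify, and a negative value (-1) for some other error, so code that only rejects the 0 case accepts the error case. The following C program is an added example, not code from the bug report, from BIND or from OpenSSL. It replaces the real verifier with a constructed toy keyed checksum (toy_sign / toy_verify_final, hypothetical names) that mirrors only that return contract, and places the vulnerable check beside the fixed one; the sample record and key are made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy "signature": a 32-bit keyed checksum, constructed for this example.
 * It is not a real signature scheme; it exists only to model the
 * EVP_VerifyFinal() return contract:
 *    1  signature verifies
 *    0  signature does not verify
 *   <0  error (e.g. malformed input), which is NOT a verdict of "valid"  */
#define TOY_SIG_LEN 4

static uint32_t toy_tag(const uint8_t *msg, size_t len, uint32_t key) {
    uint32_t h = key ^ 0x9e3779b9u;
    for (size_t i = 0; i < len; i++)
        h = (h ^ msg[i]) * 16777619u;          /* FNV-style mixing, toy only */
    return h;
}

/* Produce the 4-byte toy signature for msg under key. */
void toy_sign(const uint8_t *msg, size_t len, uint32_t key, uint8_t out[TOY_SIG_LEN]) {
    uint32_t t = toy_tag(msg, len, key);
    out[0] = (uint8_t)(t >> 24); out[1] = (uint8_t)(t >> 16);
    out[2] = (uint8_t)(t >> 8);  out[3] = (uint8_t)t;
}

/* Stand-in for EVP_VerifyFinal(): same three-valued result (assumption). */
int toy_verify_final(const uint8_t *msg, size_t len,
                     const uint8_t *sig, size_t siglen, uint32_t key) {
    if (sig == NULL || siglen != TOY_SIG_LEN)
        return -1;                             /* malformed signature: an error */
    uint8_t expect[TOY_SIG_LEN];
    toy_sign(msg, len, key, expect);
    return memcmp(expect, sig, TOY_SIG_LEN) == 0 ? 1 : 0;
}

/* The CVE-2009-0265 pattern: only "0 = did not verify" is rejected, so a
 * negative error return falls through and the signature is accepted. */
int verify_vulnerable(const uint8_t *msg, size_t len,
                      const uint8_t *sig, size_t siglen, uint32_t key) {
    int status = toy_verify_final(msg, len, sig, siglen, key);
    if (status == 0)
        return 0;                              /* rejected */
    return 1;                                  /* accepted, including status == -1 */
}

/* Fixed pattern: accept only the exact success value. */
int verify_fixed(const uint8_t *msg, size_t len,
                 const uint8_t *sig, size_t siglen, uint32_t key) {
    int status = toy_verify_final(msg, len, sig, siglen, key);
    return status == 1;
}

/* Constructed sample input: a made-up record and key. */
static const uint8_t sample_msg[] = "example.  IN A 192.0.2.1";
static const size_t  sample_len   = sizeof sample_msg - 1;
static const uint32_t sample_key  = 0x1234u;

/* Scenario helpers: each returns 1 if the chosen checker accepts the signature. */
int check_good_sig(int use_fixed) {
    uint8_t sig[TOY_SIG_LEN];
    toy_sign(sample_msg, sample_len, sample_key, sig);
    return use_fixed ? verify_fixed(sample_msg, sample_len, sig, TOY_SIG_LEN, sample_key)
                     : verify_vulnerable(sample_msg, sample_len, sig, TOY_SIG_LEN, sample_key);
}

int check_tampered_sig(int use_fixed) {
    uint8_t sig[TOY_SIG_LEN];
    toy_sign(sample_msg, sample_len, sample_key, sig);
    sig[0] ^= 0x01;                            /* well-formed but wrong: verdict 0 */
    return use_fixed ? verify_fixed(sample_msg, sample_len, sig, TOY_SIG_LEN, sample_key)
                     : verify_vulnerable(sample_msg, sample_len, sig, TOY_SIG_LEN, sample_key);
}

int check_malformed_sig(int use_fixed) {
    uint8_t bogus[2] = { 0xff, 0xff };         /* wrong length: verifier returns -1 */
    return use_fixed ? verify_fixed(sample_msg, sample_len, bogus, sizeof bogus, sample_key)
                     : verify_vulnerable(sample_msg, sample_len, bogus, sizeof bogus, sample_key);
}

int main(void) {
    printf("good signature:      vulnerable=%d fixed=%d\n", check_good_sig(0), check_good_sig(1));
    printf("tampered signature:  vulnerable=%d fixed=%d\n", check_tampered_sig(0), check_tampered_sig(1));
    printf("malformed signature: vulnerable=%d fixed=%d\n", check_malformed_sig(0), check_malformed_sig(1));
    return 0;
}
```

The malformed case is the one that matters: the vulnerable checker reports it as accepted because -1 is not 0, while the fixed checker rejects everything except the explicit success value. When auditing code against real OpenSSL, look for the same thing: any `if (EVP_VerifyFinal(...))` / `!= 0` / `== 0` test, or a wrapper that maps the result to a boolean, instead of `== 1`.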