[Bug 324249] [NEW] [CVE-2009-0265] BIND 9 not properly checking the return value from OpenSSL EVP_VerifyFinal()
Alexander Konovalenko
alexkon at gmail.com
Mon Feb 2 10:47:55 GMT 2009
*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: bind9
CVE-2009-0265 description:
"Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not
properly check the return value from the OpenSSL EVP_VerifyFinal
function, which allows remote attackers to bypass validation of the
certificate chain via a malformed SSL/TLS signature, a similar
vulnerability to CVE-2008-5077 and CVE-2009-0025."
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0265
CVE-2009-0025 has been fixed in USN-706-1. But this is a different
vulnerability according to the above description and it looks like it
hasn't been fixed yet.
** Affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0265
--
[CVE-2009-0265] BIND 9 not properly checking the return value from OpenSSL EVP_VerifyFinal()
https://bugs.launchpad.net/bugs/324249
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in ubuntu.
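An added illustration of the bug class named in the report (not code from the report, from BIND or from OpenSSL): OpenSSL's EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and a negative value on error, so a caller that rejects only negative results silently accepts 0. The `stub_verify_final` function below is a constructed stand-in that reproduces those three outcomes from a one-byte marker in the signature buffer.

```c
#include <stdio.h>

/* Return-value convention of OpenSSL's EVP_VerifyFinal():
 *   1   signature verified
 *   0   signature did NOT verify
 *  <0   error (malformed input, decode failure, ...)
 * stub_verify_final() is a constructed stand-in, not OpenSSL. */
enum { VERIFY_OK = 1, VERIFY_BAD = 0, VERIFY_ERR = -1 };

/* Constructed: the first byte of the "signature" selects the outcome
 * so each of the three return values can be exercised offline. */
static int stub_verify_final(const unsigned char *sig, size_t siglen)
{
    if (siglen == 0)
        return VERIFY_ERR;            /* nothing to decode */
    switch (sig[0]) {
    case 'G': return VERIFY_OK;       /* good signature */
    case 'B': return VERIFY_BAD;      /* well-formed but wrong */
    default:  return VERIFY_ERR;      /* malformed */
    }
}

/* The flawed check: only negative results are treated as failure,
 * so status == 0 (signature did not verify) is accepted as valid. */
int verify_vulnerable(const unsigned char *sig, size_t siglen)
{
    int status = stub_verify_final(sig, siglen);
    if (status < 0)
        return 0;                     /* rejected */
    return 1;                         /* accepted, wrongly when status == 0 */
}

/* The corrected check: accept only an explicit 1; 0 and <0 both fail. */
int verify_fixed(const unsigned char *sig, size_t siglen)
{
    int status = stub_verify_final(sig, siglen);
    return status == 1;
}

int main(void)
{
    const unsigned char *cases[] = { (const unsigned char *)"G",
                                     (const unsigned char *)"B",
                                     (const unsigned char *)"X" };
    for (int i = 0; i < 3; i++)
        printf("sig '%c': vulnerable=%d fixed=%d\n", cases[i][0],
               verify_vulnerable(cases[i], 1), verify_fixed(cases[i], 1));
    return 0;
}
```

The second row of the output is the bug: a signature that fails verification (status 0) is accepted by the vulnerable check and rejected by the fixed one.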