----- BalaBit Security Advisory (BBSA) -----

PACKAGE           : bind9
AFFECTED VERSION  : <= 1:9.2.4-1.zorpos7
FIXED             : 1:9.2.4-1.zorpos8
SUMMARY           : cache poisoning regression
TYPE              : remote
AFFECTED          : ZorpOS 3.1
ZORP-OS SPECIFIC  : NO
BBSA-AUTHOR       : Tamás Pál
BBSA-ID           : BBSA-2008-034
BBSA-ADDRESS      : advisory@balabit.hu
GNUPG FINGERPRINT : 933E 6763 D32D A01C 1A75 F228 9CB1 81C7 D91E 8915
CVE               : CVE-2008-1447
DATE              : Jul 25, 2008

-----------------------------------------------------------------------------

BACKGROUND:

The backported patch for CVE-2008-1447 in the bind9 DNS server package was
incomplete, and the named server failed to randomize DNS transaction IDs and
source ports. This update fixes the problem. We apologize for the
inconvenience.

SOLUTION:

We recommend that you update the affected packages immediately.

Upgrading using apt:
~~~~~~~~~~~~~~~~~~~~

Add the following line to /etc/apt/sources.list (if it doesn't contain this
line already). The entry must be on a single line.

ZorpOS version 3.1:

  deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os zorp-os-3.1/3.1security zorp-os zorp-os-extra

then issue the following commands as root:

  apt-get update
  apt-get -u upgrade

The latest upgrades will be downloaded and installed.

REFERENCES:

http://www.debian.org/security/2008/dsa-1603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
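
POST-UPGRADE CHECK (added example, not part of the original advisory or the
vendor's tooling):

Because the earlier package left transaction IDs and source ports
unrandomized, it is worth confirming the behaviour of named after upgrading.
The sketch below assumes outbound queries were captured as `tcpdump -n` text
lines; the thresholds, function names and sample lines are illustrative
assumptions.

```python
import re
from statistics import pstdev

# tcpdump -n text line for a query sent to port 53 (IPv4 only), e.g.
# "IP 192.0.2.10.53211 > 198.51.100.53.53: 48213 A? example.com. (29)"
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)[+%]* ")

def parse_queries(lines):
    """Return (source_port, transaction_id) for every outbound query line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(QUERY_RE.search, lines) if m]

def assess(values, min_distinct=0.9, min_stdev=3000):
    """Classify a 16-bit field; thresholds are illustrative assumptions."""
    if len(values) < 10:
        return "INSUFFICIENT"
    if len(set(values)) == 1:
        return "FIXED"
    if len({(b - a) % 65536 for a, b in zip(values, values[1:])}) == 1:
        return "SEQUENTIAL"
    if len(set(values)) / len(values) < min_distinct or pstdev(values) < min_stdev:
        return "NARROW"
    return "OK"

def check_resolver(lines):
    """Assess source ports and transaction IDs seen in the capture lines."""
    pairs = parse_queries(lines)
    return {"queries": len(pairs),
            "ports": assess([p for p, _ in pairs]),
            "txids": assess([t for _, t in pairs])}

def make_lines(ports, txids):
    """Build constructed capture lines (documentation addresses only)."""
    return [f"12:00:{i:02d}.000001 IP 192.0.2.10.{p} > 198.51.100.53.53: "
            f"{t} A? host{i}.example.com. (35)"
            for i, (p, t) in enumerate(zip(ports, txids))]

# Constructed sample of non-randomized fields (not a capture from the package).
REGRESSED = make_lines([32768] * 12, range(4100, 4112))
# Constructed sample: both fields spread across the 16-bit range.
RANDOMIZED = make_lines(
    [1501, 60233, 33871, 12044, 47610, 25998, 8123, 55340, 19876, 41207, 3066, 63012],
    [48213, 907, 31544, 62001, 15230, 27789, 53410, 4096, 39955, 11023, 58876, 22467])

if __name__ == "__main__":
    print("regressed :", check_resolver(REGRESSED))
    print("randomized:", check_resolver(RANDOMIZED))
```

A result other than OK for either field on a real capture of a few hundred
queries means the resolver should be re-checked against the fixed version
listed above.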