Summary
The remote host is missing an update as announced
via advisory SSA:2006-310-01.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-310-01
Insight
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues. The minimum OpenSSL version was raised to OpenSSL 0.9.7l and OpenSSL 0.9.8d to avoid exposure to known security flaws in older versions (these patches were already issued for Slackware). If you have not upgraded yet, get those as well to prevent a potentially exploitable security problem in named.
In addition, the default RSA exponent was changed from 3 to 65537.
Both of these issues are essentially the same as ones discovered in OpenSSL at the end of September 2006, only now there's protection against compiling using the wrong OpenSSL version. RSA keys using exponent 3 (which was previously BIND's default) will need to be regenerated to protect against the forging of RRSIGs.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
Severity
Classification
-
CVE CVE-2006-4339 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Related Vulnerabilities