SuSE Update for bind SUSE-SA:2008:033

Impact
DNS cache poisoning
Solution
Please Install the Updated Packages.
Insight
The bind daemon is responsible for resolving hostnames in IP addresses and vice versa. The new version of bind uses a random transaction-ID (TRXID) and a random UDP source-port for DNS queries to address DNS cache poisoning attacks possible because of the &quot birthday paradox&quot and an attack discovered by Dan Kaminsky. Unfortunately we do not have details about Kaminsky's attack and have to trust the statement that a random UDP source-port is sufficient to stop it. DNS servers that do not support recursive queries or do not use a cache (authoritative only servers) are not vulnerable too. Update packages of bind9 for SLES8 will be available soon. The glibc stub resolver is known to be vulnerable too and we will publish updates as soon as possible. Note, a local attacker can always sniff DNS queries and generate spoofed responses easily. If you use the UDP source-port number of the DNS server in your firewall configuration, for example to let DNS queries through your packetfilter, then you have to take steps to adapt your filter rules to the new behavior of the DNS server.
Affected
bind on openSUSE 10.2, openSUSE 10.3, openSUSE 11.0, SUSE SLES 9, Novell Linux Desktop 9, Open Enterprise Server, Novell Linux POS 9, SUSE Linux Enterprise Desktop 10 SP1, SLE SDK 10 SP1, SLE SDK 10 SP2, SUSE Linux Enterprise Server 10 SP1, SUSE Linux Enterprise Desktop 10 SP2, SUSE Linux Enterprise Server 10 SP2
References