Hello community, here is the log from the commit of package bind checked in at Fri Nov 10 16:13:05 CET 2006. --------
--- bind/bind.changes 2006-10-17 20:39:53.000000000 +0200
+++ /mounts/work_src_done/STABLE/bind/bind.changes 2006-11-10 16:08:07.000000000 +0100
@@ -1,0 +2,8 @@
+Fri Nov 10 12:07:56 CET 2006 - ug@suse.de
+
+- security fix (#218303)
+ workarounds OpenSSL's recently
+ discovered RSA signature verification issue (CVE-2006-4339) by using
+ the exponent 65537 (0x10001) instead of the widely used 3.
+
+-------------------------------------------------------------------
New: ---- bind-rsa.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.h3htlp/_old 2006-11-10 16:12:21.000000000 +0100
+++ /var/tmp/diff_new_pack.h3htlp/_new 2006-11-10 16:12:21.000000000 +0100
@@ -14,9 +14,9 @@
 BuildRequires: openldap2 openldap2-devel
 Summary: Domain Name System (DNS) Server (named)
 Version: 9.3.2
-Release: 33
+Release: 42
 %define SDB_LDAP_VERSION 1.0-beta
-License: Other License(s), see package
+License: GNU General Public License (GPL) - all versions, Other License(s), see package
 Group: Productivity/Networking/DNS/Servers
 Provides: dns_daemon bind8 bind9
 Obsoletes: bind8 bind9
@@ -39,6 +39,7 @@
 Patch52: named-bootconf.diff
 Patch53: nsupdate.8.diff
 Patch54: VU697164_VU915404.diff
+Patch55: bind-rsa.patch
 %if %ul_version >= 1
 %define VENDOR UL
 %else
@@ -190,6 +191,7 @@
 %patch52
 %patch53
 %patch54
+%patch55
 # modify settings of some files regarding to OS version and vendor
 function replaceStrings() {
@@ -650,6 +652,11 @@
 %doc %{_mandir}/man5/idnrc.5.gz
 %changelog -n bind
+* Fri Nov 10 2006 - ug@suse.de
+- security fix (#218303)
+ workarounds OpenSSL's recently
+ discovered RSA signature verification issue (CVE-2006-4339) by using
+ the exponent 65537 (0x10001) instead of the widely used 3.
 * Tue Oct 17 2006 - poeml@suse.de
 - there is no SuSEconfig.syslog script anymore, thus remove the YaST hint from the sysconfig template
++++++ bind-rsa.patch ++++++ Security Fixes (BIND 9.3.2-P2): Change the default RSA exponent from 3 to 65537 which is not vulnerable to the attacks described in CVE-2006-4339.
Index: lib/dns/opensslrsa_link.c
--- lib/dns/opensslrsa_link.c.orig 2004-12-09 05:07:18 +0100
+++ lib/dns/opensslrsa_link.c 2006-11-04 09:58:32 +0100
@@ -39,6 +39,9 @@
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+#include <openssl/bn.h>
+#endif
 /*
 * XXXMPA Temporarially disable RSA_BLINDING as it requires
@@ -260,13 +263,47 @@
 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+ BN_GENCB cb;
+ RSA *rsa = RSA_new();
+ BIGNUM *e = BN_new();
+
+ if (rsa == NULL || e == NULL)
+ goto err;
+
+ if (exp == 0) {
+ /* RSA_F4 0x10001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 16);
+ } else {
+ /* F5 0x100000001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 32);
+ }
+
+ BN_GENCB_set_old(&cb, NULL, NULL);
+
+ if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
+ BN_free(e);
+ SET_FLAGS(rsa);
+ key->opaque = rsa;
+ return (ISC_R_SUCCESS);
+ }
+
+ err:
+ if (e != NULL)
+ BN_free(e);
+ if (rsa != NULL)
+ RSA_free(rsa);
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
 RSA *rsa;
 unsigned long e;
 if (exp == 0)
- e = RSA_3;
- else
 e = RSA_F4;
+ else
+ e = 0x40000003;
 rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
 if (rsa == NULL)
 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
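Review bot: The four `BN_set_bit()` calls in the new `OPENSSL_VERSION_NUMBER > 0x00908000L` branch of opensslrsa_generate() ignore their return value; `BN_set_bit()` returns 0 when it cannot grow the BIGNUM, and in that case the code would go on to `RSA_generate_key_ex()` with an incomplete exponent instead of taking the `err:` cleanup path that the `rsa == NULL || e == NULL` guard already uses. Checking them keeps the two failure modes consistent: `if (!BN_set_bit(e, 0) || !BN_set_bit(e, 16)) goto err;` in the `exp == 0` branch and `if (!BN_set_bit(e, 0) || !BN_set_bit(e, 32)) goto err;` in the `else` branch. The two build paths also disagree for `exp != 0`: the BIGNUM path uses F5 (0x100000001) while the `#else` fallback sets `e = 0x40000003`, presumably because `RSA_generate_key()` takes an `unsigned long` that cannot hold 2^32+1 on 32-bit targets; a comment such as `/* 2^32+1 does not fit an unsigned long on 32-bit hosts; use 2^30+3 */` next to that assignment would stop the next reader from mistaking it for a typo. This hunk only changes the exponent of keys generated from now on, so keys already generated with e = 3 keep that exponent until they are regenerated. The function's tail (`SET_FLAGS`, `key->opaque`, `#endif`) is in the following hunk.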
@@ -274,6 +311,7 @@
 key->opaque = rsa;
 return (ISC_R_SUCCESS);
+#endif
 }
 static isc_boolean_t
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org