CVE-2012-1033

Publication date 8 February 2012

Last updated 24 July 2024

Ubuntu priority

Low

Why this priority?

The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.

Read the notes from the security team

Status

Package Ubuntu Release Status
bind9 12.04 LTS precise
Fixed 1:9.8.1.dfsg.P1-4ubuntu0.1
11.10 oneiric
Fixed 1:9.7.3.dfsg-1ubuntu4.2
11.04 natty
Fixed 1:9.7.3.dfsg-1ubuntu2.4
10.10 maverick Ignored end of life
10.04 LTS lucid
Fixed 1:9.7.0.dfsg.P1-1ubuntu0.5
8.04 LTS hardy
Fixed 1:9.4.2.dfsg.P2-2ubuntu0.10

Notes

mdeslaur

upstream advisory says they won't be releasing a fix for this dns-sec is the workaround. upstream apparently included the fix anyway: 3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884]

References

Related Ubuntu Security Notices (USN)

Other references