In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as
CVE-2008-1447).
The fix, while correct, was incompatible with the version of SELinux Reference
Policy shipped with Debian Etch, which did not permit a process running in the
named_t domain to bind sockets to UDP ports other than the standard ‘domain’
port (53), so the randomised query source ports the update relies on are denied
when the policy is enforced.
The incompatibility affects both the ‘targeted’ and ‘strict’ policy packages
supplied by this version of refpolicy.
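The symptom an administrator sees on an affected Etch system is a stream of AVC denials for named_t on udp_socket name_bind. The script below is an added example, not part of the advisory or of Debian's refpolicy packages: it filters such denials out of audit-log lines and emits the type-enforcement rule that audit2allow would derive from them. The sample log lines are constructed (pids, ports and timestamps are made up), and the labels are assumptions: refpolicy labels port 53 dns_port_t, while the high ports named now binds are assumed to carry the generic port_t label.

```shell
#!/bin/sh
# Constructed sample of what /var/log/audit/audit.log (or dmesg, via auditd
# absent) shows after DSA-1603-1 on a refpolicy that lacks the DSA-1617 fix.
# Two lines are the named_t/udp_socket denials this advisory is about; the
# other two are unrelated denials that the filters must leave out.
SAMPLE_AVC='type=AVC msg=audit(1216300000.123:45): avc:  denied  { name_bind } for  pid=2134 comm="named" src=41234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1216300000.456:46): avc:  denied  { name_bind } for  pid=2134 comm="named" src=55321 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1216300000.789:47): avc:  denied  { read } for  pid=2134 comm="named" name="resolv.conf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1216300001.012:48): avc:  denied  { name_bind } for  pid=1001 comm="cupsd" src=631 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=tcp_socket'

# Keep only the denials that match this advisory: source domain named_t,
# object class udp_socket, permission name_bind. Reads audit lines on stdin.
named_udp_bind_denials_raw() {
    grep -F ':named_t:' | grep -F 'tclass=udp_socket' | grep -F '{ name_bind }'
}

# Print the UDP source ports named was refused, one per line, so the
# operator can confirm they are the randomised high ports and not port 53.
named_udp_bind_denials() {
    named_udp_bind_denials_raw | sed -n 's/.*src=\([0-9]*\).*/\1/p'
}

# Turn the matching denials into the single TE rule a local policy module
# would need (the rule audit2allow -M would print for these lines).
# Captures: \1 = source type, \2 = target type, \3 = object class.
suggest_allow_rule() {
    named_udp_bind_denials_raw |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \1 \2:\3 name_bind;/p' |
    sort -u
}

# Usage on a live system: replace the sample with the real log, e.g.
#   named_udp_bind_denials < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | named_udp_bind_denials
printf '%s\n' "$SAMPLE_AVC" | suggest_allow_rule
```

The raw allow rule is what the log justifies and nothing more; in a refpolicy-based setup one would normally express the same grant through the corenetwork interfaces in a local module rather than hand-written allow lines, and should prefer the updated refpolicy packages from the advisory over either.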
Read the full story: DSA-1617 refpolicy – incompatible policy: http://www.debian.org/security/2008/dsa-1617