Rapid7 Vulnerability & Exploit Database

RHSA-2010:0976: bind security update

Back to Search

RHSA-2010:0976: bind security update



The Berkeley Internet Name Domain (BIND) is an implementation of the DomainName System (DNS) protocols. BIND includes a DNS server (named); a resolverlibrary (routines for applications to use when interfacing with DNS); andtools for verifying that the DNS server is operating correctly.It was discovered that named did not invalidate previously cached RRSIGrecords when adding an NCACHE record for the same entry to the cache. Aremote attacker allowed to send recursive DNS queries to named could usethis flaw to crash named. (CVE-2010-3613)A flaw was found in the DNSSEC validation code in named. If named hadmultiple trust anchors configured for a zone, a response to a request for arecord in that zone with a bad signature could cause named to crash.(CVE-2010-3762)It was discovered that, in certain cases, named did not properly performDNSSEC validation of an NS RRset for zones in the middle of a DNSKEYalgorithm rollover. This flaw could cause the validator to incorrectlydetermine that the zone is insecure and not protected by DNSSEC.(CVE-2010-3614)All BIND users are advised to upgrade to these updated packages, whichcontain backported patches to resolve these issues. After installing theupdate, the BIND daemon (named) will be restarted automatically.


  • redhat-upgrade-bind
  • redhat-upgrade-bind-chroot
  • redhat-upgrade-bind-devel
  • redhat-upgrade-bind-libbind-devel
  • redhat-upgrade-bind-libs
  • redhat-upgrade-bind-sdb
  • redhat-upgrade-bind-utils
  • redhat-upgrade-caching-nameserver

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center