8221971 2002-03-29 12:29 -0800  /86 lines/ <security@caldera.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-01 02:01 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: announce@lists.caldera.com
External recipient: security-alerts@linuxsecurity.com
Recipient: Bugtraq (import) <21653>
Subject: Security Update: [CSSA-2002-013.0] Linux: Name Service Cache Daemon (nscd) advisory
------------------------------------------------------------
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com
Message-ID: <20020329122945.M25454@caldera.com>

______________________________________________________________________________
                Caldera International, Inc. Security Advisory

Subject:                Linux: Name Service Cache Daemon (nscd) advisory
Advisory number:        CSSA-2002-013.0
Issue date:             2002, March 26
Cross reference:
______________________________________________________________________________


1. Problem Description

   The Name Service Cache Daemon (nscd) has a default behavior that
   does not allow applications to validate DNS "PTR" records against
   "A" records.

   In particular, nscd caches a request for a "PTR" record, and when a
   request comes later for the "A" record, nscd simply divulges the
   information from the cached "PTR" record, instead of querying the
   authoritative DNS for the "A" record.


2. Vulnerable Supported Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Server 3.1         nscd
   OpenLinux Workstation 3.1    nscd
   OpenLinux Server 3.1.1       nscd
   OpenLinux Workstation 3.1.1  nscd


3. Solution

   Workaround

     Caldera recommends that this problem be worked around by
     disabling the hosts cache in the nscd configuration file:

       In /etc/nscd.conf, add the line

            enable-cache    hosts   no


4. References

   Specific references for this advisory:

        none

   Caldera OpenLinux security resources:

        http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:

        http://stage.caldera.com/support/security/


5. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera
   International products.


6. Acknowledgements

   Louis Imershein (louisi@caldera.com) discovered and researched this
   vulnerability.

______________________________________________________________________________
(8221971) / <security@caldera.com>/-----------------
Attachment (application/pgp-signature) in text 8221972
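
The behaviour described in section 1 and the effect of the section 3 workaround, as an added example that is not part of Caldera's advisory or of nscd's code. It is a simplified Python model: the addresses, the host name, the Resolver class and the "last enable-cache line applies" parsing rule are assumptions made for the illustration.

```python
# Added illustration: simplified model with constructed data, not nscd code.
# The PTR record for the client address names a host whose authoritative
# A record holds a different address.
PTR_ZONE = {"192.0.2.66": "trusted.example.com"}
A_ZONE = {"trusted.example.com": ["198.51.100.10"]}


def hosts_cache_setting(nscd_conf_text):
    """Return 'yes', 'no' or None for 'enable-cache hosts' in nscd.conf text.
    Assumption of this sketch: when the line is repeated, the last one applies."""
    setting = None
    for line in nscd_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[:2] == ["enable-cache", "hosts"]:
            setting = fields[2].lower()
    return setting


class Resolver:
    """Hypothetical stand-in for name lookups, optionally behind a hosts cache."""

    def __init__(self, hosts_cache):
        self.hosts_cache = hosts_cache
        self.cache = {}  # hostname -> addresses remembered from PTR answers

    def reverse(self, ip):
        name = PTR_ZONE.get(ip)
        if name and self.hosts_cache:
            self.cache.setdefault(name, []).append(ip)
        return name

    def forward(self, name):
        if self.hosts_cache and name in self.cache:
            # Behaviour described in the advisory: the A request is answered
            # from the cached PTR data instead of the authoritative zone.
            return list(self.cache[name])
        return list(A_ZONE.get(name, []))


def ptr_matches_a(resolver, client_ip):
    """PTR-against-A validation: the name from the PTR lookup is accepted
    only if its A records contain the address the lookup started from."""
    name = resolver.reverse(client_ip)
    return name is not None and client_ip in resolver.forward(name)


def validation_result(nscd_conf_text, client_ip="192.0.2.66"):
    cache_on = hosts_cache_setting(nscd_conf_text) == "yes"
    return ptr_matches_a(Resolver(cache_on), client_ip)
```

With the hosts cache on, the mismatched PTR record passes the check because the forward answer is only an echo of the reverse answer; with "enable-cache hosts no" the forward lookup reaches the authoritative data and the mismatch is detected.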