
Test ID:
Category: Debian Local Security Checks
Title: Debian Security Advisory DSA 1617-1 (refpolicy)
The remote host is missing an update to refpolicy
announced via advisory DSA 1617-1.

In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as CVE-2008-1447). The fix,
while correct, was incompatible with the version of SELinux Reference
Policy shipped with Debian Etch, which did not permit a process
running in the named_t domain to bind sockets to UDP ports other than
the standard 'domain' port (53). The incompatibility affects both
the 'targeted' and 'strict' policy packages supplied by this version
of refpolicy.

This update to the refpolicy packages grants the ability to bind to
arbitrary UDP ports to named_t processes. When installed, the
updated packages will attempt to update the bind policy module on
systems where it had been previously loaded and where the previous
version of refpolicy was 0.0.20061018-5 or below.

Because the Debian refpolicy packages are not yet designed with
policy module upgradeability in mind, and because SELinux-enabled
Debian systems often have some degree of site-specific policy
customization, it is difficult to assure that the new bind policy can
be successfully upgraded. To this end, the package upgrade will not
abort if the bind policy update fails. The new policy module can be
found at /usr/share/selinux/refpolicy-targeted/bind.pp after
installation. Administrators wishing to use the bind service policy
can reconcile any policy incompatibilities and install the upgrade
manually thereafter. A more detailed discussion of the corrective
procedure may be found here:

For the stable distribution (etch), this problem has been fixed in
version 0.0.20061018-5.1+etch1. The unstable distribution (sid) is
not affected, as subsequent refpolicy releases have incorporated an
analogous change.

We recommend that you upgrade your refpolicy packages.


CVSS Score:

CVSS Vector:

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-1447
BugTraq ID: 30131
Bugtraq: 20080808 New paper: An Illustrated Guide to the Kaminsky DNS Vulnerability
Bugtraq: 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues.
Cert/CC Advisory: TA08-190A
Cert/CC Advisory: TA08-190B
Cert/CC Advisory: TA08-260A
CERT/CC vulnerability note: VU#800113
Cisco Security Advisory: 20080708 Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Debian Security Information: DSA-1603
Debian Security Information: DSA-1604
Debian Security Information: DSA-1605
Debian Security Information: DSA-1619
Debian Security Information: DSA-1623
FreeBSD Security Advisory: FreeBSD-SA-08:06
HPdes Security Advisory: HPSBMP02404
HPdes Security Advisory: HPSBNS02405
HPdes Security Advisory: HPSBOV02357
HPdes Security Advisory: HPSBOV03226
HPdes Security Advisory: HPSBTU02358
HPdes Security Advisory: HPSBUX02351
HPdes Security Advisory: SSRT071449
HPdes Security Advisory: SSRT080058
HPdes Security Advisory: SSRT090014
HPdes Security Advisory: SSRT101004
Microsoft Security Bulletin: MS08-037
NETBSD Security Advisory: NetBSD-SA2008-009
OpenBSD Security Advisory: [4.2] 013: SECURITY FIX: July 23, 2008
OpenBSD Security Advisory: [4.3] 004: SECURITY FIX: July 23, 2008
RedHat Security Advisories: RHSA-2008:0533
SuSE Security Announcement: SUSE-SA:2008:033
SuSE Security Announcement: SUSE-SR:2008:017
XForce ISS Database: cisco-multiple-dns-cache-poisoning(43637)
XForce ISS Database: win-dns-client-server-spoofing(43334)
Copyright: Copyright (c) 2008 E-Soft Inc.


© 1998-2023 E-Soft Inc. All rights reserved.