Internet Systems Consortium Security Advisory.
BIND 8: cryptographically weak DNS query IDs
27 August 2007
The CERT reference for this vulnerability and advisory is: CVE-2007-2930, VU#927905
Versions affected:
BIND 8.x.x (all versions)
I. Description
ISC (Internet Systems Consortium) BIND 8 generates cryptographically
weak DNS query IDs which could allow a remote attacker to poison DNS
caches.
This bug only affects outgoing queries, generated by BIND 8 to answer
questions as a resolver, or when it is looking up data for internal
uses, such as when sending NOTIFYs to slave name servers.
From the ISC Bind security page:
"The DNS query id generation is vulnerable to analysis which provides a
high chance of guessing the next query id. This can be used to perform
cache poisoning by an attacker."
All users are encouraged to upgrade.
II. Impact
A remote attacker could predict DNS query IDs and respond with arbitrary
answers, thus poisoning DNS caches.
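The advisory states that BIND 8's query IDs can be predicted by analysis, which is what makes the forged answers possible. The script below is an added, defender-side audit example; it is not ISC code and does not model BIND 8's actual generator. It runs cheap statistical checks over a sample of 16-bit query IDs (in practice, captured from your own resolver's outbound port-53 traffic) and flags counter-like or low-entropy behaviour. The two weak generators, the sample size and the thresholds are constructed assumptions for illustration.

```python
"""Audit the unpredictability of a sample of DNS query (transaction) IDs.

Added example, not ISC code. The weak generators below are constructed
stand-ins for 'predictable' behaviour and do not reproduce BIND 8's code.
"""
import secrets
from collections import Counter

ID_SPACE = 1 << 16  # DNS transaction IDs are 16-bit


def serial_correlation(ids):
    """Pearson correlation between each ID and its successor.
    Near 0 for unpredictable IDs, near +1 for a simple counter."""
    n = len(ids) - 1
    if n < 2:
        return 0.0
    xs, ys = ids[:-1], ids[1:]
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 1.0  # degenerate (constant) sequence: fully predictable
    return cov / (vx * vy) ** 0.5


def repeated_delta_fraction(ids):
    """Fraction of consecutive differences (mod 2^16) equal to the single
    most common difference. ~1.0 for a counter, tiny for random IDs."""
    deltas = [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]
    if not deltas:
        return 0.0
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


def distinct_fraction(ids):
    """Share of the sample that is unique; collapses when the effective
    ID space is much smaller than 2^16."""
    return len(set(ids)) / len(ids)


def audit_query_ids(ids, max_delta_frac=0.1, max_corr=0.3, min_distinct=0.8):
    """Return (is_weak, findings). Thresholds are assumptions tuned for a
    sample of a few thousand IDs; adjust them for other sample sizes."""
    findings = []
    d = repeated_delta_fraction(ids)
    if d > max_delta_frac:
        findings.append(f"{d:.0%} of consecutive IDs differ by the same amount (counter-like)")
    c = serial_correlation(ids)
    if abs(c) > max_corr:
        findings.append(f"serial correlation {c:.2f} between successive IDs")
    u = distinct_fraction(ids)
    if u < min_distinct:
        findings.append(f"only {u:.0%} of IDs are distinct (small effective ID space)")
    return (bool(findings), findings)


# --- constructed sample generators (assumptions, not any real resolver) ---

def counter_ids(n, start=0x1234):
    """Weak: IDs increment by one per query."""
    return [(start + i) % ID_SPACE for i in range(n)]


def low_entropy_ids(n):
    """Weak: only the low 8 bits vary, the high byte is fixed."""
    return [0x4A00 | secrets.randbelow(256) for _ in range(n)]


def strong_ids(n):
    """Expected good behaviour: IDs drawn from a CSPRNG over the full space."""
    return [secrets.randbelow(ID_SPACE) for _ in range(n)]


if __name__ == "__main__":
    for name, gen in (("counter", counter_ids), ("low-entropy", low_entropy_ids),
                      ("csprng", strong_ids)):
        weak, findings = audit_query_ids(gen(2000))
        print(f"{name:12s} weak={weak} {'; '.join(findings) or 'no findings'}")
```

A real audit feeds `audit_query_ids` the ID field of captured outbound queries; a resolver whose sample trips any of these checks warrants the upgrade this advisory recommends, though passing them is only a sanity check, not proof of unpredictability.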
III. Solution
Upgrade or Patch
This issue is addressed in ISC BIND 8.4.7-P1, available as a patch that
can be applied to BIND 8.4.7.
The more definitive solution is to upgrade to BIND 9. BIND 8 is being
declared "end of life" by ISC due to multiple architectural issues.
Please see ISC's website at www.isc.org/sw/bind/bind8-eol.php for
additional information and tools.
Note that BIND 8.x.x is End of Life as of August 2007.
Users who obtain BIND 8 from their operating system vendor should see
the systems affected portion of this document for a partial list of
affected vendors.
Acknowledgments
Thanks to Amit Klein from Trusteer (www.trusteer.com) for
reporting this.
__________________
GNU PSPP 0.4.0.1 is now available at ftp.gnu.org:
ftp://ftp.gnu.org/pub/gnu/pspp/pspp-0.4.0.1.tar.gz
PSPP is a program for statistical analysis of sampled data. It
interprets commands in the SPSS language and produces tabular output
in ASCII, PostScript, or HTML format.
Compared to PSPP 0.4.0, only one change has been made in PSPP
0.4.0.1: the license has been upgraded from GPLv2 (or later) to
GPLv3 (or later). For substantial improvements over PSPP 0.4.0,
stay tuned for PSPP 0.6.0, which should be released within the
next few months, or try PSPP from CVS for a preview.
--
Ben Pfaff
blp@gnu.org
_______________________________________________
GNU Announcement mailing list <info-gnu@gnu.org>
http://lists.gnu.org/mailman/listinfo/info-gnu
GNU libavl 2.0.3 is now available from ftp.gnu.org. The source
distribution may be retrieved as:
ftp://ftp.gnu.org/pub/gnu/avl/avl-2.0.3.tar.gz
Pre-formatted copies of the libavl book in various formats are
also available:
ftp://ftp.gnu.org/pub/gnu/avl/avl-2.0.3.html.tar.gz
ftp://ftp.gnu.org/pub/gnu/avl/avl-2.0.3.pdf.gz
ftp://ftp.gnu.org/pub/gnu/avl/avl-2.0.3.text.gz
libavl is a library in ANSI/ISO C for the manipulation of binary trees
and balanced binary trees. libavl is written using a literate
programming system called TexiWEB. By way of TexiWEB, libavl is as
much a textbook on binary trees and balanced binary trees as it is a
collection of code.
Changes for version 2.0.3:
Previously, all of libavl was under GPL version 2. Now, the libavl
book is under the GNU Free Documentation License (version 1.2 or
later), the libraries under the GNU Lesser General Public License
(version 3 or later), and programs under the GNU General Public
License (version 3 or later). Refer to README for details.
Fix incompatibility between libavl and recent versions of Texinfo.
libavl now recommends Texinfo 4.8.
BST_MAX_HEIGHT, AVL_MAX_HEIGHT, RB_MAX_HEIGHT were fixed to use the
maximum, not minimum, height of a tree, and to have reasonable
values for 64-bit systems. The lower bound on the number of nodes
in an AVL tree was fixed also.
Fixed the spelling of referenced paper author Quentin Stout's name.
Fixed a few minor typographical problems.
Updated INSTALL to explain the intended use of libavl.
The PDF version of libavl is now generated with pdftex, instead of
using dvipdfm.
libavl now has a dedicated mailing list for reporting bugs:
bug-avl@gnu.org.
--
Ben Pfaff
http://benpfaff.org
I have the pleasure to announce that the 0.0.8 version of Archimedes
has been released. Archimedes is the GNU package for 2D submicron and
nano semiconductor device simulation.
It is now able to simulate both applied and self-generated magnetic
fields in a semiconductor device interacting with charged-particle
dynamics, thanks to the implemented Faraday equation. New commands
have been implemented. Please see the "test" directory for more
information about them.
Please feel free to download this new version at the following links:
http://www.gnu.org/software/archimedes
http://ftp.gnu.org/gnu/archimedes/
Best regards
Jean Michel
---------------------------------------------------------------------------
support for Archimedes, the free Monte Carlo semiconductor device simulator
---------------------------------------------------------------------------
Archimedes is the GNU package for advanced semiconductor devices simulations.
Please remember that development of Archimedes is a volunteer effort, and you
can also contribute to its development. For information about contributing to
the Archimedes Project and/or requests of enhancements, please contact me at
the following addresses.
Author and maintainer
*********************
Jean Michel Sellier, PhD
via dei Narcisi 28,
Cassibile, Siracusa,
C.A.P. 96010, Italy
Mobile +39-349-8561049
Archimedes
**********
http://www.gnu.org/software/archimedes
http://www.southnovel.eu
http://www.archimedes.altervista.org/
http://www.nextnano.de/tools/archimedes.php
Contacts
********
sellier@dmi.unict.it
jeanmichel.sellier@nextnano.de
archimedes@nextnano.de
jeanmichel.sellier@gmail.com
---------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Apache XML Graphics team is pleased to announce the release of
Apache FOP version 0.94.
FOP (Formatting Objects Processor) is a print formatter driven by XSL
Formatting Objects [1] and an output independent formatter. It is a Java
application that reads a formatting object tree and renders the
resulting pages to a specified output. Output formats currently
supported include PDF, PS, PCL, AFP, Print and PNG.
[1] http://www.w3.org/TR/xsl11/
This is the second production-level release after the big re-design
effort. It includes many bug fixes and new features, the most important
being:
- auto-detection of the fonts installed on the system; the XML metrics
generation is now optional;
- support for the collapsing-border model in tables;
- internal links in PDF now point to the exact location, and not to the
top of the page;
- support for UAX#14 type line breaking. This annex of the Unicode
standard specifies rules for breaking text into lines depending on the
language used.
The complete list of changes is available at
http://xmlgraphics.apache.org/fop/0.94/changes_0.94.html
FOP 0.94 implements the XSL-FO 1.1 recommendation to a high degree of
compliance. See the compliance page for a detailed overview:
http://xmlgraphics.apache.org/fop/compliance.html
For download information, see the following page:
http://xmlgraphics.apache.org/fop/download.html
For the XML Graphics team,
Vincent Hennebert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGz0fNoHLU0ENYxYQRAjaFAKCCyMTZQusD72JauBMR5GR/CPplGgCcDCCq
trog+DwhMsrGg4NRo2f3vP8=
=hDdY
-----END PGP SIGNATURE-----