bind CVE-2009-0025: incorrect DSA verification checks


by Damien Miller


Some exploitable logic errors have been found in the bind nameserver's
use of OpenSSL DSA verification functions. These errors may permit an
attacker to bypass validation of DSA DNSSEC signatures.

This vulnerability has been designated CVE-2009-0025. More information
is available from the ISC at:

  https://www.isc.org/node/373

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
had an identical fix applied.

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/008_bind.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.