When XHA was configured, iptables rules were written to
/usr/local/bluecat/firewall_rules/localHAFirewallConfig to
permit 694/udp to and from the peer node on each appliance.
However, these rules have no effect because of the rules
mentioned above. They are also incorrect in their own right:
they match on source port 694/udp, while the heartbeat packets
we observed do not use a fixed source port, so they would not
match the heartbeats even if they were reached.
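As an added illustration (not part of the advisory), the following Python model evaluates a chain with iptables' first-match semantics against heartbeat packets of the shape described above: destination port 694, varying source port. The peer address 10.0.0.2, the attacker address 198.51.100.7, the sample source ports and the single catch-all rule standing in for "the rules mentioned above" are all assumptions; the real contents of localHAFirewallConfig are not reproduced.

```python
# Added example (not from the advisory): a first-match model of an iptables
# INPUT chain, used to show why the 694/udp rules described above do nothing.
# The peer address, the stand-in for the earlier rules, the attacker address
# and the sample source ports are constructed; the real localHAFirewallConfig
# contents are not reproduced here.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PEER = "10.0.0.2"                 # assumed address of the XHA peer node


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field means 'any'."""
    target: str                   # ACCEPT or DROP
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, field)
                   for field, want in (("proto", self.proto), ("src", self.src),
                                       ("sport", self.sport), ("dport", self.dport)))

    def to_iptables(self) -> str:
        """Render the rule as the equivalent iptables command line."""
        parts = ["iptables -A INPUT"]
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.src:
            parts.append(f"-s {self.src}")
        if self.sport is not None:
            parts.append(f"--sport {self.sport}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """First-match semantics: return (verdict, index of the matching rule);
    index None means the chain policy applied."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i
    return policy, None


# Heartbeats as described above: destination port 694, source port not fixed
# (constructed sample of ephemeral source ports).
HEARTBEATS = [Packet(PEER, sport, 694) for sport in (32769, 40112, 51034)]
# A forged heartbeat from a non-peer host (constructed attacker address).
SPOOFED = Packet("198.51.100.7", 694, 694)

# Stand-in for "the rules mentioned above": something earlier in the chain
# that already matches the traffic, so the 694/udp rule is never consulted.
EARLIER_RULES = [Rule("ACCEPT", proto="udp")]
# The 694/udp rule as shipped: requires source port 694 as well.
SHIPPED_694_RULE = Rule("ACCEPT", proto="udp", src=PEER, sport=694, dport=694)
SHIPPED_CHAIN = EARLIER_RULES + [SHIPPED_694_RULE]
# The shipped rule on its own, with nothing shadowing it: still wrong.
UNSHADOWED_CHAIN = [SHIPPED_694_RULE]
# A corrected rule: constrain the peer and the destination port only.
FIXED_CHAIN = [Rule("ACCEPT", proto="udp", src=PEER, dport=694)]


def summary(chain: List[Rule]) -> dict:
    """How a chain treats the real heartbeats and the forged one."""
    return {
        "heartbeats_accepted": sum(evaluate(chain, p)[0] == "ACCEPT" for p in HEARTBEATS),
        "spoofed_accepted": evaluate(chain, SPOOFED)[0] == "ACCEPT",
    }


if __name__ == "__main__":
    for name, chain in (("shipped", SHIPPED_CHAIN), ("unshadowed", UNSHADOWED_CHAIN),
                        ("fixed", FIXED_CHAIN)):
        print(name, summary(chain))
        for r in chain:
            print("   ", r.to_iptables())
```

Under the shipped chain every heartbeat is decided by the earlier rule (index 0), so the 694/udp rule at index 1 is never reached; on its own that rule drops all three heartbeats because none carries source port 694. The corrected rule admits the heartbeats and drops the forged one, with the caveat that a source-address match only helps against an attacker who cannot spoof the peer's address onto the link.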
One possible workaround, which may be used to temporarily
prevent the attack, is to comment out the 694/udp rules in
the firewall startup script and then repair the rules in

exhaustion in rexml.
CVE-2008-3905
Tanaka Akira discovered that the resolv module uses sequential
transaction IDs and a fixed source port for DNS queries, which
makes it more vulnerable to DNS spoofing attacks.
For the stable distribution (etch), these problems have been fixed in
version 1.8.5-4etch3. Packages for arm will be provided later.
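To make the CVE-2008-3905 weakness concrete, here is an added Python model (not code from the advisory or from Ruby's resolv library) of a blind DNS spoofer against a resolver whose transaction IDs increase by one and whose source port never changes, beside a randomised variant. The starting ID, the fixed port and the RNG seed are constructed values, and the randomised variant illustrates the general remedy rather than the specific change shipped in 1.8.5-4etch3.

```python
# Added example (not from the advisory or from Ruby's resolv.rb): a model of
# how predictable DNS query identifiers let a blind attacker forge replies.
# Start ID, fixed port and seed are constructed values; the randomised variant
# shows the shape of a hardened resolver, not the Debian patch itself.
import random

ID_SPACE = 1 << 16                      # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(1024, 1 << 16)  # source ports a randomising resolver may use


def sequential_queries(n, start_id=0x1234, port=40000):
    """(txid, sport) for n successive lookups by a resolver that increments its
    transaction ID and always sends from one fixed port (the reported flaw)."""
    return [((start_id + i) % ID_SPACE, port) for i in range(n)]


def randomized_queries(n, seed=1):
    """(txid, sport) with a fresh random ID and ephemeral port per lookup."""
    rng = random.Random(seed)
    return [(rng.randrange(ID_SPACE), rng.choice(EPHEMERAL_PORTS)) for _ in range(n)]


def resolver_accepts(outstanding, reply):
    """A stub resolver pairs a UDP reply with its query by transaction ID and by
    the port the reply arrives on; an off-path attacker must get both right."""
    return outstanding == reply


def blind_spoof_rate(queries):
    """Attacker who has seen lookup i (e.g. by making the victim resolve a name
    under attacker control) forges a reply for lookup i+1 assuming ID+1 and
    the same port. Returns the fraction of forged replies accepted."""
    hits = 0
    for seen, target in zip(queries, queries[1:]):
        forged = ((seen[0] + 1) % ID_SPACE, seen[1])
        hits += resolver_accepts(target, forged)
    return hits / (len(queries) - 1)


def guesses_per_query(random_ids, random_ports):
    """Number of (ID, port) pairs an attacker must cover to hit one query blind."""
    return (ID_SPACE if random_ids else 1) * (len(EPHEMERAL_PORTS) if random_ports else 1)


if __name__ == "__main__":
    print("sequential ID + fixed port:", blind_spoof_rate(sequential_queries(500)))
    print("random ID + random port:   ", blind_spoof_rate(randomized_queries(500)))
    print("blind guesses needed:", guesses_per_query(False, False),
          "vs", guesses_per_query(True, True))
```

A real resolver also checks that the reply's question section and source address match the query, but both are known to the attacker, so the transaction ID and the source port are the only entropy protecting a plain UDP lookup. With a sequential ID and a fixed port that entropy is zero and every forged reply lands; randomising both raises the blind search to roughly 2^32 candidates per query.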
Two denial of service conditions were discovered in avahi, a Multicast
DNS implementation.
Hugo Dias discovered that the avahi daemon aborts with an assert error
if it encounters a UDP packet with source port 0 (CVE-2008-5081).
It was discovered that the avahi daemon aborts with an assert error if
it receives an empty TXT record over D-Bus (CVE-2007-3372).
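Both avahi issues are instances of an assertion guarding data that an unauthenticated party controls. The added Python example below (not avahi's code) shows the pattern in miniature: a UDP header parser that aborts on source port 0 beside one that rejects the datagram and keeps serving, and a TXT RDATA decoder that treats the empty record as valid input. The datagrams, port numbers and RDATA bytes are constructed; avahi's actual UDP and D-Bus code paths are not reproduced.

```python
# Added example (not avahi's code): the class of bug behind CVE-2008-5081 and
# CVE-2007-3372 in miniature. An assert on attacker-reachable input turns a
# malformed packet into a daemon crash; the hardened parsers below reject the
# input and return. The datagrams and TXT RDATA are constructed samples.
import struct

MDNS_PORT = 5353
# Constructed 12-byte DNS header placeholder standing in for an mDNS query payload.
QUERY_STUB = b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"


class MalformedPacket(ValueError):
    """Raised for input that must be dropped, never for a daemon-internal error."""


def make_datagram(sport, payload=QUERY_STUB):
    """UDP header (src port, dst port, length, checksum) followed by payload."""
    return struct.pack("!HHHH", sport, MDNS_PORT, 8 + len(payload), 0) + payload


SPORT_ZERO_DATAGRAM = make_datagram(0)      # the CVE-2008-5081 trigger shape
GOOD_DATAGRAM = make_datagram(MDNS_PORT)


def parse_udp_asserting(datagram):
    """Vulnerable pattern: an invariant about remote data enforced with assert,
    so one hostile packet aborts the process."""
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    assert sport != 0, "source port 0"
    return sport, dport, datagram[8:length]


def parse_udp_checked(datagram):
    """Hardened: validate every field and raise MalformedPacket for the caller to drop."""
    if len(datagram) < 8:
        raise MalformedPacket("short UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if sport == 0:
        raise MalformedPacket("source port 0")
    if length < 8 or length > len(datagram):
        raise MalformedPacket("bad UDP length")
    return sport, dport, datagram[8:length]


def parse_txt_rdata(rdata):
    """Decode TXT RDATA (a sequence of length-prefixed strings, RFC 1035) into
    a list of byte strings. Zero-length RDATA and the single-0x00 encoding of
    an empty record both yield [] instead of tripping an 'at least one string'
    assertion; a length that overruns the RDATA is rejected."""
    items, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise MalformedPacket("TXT string overruns RDATA")
        if n:
            items.append(bytes(rdata[i:i + n]))
        i += n
    return items


def handle_datagram(datagram):
    """Receive-loop body: bad input is logged and dropped, never raised."""
    try:
        sport, dport, payload = parse_udp_checked(datagram)
    except MalformedPacket as e:
        return "dropped", str(e)
    return "ok", payload


if __name__ == "__main__":
    print(handle_datagram(GOOD_DATAGRAM))
    print(handle_datagram(SPORT_ZERO_DATAGRAM))
    print(parse_txt_rdata(b"\x00"), parse_txt_rdata(b"\x03a=b\x05c=def"))
```

The distinction worth keeping in a daemon is between invariants the code itself guarantees, where an assert is appropriate, and properties of bytes that arrived over the network or over an IPC channel, which are input validation and must fail by dropping the message. In C the assert aborts unless NDEBUG is set, which is exactly the remote crash avahi suffered; in Python an assert is additionally stripped under -O, so it never reliably protects anything.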
For the stable distribution (etch), these problems have been fixed in