Product: Solaris 9 Operating System, Solaris 10 Operating System, OpenSolaris
An insufficient validation vulnerability in named(1m), caused by incorrect processing of the return values of the OpenSSL library functions "EVP_VerifyFinal()" and "DSA_do_verify()", may allow a remote unprivileged user to trick named(1m) into accepting DNSSEC signatures that should not have passed validation, and subsequently to forge DNS responses and redirect Internet services.
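The return-value handling described above, as an added example (not Sun's, ISC's or OpenSSL's code): OpenSSL documents these verify functions as returning 1 for a valid signature, 0 for an invalid one and a negative value on error, so a check that treats any nonzero result as success also accepts the error case. `stub_verify`, its toy signature format and the sample byte strings are constructed stand-ins, used so the block runs without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an OpenSSL-style verify call (not a real API).
 * It follows the documented tri-state convention:
 *   1 = signature valid, 0 = signature invalid, -1 = error while verifying.
 * Toy format (constructed): byte 0 declares the payload length. */
static int stub_verify(const unsigned char *sig, size_t len) {
    static const unsigned char good[] = {0x03, 0xAA, 0xBB, 0xCC};
    if (len < 1 || (size_t)sig[0] + 1 != len)
        return -1;                 /* could not process input: error, not a verdict */
    return (len == sizeof good && memcmp(sig, good, len) == 0) ? 1 : 0;
}

/* Flawed pattern: only 0 is treated as failure, so -1 is taken as success. */
int accept_flawed(const unsigned char *sig, size_t len) {
    if (!stub_verify(sig, len))
        return 0;
    return 1;
}

/* Corrected pattern: only an explicit 1 counts as a verified signature. */
int accept_strict(const unsigned char *sig, size_t len) {
    return stub_verify(sig, len) == 1;
}

/* Constructed sample inputs for the toy format above. */
const unsigned char SIG_VALID[]     = {0x03, 0xAA, 0xBB, 0xCC};
const unsigned char SIG_WRONG[]     = {0x03, 0xAA, 0xBB, 0xCD};
const unsigned char SIG_MALFORMED[] = {0x7F, 0xAA, 0xBB, 0xCC}; /* bad length byte */

int main(void) {
    struct { const char *name; const unsigned char *sig; size_t len; } cases[] = {
        {"valid",     SIG_VALID,     sizeof SIG_VALID},
        {"wrong",     SIG_WRONG,     sizeof SIG_WRONG},
        {"malformed", SIG_MALFORMED, sizeof SIG_MALFORMED},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-9s verify=%2d flawed=%d strict=%d\n", cases[i].name,
               stub_verify(cases[i].sig, cases[i].len),
               accept_flawed(cases[i].sig, cases[i].len),
               accept_strict(cases[i].sig, cases[i].len));
    return 0;
}
```

When auditing code that calls these functions, look for checks of the form `if (!verify(...))` or `if (verify(...))`; an explicit comparison with 1 is the form to expect.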
Sun acknowledges, with thanks, the Google Security Team (for the original OpenSSL issue), Florian Weimer for spotting that BIND was vulnerable, and the ISC for bringing this issue to our attention.
This issue is also referenced in the following documents:
First released: 27-Jan-2009