| Summary: | <net-dns/bind-9.10.2_p4: Multiple DoS vulnerabilities (CVE-2015-{5722,5986}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Vlad K. <vk-gentoo-bugs> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | hanno, idl0r, luke |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://seclists.org/oss-sec/2015/q3/483 | ||
| Whiteboard: | A3 [glsa cleanup cve] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Vlad K.
2015-09-03 01:06:55 UTC
From oss-sec: Please be advised that ISC publicly announced two critical vulnerabilities in BIND: + CVE-2015-5722 is a denial-of-service vector which can be exploited remotely against a BIND server that is performing validation on DNSSEC-signed records. All versions of BIND since 9.0.0 are vulnerable. https://kb.isc.org/article/AA-01287 + CVE-2015-5986 is a denial-of-service vector which can be used against a BIND server that is performing recursion and (under limited conditions) an authoritative-only nameserver. Versions of BIND since 9.9.7 and 9.10.2 are vulnerable. https://kb.isc.org/article/AA-01291 New releases of BIND, including security fixes for these vulnerabilities, are available: ftp://ftp.isc.org/isc/bind9/9.10.3rc1/RELEASE-NOTES.bind-9.10.3rc1.html ftp://ftp.isc.org/isc/bind9/9.9.8rc1/RELEASE-NOTES.bind-9.9.8rc1.html ftp://ftp.isc.org/isc/bind9/9.10.2-P4/RELEASE-NOTES.bind-9.10.2-P4.html ftp://ftp.isc.org/isc/bind9/9.9.7-P3/RELEASE-NOTES.bind-9.9.7-P3.html Marcin Siodelski (as ISC Security Officer) Additional info: One of the issues also affects key parsing in the command line tools. While the impact is likely low here this means bind-tools is also affected and should be bumped. bind-9.10.2_p4 has just been added. (In reply to Christian Ruppert (idl0r) from comment #3) > bind-9.10.2_p4 has just been added. Thank you for the version bump Arches, please stabilize =net-dns/bind-9.10.2_p4 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 =net-dns/bind-tools-9.10.2_p4 should also be stabilized. Stable for HPPA PPC64. Both stable on alpha. both stable on amd64 ppc stable ia64 stable CVE-2015-5986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5986): openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted DNS response. CVE-2015-5722 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5722): buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone. arm stable x86 stable Added to an existing GLSA Request. Waiting on sparc stabilization, GLSA ready for release. sparc stable This issue was resolved and addressed in GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01 by GLSA coordinator Mikle Kolyada (Zlogene). |
