Summary: | <net-dns/bind{,-tools}-9.10.3_p4: Specific APL data could trigger an INSIST in apl_42.c causing BIND named to exit (CVE-2015-{8704,8705}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | idl0r |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2016/01/19/19 | | |
Whiteboard: | B3 [glsa cve] | | |
Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2016-01-20 08:18:16 UTC
net-dns/bind-9.10.3_p3 has just been added.

(In reply to Christian Ruppert (idl0r) from comment #1)
> net-dns/bind-9.10.3_p3 has just been added.

do we need to stabilize also a newer bind-tools?

(In reply to Agostino Sarubbo from comment #2)
> (In reply to Christian Ruppert (idl0r) from comment #1)
> > net-dns/bind-9.10.3_p3 has just been added.
>
> do we need to stabilize also a newer bind-tools?

Not this time. Thanks!

Added to existing GLSA.

CVE-2015-8705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8705):
buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit, or daemon crash) or possibly have unspecified other impact via (1) OPT data or (2) an ECS option.

CVE-2015-8704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8704):
apl_42.c in ISC BIND 9.x before 9.9.8-P3 and 9.9.x and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record.

This issue was resolved and addressed in GLSA 201610-07 at https://security.gentoo.org/glsa/201610-07 by GLSA coordinator Kristian Fiskerstrand (K_F).