Greetings,

----- Original Message -----
> So there's a new DoS vulnerability in bind that will cause the bind
> process to exit if a certain packet is sent.
> 
> It mentions the following:
> Both recursive and authoritative servers are vulnerable to this defect.
> Additionally, exposure is not prevented by either ACLs or configuration
> options limiting or denying service because the exploitable code occurs
> early in the packet handling, before checks enforcing those
> boundaries.
> 
> All versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND
> 9.9.7-P1 and BIND 9.10.2-P2 are vulnerable.
> 
> Operators should take steps to upgrade to a patched version as soon
> as possible.
> 
> The ISC has blogged about it here:
> https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/
> 
> Essentially, its a "Whoops, you're all screwed. Upgrade now".
> 
> So, any news on an updated version in SL as an urgent priority??

RH has released updates, right?  So it shouldn't be too long SL has an update.  They usually track those pretty closely.  A mitigator, since this is only a crash-bind issue... on EL7 with systemd anyway... would be to make a drop-in file that restarts bind whenever it isn't running.  Thanks systemd.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]