SCIENTIFIC-LINUX-DEVEL Archives

August 2015

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
CVE-2015-5477 - Bind crashing after specifically crafted packet
From:
Steven Haigh <[log in to unmask]>
Reply To:
Steven Haigh <[log in to unmask]>
Date:
Sat, 1 Aug 2015 23:11:08 +1000
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (1010 bytes) , signature.asc (834 bytes) 
Hi all,

So there's a new DoS vulnerability in bind that will cause the bind
process to exit if a certain packet is sent.

It mentions the following:
Both recursive and authoritative servers are vulnerable to this defect.
 Additionally, exposure is not prevented by either ACLs or configuration
options limiting or denying service because the exploitable code occurs
early in the packet handling, before checks enforcing those boundaries.

All versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 9.9.7-P1
and BIND 9.10.2-P2 are vulnerable.

Operators should take steps to upgrade to a patched version as soon as
possible.

The ISC has blogged about it here:
https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/

Essentially, its a "Whoops, you're all screwed. Upgrade now".

So, any news on an updated version in SL as an urgent priority??

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897

ATOM RSS1 RSS2