#6697: bind9.10.2-P2 and BIND Utilities-9.10.2-P2
-------------------------+-------------------------
Reporter: fo | Owner: blfs-book@…
Type: enhancement | Status: new
Priority: high | Milestone: 7.8
Component: BOOK | Version: SVN
Severity: normal | Keywords:
-------------------------+-------------------------
[ftp://ftp.isc.org/isc/bind9/9.10.2-P2/bind-9.10.2-P2.tar.gz]
[ftp://ftp.isc.org/isc/bind9/9.10.2-P2/bind-9.10.2-P2.tar.gz.sha512.asc]
[https://kb.isc.org/article/AA-01267]
{{{
CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to
Crash when Validating
Author: Michael McNally Reference Number: AA-01267 Views: 2884
Created: 2015-06-16 19:57 Last Updated: 2015-07-07 18:15
An attacker who can cause a validating resolver to query a zone
containing specifically constructed contents can cause that resolver to
fail an assertion and terminate due to a defect in validation code.
CVE: CVE-2015-4620
Document Version: 2.0
Posting date: 7 July 2015
Program Impacted: BIND
Versions affected: BIND 9.7.1 -> 9.7.7, 9.8.0 -> 9.8.8, 9.9.0 -> 9.9.7,
9.10.0 -> 9.10.2-P1.
Severity: Critical
Exploitable: Remotely
Description:
A very uncommon combination of zone data has been found that triggers a
bug in BIND, with the result that named will exit with a "REQUIRE"
failure in name.c when validating the data returned in answer to a
recursive query.
This means that a recursive resolver that is performing DNSSEC
validation can be deliberately stopped by an attacker who can cause the
resolver to perform a query against a maliciously-constructed zone.
Impact:
A recursive resolver that is performing DNSSEC validation can be
deliberately terminated by any attacker who can cause a query to be
performed against a maliciously constructed zone. This will result in a
denial of service to clients who rely on that resolver.
DNSSEC validation is only performed by a recursive resolver if it has
"dnssec-validation auto;" in its configuration or if it has a root trust
anchor defined and has "dnssec-validation yes;" set (either by accepting
the default or via an explicitly set value of "yes".) By default ISC
BIND recursive servers will not validate. (However, ISC defaults may
have been changed by your distributor.)
CVSS Score: 7.8
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
}}}
[ftp://ftp.isc.org/isc/bind9/9.10.2-P2/CHANGES]
[ftp://ftp.isc.org/isc/bind9/9.10.2-P2/RELEASE-NOTES-9.10.2-P2.txt]
{{{
Release Notes for BIND Version 9.10.2-P2
Introduction
This document summarizes changes since BIND 9.10.2:
BIND 9.10.2-P2 addresses a security issue described in CVE-2015-4620.
BIND 9.10.2-P1 addressed several bugs that have been identified ...
Security Fixes
* On servers configured to perform DNSSEC validation an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* None
Feature Changes
* None
Bug Fixes
...
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/6697>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch