Bug 1018700 (CVE-2016-9131)

Summary: VUL-0: CVE-2016-9131: bind: malformed response can cause assertion failure during recursion
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, astieger, jsegitz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-9131:7.8:(AV:N/AC:L/Au:N/C:N/I:N/A:C) maint:running:63332:important maint:released:oes11-sp2:63335 CVSSv2:NVD:CVE-2016-9131:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-9131:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9131:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2016-9131:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-3136:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-3137:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-9131:7.8:(AV:N/AC:L/Au:N/C:N/I:N/A:C) CVSSv2:SUSE:CVE-2017-3136:2.6:(AV:N/AC:H/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-3137:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-9131:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2017-3136:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2017-3137:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-8864:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-8864:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9131:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9131:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9147:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9147:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9444:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9444:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3135:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3135:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3136:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3136:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3137:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3137:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3138:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3138:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 
CVSSv3:RedHat:CVE-2017-3139:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-3139:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2018-5735:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Bug Depends on:    
Bug Blocks: 1018699    
Deadline: 2017-01-16   

Comment 3 Swamp Workflow Management 2017-01-07 23:00:14 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2017-01-09 12:04:54 UTC
CRD: 2017-01-11
Comment 5 Swamp Workflow Management 2017-01-09 12:58:12 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-01-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63332
Comment 6 Swamp Workflow Management 2017-01-09 15:59:19 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-01-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63333
Comment 10 Swamp Workflow Management 2017-01-12 01:09:11 UTC
SUSE-SU-2017:0111-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1018699,1018700,1018701,1018702
CVE References: CVE-2016-9131,CVE-2016-9147,CVE-2016-9444
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    bind-9.9.9P1-53.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    bind-9.9.9P1-53.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    bind-9.9.9P1-53.1
SUSE Linux Enterprise Server 12-SP2 (src):    bind-9.9.9P1-53.1
SUSE Linux Enterprise Server 12-SP1 (src):    bind-9.9.9P1-53.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    bind-9.9.9P1-53.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    bind-9.9.9P1-53.1
Comment 11 Swamp Workflow Management 2017-01-12 01:10:16 UTC
SUSE-SU-2017:0112-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1018699,1018700,1018701,1018702
CVE References: CVE-2016-9131,CVE-2016-9147,CVE-2016-9444
Sources used:
SUSE OpenStack Cloud 5 (src):    bind-9.9.6P1-0.36.1
SUSE Manager Proxy 2.1 (src):    bind-9.9.6P1-0.36.1
SUSE Manager 2.1 (src):    bind-9.9.6P1-0.36.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    bind-9.9.6P1-0.36.1
SUSE Linux Enterprise Server 11-SP4 (src):    bind-9.9.6P1-0.36.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    bind-9.9.6P1-0.36.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    bind-9.9.6P1-0.36.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    bind-9.9.6P1-0.36.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bind-9.9.6P1-0.36.1
Comment 12 Swamp Workflow Management 2017-01-12 01:11:17 UTC
SUSE-SU-2017:0113-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1018699,1018700,1018701,1018702,965748
CVE References: CVE-2016-9131,CVE-2016-9147,CVE-2016-9444
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    bind-9.9.9P1-28.26.1
SUSE Linux Enterprise Server 12-LTSS (src):    bind-9.9.9P1-28.26.1
Comment 13 Alexander Bergmann 2017-01-12 07:48:26 UTC
Public now!

https://kb.isc.org/article/AA-01439/74/CVE-2016-9131
Comment 15 Swamp Workflow Management 2017-01-17 18:46:04 UTC
openSUSE-SU-2017:0182-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1018699,1018700,1018701,1018702
CVE References: CVE-2016-9131,CVE-2016-9147,CVE-2016-9444
Sources used:
openSUSE 13.2 (src):    bind-9.9.6P1-2.28.1
Comment 16 Swamp Workflow Management 2017-01-18 11:09:22 UTC
openSUSE-SU-2017:0193-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1018699,1018700,1018701,1018702
CVE References: CVE-2016-9131,CVE-2016-9147,CVE-2016-9444
Sources used:
openSUSE Leap 42.2 (src):    bind-9.9.9P1-43.1
openSUSE Leap 42.1 (src):    bind-9.9.9P1-45.1
Comment 17 Marcus Meissner 2017-01-27 10:42:37 UTC
released