858639 – (CVE-2014-0591) VUL-0: CVE-2014-0591: bind: named crash when handling malformed NSEC3-signed zones

Bug 858639 (CVE-2014-0591) - VUL-0: CVE-2014-0591: bind: named crash when handling malformed NSEC3-signed zones

Summary: VUL-0: CVE-2014-0591: bind: named crash when handling malformed NSEC3-signed ...

Status:	RESOLVED FIXED

Alias:	CVE-2014-0591

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:running:55990:moderate maint:r...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-01-14 09:29 UTC by Sebastian Krahmer
Modified:	2015-03-11 19:05 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2014-01-14 09:29:12 UTC

CVE-2014-0591



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0591
https://bugzilla.redhat.com/show_bug.cgi?id=1051717

Comment 1 Swamp Workflow Management 2014-01-14 23:00:21 UTC

bugbot adjusting priority

Comment 3 Reinhard Max 2014-01-22 16:45:29 UTC

Submitted to 12.3, 13.1, SLE-10-SP4, SLE-11, SLE-11-SP2 and Factory. SLE12 will follow.

bind-9.3.4 which is contained in SLE-9-SP3-teradata and SLE-10-SP3 is not listed as vulnerable in the NIST link above.

Comment 5 Bernhard Wiedemann 2014-01-22 17:00:10 UTC

This is an autogenerated message for OBS integration:
This bug (858639) was mentioned in
https://build.opensuse.org/request/show/214727 13.1+12.3 / bind

Comment 6 Bernhard Wiedemann 2014-01-24 11:00:10 UTC

This is an autogenerated message for OBS integration:
This bug (858639) was mentioned in
https://build.opensuse.org/request/show/215020 Factory / bind

Comment 8 Ruediger Oertel 2014-01-30 10:06:30 UTC

there is a patchinfo pending for sle10-sp3 which is not vulnerable
according to comment#3

can you cancel the patchinfo ?

Comment 9 Swamp Workflow Management 2014-01-31 18:54:24 UTC

Update released for: bind, bind-chrootenv, bind-debuginfo, bind-debugsource, bind-devel, bind-doc, bind-libs, bind-libs-32bit, bind-libs-64bit, bind-libs-x86, bind-lwresd, bind-utils
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 10 Swamp Workflow Management 2014-01-31 20:29:18 UTC

Update released for: bind, bind-chrootenv, bind-debuginfo, bind-debugsource, bind-devel, bind-doc, bind-libs, bind-lwresd, bind-utils
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 11 Swamp Workflow Management 2014-01-31 20:49:31 UTC

Update released for: bind, bind-chrootenv, bind-debuginfo, bind-debugsource, bind-devel, bind-doc, bind-libs, bind-libs-32bit, bind-libs-64bit, bind-libs-x86, bind-lwresd, bind-utils
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)

Comment 12 Swamp Workflow Management 2014-02-01 00:04:23 UTC

SUSE-SU-2014:0179-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 858639
CVE References: CVE-2014-0591
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Software Development Kit 11 SP2 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP3 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP2 for VMware (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP2 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Desktop 11 SP2 (src):    bind-9.9.4P2-0.6.1

Comment 13 Marcus Meissner 2014-02-17 09:34:52 UTC

was released

Comment 15 Swamp Workflow Management 2015-03-11 19:05:19 UTC

SUSE-SU-2015:0480-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 743758,858639,908994
CVE References: CVE-2014-0591,CVE-2014-8500
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    bind-9.6ESVR11W1-0.2.1