Bugzilla – Bug 918330
VUL-1: CVE-2015-1349: bind: Problem with trust anchor management can cause named to crash
Last modified: 2020-09-24 14:57:29 UTC

From: "Jeremy C. Reed" <security-officer@isc.org>

ISC is planning on announcing a vulnerability tomorrow (2015-02-18) around 1300 PST (2100 UTC).

CVE-2015-1349, a problem with trust anchor management can cause named to crash, affecting BIND versions 9.7.0+.

Please refrain from public announcement and publication of new packages until after we have made our public announcement.

We believe that it will be very difficult for this to be triggered in most cases, requiring DNSSEC validation amongst other factors.

Beginning with the rc2 versions (also expected to be released on 2015-02-18) our 9.9.7 and 9.10.2 releases will also have the fix for this issue.

Patches to correct this issue are attached to this message to be used in building replacement BIND packages for your users.

SHA256 (bind9-patch-v9_10_1-CVE-2015-1349) = c67d6caf3bdf1928e60111c4b56fea835060a4de6247aecdbc8e45e48fa9f782
SHA256 (bind9-patch-v9_9_6-CVE-2015-1349) = ae0a3d76e74a22c814a4708510aad13d76e4f4d48eefaf813ecbc2e23b24d2a9

In keeping with our prior communication and commitments, we will not be producing patches specifically for BIND 9.8 or BIND 9.6-ESV, both of which are beyond their End of Life (EOL) and are no longer supported by ISC.

bugbot adjusting priority
Created attachment 623825: Patch for 9.10
Created attachment 623826: Patch for 9.9
Public: https://kb.isc.org/article/AA-01235/0/CVE-2015-1349%3A-A-Problem-with-Trust-Anchor-Management-Can-Cause-named-to-Crash.html

May terminate with an assertion failure when encountering all of the following conditions in a managed trust anchor:
- a key which was previously trusted is now flagged as revoked;
- there are no other trusted keys available;
- there is a standby key, but it is not trusted yet.

Will treat it as VUL-1.

SUSE-SU-2015:1204-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 918330,936476
CVE References: CVE-2015-1349,CVE-2015-4620
Sources used:
- SUSE Linux Enterprise Software Development Kit 12 (src): bind-9.9.6P1-18.1
- SUSE Linux Enterprise Server 12 (src): bind-9.9.6P1-18.1
- SUSE Linux Enterprise Desktop 12 (src): bind-9.9.6P1-18.1

SUSE-SU-2015:1205-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 918330,936476
CVE References: CVE-2015-1349,CVE-2015-4620
Sources used:
- SUSE Linux Enterprise Software Development Kit 11 SP3 (src): bind-9.9.6P1-0.7.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (src): bind-9.9.6P1-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (src): bind-9.9.6P1-0.7.1
- SUSE Linux Enterprise Desktop 11 SP3 (src): bind-9.9.6P1-0.7.1

openSUSE-SU-2015:1250-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 908994,918330,936476,937028
CVE References: CVE-2014-8500,CVE-2015-1349,CVE-2015-4620
Sources used:
- openSUSE 13.2 (src): bind-9.9.6P1-2.4.1

openSUSE-SU-2015:1250-2: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 908994,918330,936476,937028
CVE References: CVE-2014-8500,CVE-2015-1349,CVE-2015-4620
Sources used:
- openSUSE 13.1 (src): bind-9.9.4P2-2.11.1

openSUSE-SU-2015:1326-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 918330,936476,939567
CVE References: CVE-2015-1349,CVE-2015-4620,CVE-2015-5477
Sources used:
- openSUSE Evergreen 11.4 (src): bind-9.9.4P2-66.1

released