Bugzilla – Bug 944066
VUL-0: CVE-2015-5722: bind: denial-of-service vulnerability against DNSSEC resolving bind
Last modified: 2022-02-13 11:07:37 UTC
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as critical. Please submit fixed packages until 2015-09-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62289
https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/ CVE: CVE-2015-5722 Document Version: 2.0 Posting date: 2 September 2015 Program Impacted: BIND Versions affected: BIND 9.0.0 -> 9.8.8, BIND 9.9.0 -> 9.9.7-P2, BIND 9.10.0 -> 9.10.2-P3 Severity: Critical Exploitable: Remotely Description: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key. Impact: Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service. Servers which are affected may terminate with an assertion failure, causing denial of service to all clients. CVSS Score: 7.8 CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C) For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) Workarounds: Servers which are not performing validation are not at risk from this defect (but are at increased risk from other types of DNS attack.) ISC does not recommend disabling validation to deal with this issue; upgrading to a fixed version is the preferred solution. Active exploits: None known Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.7-P3 BIND 9 version 9.10.2-P4 BIND development releases scheduled to be published at the same time as the public disclosure of this vulnerability will also contain the fix for this security issue. BIND 9 version 9.9.8rc1 BIND 9 version 9.10.3rc1 Acknowledgements: ISC would like to thank Hanno Böck from the Fuzzing Project for discovering and reporting this defect. We would also like to express our appreciation to the developers of the American Fuzzy Lop tool, which has been instrumental in revealing recently-disclosed vulnerabilities in BIND. Document Revision History: 1.0 Advance Notification 19 August 2015 1.1 “Versions affected” information clarified 24 August, 2015 2.0 Public Disclosure 2 September, 2015
SUSE-SU-2015:1480-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 944066 CVE References: CVE-2015-5722 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Server 11-SP4 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Server 11-SP3 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Server 11-SP2-LTSS (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Desktop 11-SP4 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Desktop 11-SP3 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): bind-9.9.6P1-0.15.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): bind-9.9.6P1-0.15.1
SUSE-SU-2015:1481-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 944066 CVE References: CVE-2015-5722 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): bind-9.9.6P1-26.1 SUSE Linux Enterprise Server 12 (src): bind-9.9.6P1-26.1 SUSE Linux Enterprise Desktop 12 (src): bind-9.9.6P1-26.1
as its pubkic, also submit for opensuse please
SUSE-SU-2015:1496-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 944066 CVE References: CVE-2015-5722 Sources used: SUSE Linux Enterprise Server 11-SP1-LTSS (src): bind-9.6ESVR11W1-0.9.1 SUSE Linux Enterprise Debuginfo 11-SP1 (src): bind-9.6ESVR11W1-0.9.1
openSUSE-SU-2015:1597-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 944066 CVE References: CVE-2015-5722 Sources used: openSUSE 13.2 (src): bind-9.9.6P1-2.10.1 openSUSE 13.1 (src): bind-9.9.4P2-2.17.1
i submitted to network/bind
openSUSE-SU-2015:1667-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 944066 CVE References: CVE-2015-5722 Sources used: openSUSE Evergreen 11.4 (src): bind-9.9.4P2-69.1
Done.
SUSE-SU-2016:0227-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 939567,944066,958861,962189 CVE References: CVE-2015-5477,CVE-2015-5722,CVE-2015-8000,CVE-2015-8704 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): bind-9.6ESVR11P1-0.18.1