Bugzilla – Bug 944107
VUL-0: CVE-2015-5986: bind: remote denial-of-service against recursing bind server
Last modified: 2020-05-13 07:57:26 UTC
The version affected matrix seems to indicate that none of our products are affected. Versions affected: 9.9.7 -> 9.9.7-P2, 9.10.2 -> 9.10.2-P3. SLES 11 SP2/SP3/SP4, SLE12 GA have: 9.9.6-P1 -> not affected.
https://www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/

CVE: CVE-2015-5986
Document Version: 2.0
Posting date: 02 September 2015
Program Impacted: BIND
Versions affected: 9.9.7 -> 9.9.7-P2, 9.10.2 -> 9.10.2-P3.
Severity: Critical
Exploitable: Remotely

Description: An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query.

Impact: A server which encounters this error will terminate due to a REQUIRE assertion failure, resulting in denial of service to clients. Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server. Servers should be upgraded to a fixed version.

CVSS Score: 7.1
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:C)

Workarounds: No workarounds are known to exist.
Active exploits: None known.

Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.

BIND 9 version 9.9.7-P3
BIND 9 version 9.10.2-P4

BIND development releases scheduled to be published at the same time as the public disclosure of this vulnerability will also contain the fix for this security issue.

BIND 9 version 9.9.8rc1
BIND 9 version 9.10.3rc1

Document Revision History:
1.0 Advance Notification 19 August, 2015
2.0 Public Disclosure 2 September, 2015
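The affected-version check done by hand above can be scripted. This is an added example, not part of the bug report or of ISC's advisory; the function names are hypothetical, and it assumes version strings of the forms seen on this page (`9.9.7`, `9.9.7-P2`, `9.9.8rc1`) and treats the advisory's ranges as inclusive.

```python
import re

# Affected ranges exactly as listed in the advisory (treated as inclusive).
AFFECTED = [("9.9.7", "9.9.7-P2"), ("9.10.2", "9.10.2-P3")]

# Accepts X.Y.Z, X.Y.Z-P<n> and X.Y.Zrc<n>; other suffixes are rejected
# rather than guessed at.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(rc)(\d+)|-P(\d+))?$")


def parse(version):
    """Return a sortable tuple for a BIND version string."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):        # release candidate: sorts before the release
        stage, n = -1, int(m.group(5))
    elif m.group(6):      # -P<n> patch release: sorts after the release
        stage, n = 1, int(m.group(6))
    else:                 # plain release
        stage, n = 0, 0
    # Components are compared as integers, so 9.10.x sorts after 9.9.x;
    # a plain string comparison would get that wrong.
    return (major, minor, patch, stage, n)


def is_affected(version):
    """True if the version lies inside one of the advisory's listed ranges."""
    key = parse(version)
    return any(parse(lo) <= key <= parse(hi) for lo, hi in AFFECTED)


if __name__ == "__main__":
    # Versions mentioned on this page.
    for v in ("9.9.6-P1", "9.9.7", "9.9.7-P2", "9.9.7-P3",
              "9.10.2-P3", "9.10.2-P4", "9.9.8rc1", "9.10.3rc1"):
        print(f"{v:10s} {'AFFECTED' if is_affected(v) else 'not in listed range'}")
```

The result reflects only the ranges the advisory lists; it makes no statement about pre-release builds the advisory does not mention.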
I submitted for factory.