Bugzilla – Bug 958861
VUL-0: CVE-2015-8000: bind: remote denial of service by misparsing incoming responses
Last modified: 2016-01-26 12:24:35 UTC
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Dec. 18, 2015". When done, reassign the bug to "security-team@suse.de". /update/121115/.
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Dec. 18, 2015". When done, reassign the bug to "security-team@suse.de". /update/121116/.
now published by ISC CVE: CVE-2015-8000 Document Version: 2.0 Posting date: 15 December 2015 Program Impacted: BIND Versions affected: 9.0.x -> 9.9.8, 9.10.0 -> 9.10.3 Severity: Critical Exploitable: Remotely Description: An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries. Impact: An attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients. The risk to recursive servers is high. Authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs. CVSS Score: 7.1 CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:C) Workarounds: None. Active exploits: No known active exploits. Solution: Upgrade to the patched release most closely related to your current version of BIND. Public open-source branches can be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.8-P2 BIND 9 version 9.10.3-P2 BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to ISC Support customers. BIND 9 version 9.9.8-S3 Document Revision History: 1.0 Advance Notification, 24 November, 2015 1.1 Software releases 9.9.8-P1 and 9.10.3-P1 replaced with 9.9.8-P2 and 9.10.3-P2 to address CVE-2015-8461, advisory text and schedule updated, 8 December 2015 2.0 Public Disclosure, 15 December 2015 Related Documents: See our BIND9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913 for a complete listing of Security Vulnerabilities and versions affected. Do you still have questions? Questions regarding this advisory should go to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/. Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see http://www.isc.org/downloads/). ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://kb.isc.org/article/AA-00861 This Knowledge Base article https://kb.isc.org/article/AA-01317 is the complete and official security advisory document.
This is an autogenerated message for OBS integration: This bug (958861) was mentioned in https://build.opensuse.org/request/show/349230 13.1 / bind https://build.opensuse.org/request/show/349231 13.2 / bind
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-12-24. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62380
could you provide a test case or reproducer for qa maintenance testing?
QA: We have no reproducer at this time.
Submitted to Factory.
This is an autogenerated message for OBS integration: This bug (958861) was mentioned in https://build.opensuse.org/request/show/350227 Factory / bind
SUSE-SU-2015:2340-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 923281,958861 CVE References: CVE-2015-8000 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Server 11-SP4 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Server 11-SP3 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Server 11-SP2-LTSS (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Desktop 11-SP4 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Desktop 11-SP3 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): bind-9.9.6P1-0.19.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): bind-9.9.6P1-0.19.1
SUSE-SU-2015:2341-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 958861 CVE References: CVE-2015-8000 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): bind-9.9.6P1-28.6.1 SUSE Linux Enterprise Server 12 (src): bind-9.9.6P1-28.6.1 SUSE Linux Enterprise Desktop 12 (src): bind-9.9.6P1-28.6.1
SUSE-SU-2015:2359-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 958861 CVE References: CVE-2015-8000 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): bind-9.9.6P1-32.1 SUSE Linux Enterprise Server 12-SP1 (src): bind-9.9.6P1-32.1 SUSE Linux Enterprise Desktop 12-SP1 (src): bind-9.9.6P1-32.1
openSUSE-SU-2015:2364-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 958861 CVE References: CVE-2015-8000 Sources used: openSUSE 13.2 (src): bind-9.9.6P1-2.13.1 openSUSE 13.1 (src): bind-9.9.4P2-2.20.1
openSUSE-SU-2015:2365-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 958861 CVE References: CVE-2015-8000 Sources used: openSUSE Leap 42.1 (src): bind-9.9.6P1-27.1
This is an autogenerated message for OBS integration: This bug (958861) was mentioned in https://build.opensuse.org/request/show/350919 Evergreen:11.4 / bind.openSUSE_Evergreen_11.4
openSUSE-SU-2015:2391-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 958861 CVE References: CVE-2015-8000 Sources used: openSUSE Evergreen 11.4 (src): bind-9.9.4P2-72.1
SLE 10 SP4 is affected as well and under LTSS contract until mid-2016.. We need a submission there as well.
Done.
SUSE-SU-2016:0227-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 939567,944066,958861,962189 CVE References: CVE-2015-5477,CVE-2015-5722,CVE-2015-8000,CVE-2015-8704 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): bind-9.6ESVR11P1-0.18.1