Bugzilla – Bug 962189
VUL-0: CVE-2015-8704: bind: Specific APL data could trigger an INSIST in apl_42.c
Last modified: 2016-03-11 20:00:10 UTC
bugbot adjusting priority
RFC 3123: A DNS RR Type for Lists of Address Prefixes (APL RR) https://tools.ietf.org/html/rfc3123 > The textual representation of an APL RR in a DNS zone file is as > follows: > > <owner> IN <TTL> APL {[!]afi:address/prefix}*
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-01-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62441
Public at https://kb.isc.org/article/AA-01335 CVE: CVE-2015-8704 Document Version: 2.0 Posting date: 19 January 2016 Program Impacted: BIND Versions affected: 9.3.0->9.8.8, 9.9.0->9.9.8-P2, 9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2 Severity: High Exploitable: Remotely Description: A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c. Impact: A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations. Examples include (but may not be limited to): Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their master. Masters using text-format db files could be vulnerable if they accept a malformed record in a DDNS update message. Recursive resolvers are potentially vulnerable when debug logging, if they are fed a deliberately malformed record by a malicious server. A server which has cached a specially constructed record could encounter this condition while performing 'rndc dumpdb'. Please Note: Versions of BIND from 9.3 through 9.8 are also affected, but these branches are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC. For current information on which versions are actively supported, please see http://www.isc.org/downloads/. CVSS Score: 6.8 CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C) For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:C) Workarounds: None Active exploits: No known active exploits. Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.8-P3 BIND 9 version 9.10.3-P3 BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to eligible ISC Support customers. BIND 9 version 9.9.8-S4 Document Revision History: 1.0 Advance Notification 12 January 2016 2.0 Public Disclosure 19 January 2016
SUSE-SU-2016:0174-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 962189 CVE References: CVE-2015-8704 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): bind-9.9.6P1-35.1 SUSE Linux Enterprise Server 12-SP1 (src): bind-9.9.6P1-35.1 SUSE Linux Enterprise Desktop 12-SP1 (src): bind-9.9.6P1-35.1
This is an autogenerated message for OBS integration: This bug (962189) was mentioned in https://build.opensuse.org/request/show/354913 13.1 / bind
This is an autogenerated message for OBS integration: This bug (962189) was mentioned in https://build.opensuse.org/request/show/354931 Factory / bind
SUSE-SU-2016:0180-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 962189 CVE References: CVE-2015-8704 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): bind-9.9.6P1-28.9.1 SUSE Linux Enterprise Server 12 (src): bind-9.9.6P1-28.9.1 SUSE Linux Enterprise Desktop 12 (src): bind-9.9.6P1-28.9.1
openSUSE-SU-2016:0197-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 962189 CVE References: CVE-2015-8704 Sources used: openSUSE Leap 42.1 (src): bind-9.9.6P1-30.1
openSUSE-SU-2016:0199-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 962189 CVE References: CVE-2015-8704 Sources used: openSUSE 13.2 (src): bind-9.9.6P1-2.16.1
SUSE-SU-2016:0200-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 962189 CVE References: CVE-2015-8704 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Server 11-SP4 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Server 11-SP3 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Server 11-SP2-LTSS (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Desktop 11-SP4 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Desktop 11-SP3 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): bind-9.9.6P1-0.22.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): bind-9.9.6P1-0.22.1
openSUSE-SU-2016:0204-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 962189 CVE References: CVE-2015-8704 Sources used: openSUSE 13.1 (src): bind-9.9.4P2-2.23.1
SUSE-SU-2016:0227-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 939567,944066,958861,962189 CVE References: CVE-2015-5477,CVE-2015-5722,CVE-2015-8000,CVE-2015-8704 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): bind-9.6ESVR11P1-0.18.1
This is an autogenerated message for OBS integration: This bug (962189) was mentioned in https://build.opensuse.org/request/show/370182 Evergreen:11.4+13.1 / bind