Bugzilla – Bug 970073
VUL-0: CVE-2016-1286: bind: An error when parsing signature records for DNAME can lead to named exiting due to an assertion failure
Last modified: 2017-09-20 14:57:00 UTC
CVE: CVE-2016-1286 Document Version: 1.1 Posting date: 09 March 2016 Program Impacted: BIND Versions affected: 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5, 9.10.0 -> 9.10.3-P3 Severity: High Exploitable: Remotely Description: An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. Impact: An attacker able to cause a server to make a query deliberately chosen to generate a response containing a signature record which would exercise this vulnerability can cause named to stop execution with an assertion failure, resulting in denial of service to clients. Recursive resolvers are at the highest risk of vulnerability to this attack but authoritative-only servers may be also be vulnerable if the attacker can control the answers for records requested when the authoritative server is performing service on zones (e.g. a slave server doing SOA queries.) Servers may be affected even if they are not performing validation or have DNSSEC disabled entirely as long as they receive a response containing offending signature records. Disabling DNSSEC does not provide protection against this vulnerability. CVSS Score: 7.8 CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C) For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) Workarounds: None known. Active exploits: No known active exploits. Solution: Upgrade to the patched release most closely related to your current version of BIND: BIND 9 version 9.9.8-P4 BIND 9 version 9.10.3-P4 BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to eligible ISC Support customers. BIND 9 version 9.9.8-S6 Document Revision History: 1.0 Advance Notification 02 March 2016 1.1 "Versions affected" and "Solution" text expanded to cover BIND 9 Supported Preview Edition; "Versions affected" and "Impact" text expanded to cover all old versions. 07 March 2016 Related Documents: See our BIND9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913 for a complete listing of Security Vulnerabilities and versions affected. If you'd like more information on ISC Subscription Support and Advance Security Notifications, please visit http://www.isc.org/support/. Do you still have questions? Questions regarding this advisory should go to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/. Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see http://www.isc.org/downloads/). ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html This Knowledge Base article https://kb.isc.org/article/AA-01353 is the complete and official security advisory document. Legal Disclaimer: Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors. (c) 2001-2016 Internet Systems Consortium
bugbot adjusting priority
public now
This is an autogenerated message for OBS integration: This bug (970073) was mentioned in https://build.opensuse.org/request/show/369936 13.2 / bind
This is an autogenerated message for OBS integration: This bug (970073) was mentioned in https://build.opensuse.org/request/show/370068 Factory / bind
This is an autogenerated message for OBS integration: This bug (970073) was mentioned in https://build.opensuse.org/request/show/370182 Evergreen:11.4+13.1 / bind
SUSE-SU-2016:0759-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): bind-9.9.6P1-38.1 SUSE Linux Enterprise Server 12-SP1 (src): bind-9.9.6P1-38.1 SUSE Linux Enterprise Desktop 12-SP1 (src): bind-9.9.6P1-38.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-03-22. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62561
SUSE-SU-2016:0780-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): bind-9.9.6P1-28.12.1 SUSE Linux Enterprise Server 12 (src): bind-9.9.6P1-28.12.1 SUSE Linux Enterprise Desktop 12 (src): bind-9.9.6P1-28.12.1
SUSE-SU-2016:0825-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bind-9.9.6P1-0.25.1 SUSE Linux Enterprise Server 11-SP4 (src): bind-9.9.6P1-0.25.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): bind-9.9.6P1-0.25.1 SUSE Linux Enterprise Server 11-SP2-LTSS (src): bind-9.9.6P1-0.25.1 SUSE Linux Enterprise Desktop 11-SP4 (src): bind-9.9.6P1-0.25.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): bind-9.9.6P1-0.25.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): bind-9.9.6P1-0.25.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): bind-9.9.6P1-0.25.1
openSUSE-SU-2016:0827-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: openSUSE 13.1 (src): bind-9.9.4P2-2.29.1
openSUSE-SU-2016:0830-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: openSUSE Evergreen 11.4 (src): bind-9.9.4P2-75.1
openSUSE-SU-2016:0834-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: openSUSE 13.2 (src): bind-9.9.6P1-2.19.1
released
And openSUSE Leap is not affected? SLES12 is.
Last time I submitted updates for Leap, I got told they aren't needed, because it automatically inherits them from SLE12.
(In reply to Reinhard Max from comment #19) > Last time I submitted updates for Leap, I got told they aren't needed, > because it automatically inherits them from SLE12. It makes sense, but there are no patches available and the bug is closed. Perhaps there went something wrong.
that depends on the package. it can be checked out in the virtual pacakge openSUSE:Leap:42.1:Update 00Meta lookup.yml which has a mapping of origin for every pacakge. grep -w bind openSUSE\:Leap\:42.1\:Update/00Meta/lookup.yml bind: SUSE:SLE-12-SP1:GA so yes, bind is imported from the 12-sp1 update. I just approved this pending update for 42.1.
openSUSE-SU-2016:0859-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: openSUSE Leap 42.1 (src): bind-9.9.6P1-33.1
Requesting patch for SLES11SP1 LTSS.
Requesting patch for SLES11SP1 LTSS from Huawei.
SUSE-SU-2016:1541-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 970072,970073 CVE References: CVE-2016-1285,CVE-2016-1286 Sources used: SUSE OpenStack Cloud 5 (src): bind-9.9.6P1-0.27.1 SUSE Manager Proxy 2.1 (src): bind-9.9.6P1-0.27.1 SUSE Manager 2.1 (src): bind-9.9.6P1-0.27.1
released.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-01-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63332