Arch Linux Security Advisory ASA-201507-6
=========================================

Severity: High
Date    : 2015-07-07
CVE-ID  : CVE-2015-4620
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package bind before version 9.10.2.P2-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 9.10.2.P2-1.

# pacman -Syu "bind>=9.10.2.P2-1"

The problem has been fixed upstream in version 9.10.2.P2.

Workaround
==========

Disabling DNSSEC validation prevents exploitation of this defect but is
not generally recommended. The recommended solution is to upgrade to a
patched version.

DNSSEC validation can be disabled by setting

    dnssec-validation no;

in the "options" section of /etc/named.conf

Description
===========

A very uncommon combination of zone data has been found that triggers a
bug in BIND, with the result that named will exit with a "REQUIRE"
failure in name.c when validating the data returned in answer to a
recursive query.

This means that a recursive resolver that is performing DNSSEC
validation can be deliberately stopped by an attacker who can cause the
resolver to perform a query against a maliciously-constructed zone.

Impact
======

A remote attacker can crash a bind resolver performing DNSSEC validation
by querying it for a specially crafted zone.

References
==========

https://kb.isc.org/article/AA-01267/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620
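
To audit whether the workaround above is actually in place on a host that cannot be upgraded yet, the following added example (not part of the original advisory, nor code from Arch Linux or ISC) reports the dnssec-validation value set in the "options" block of a named.conf-style file. The function names and the sample configuration are constructed for illustration, and the script assumes that comment markers do not occur inside quoted strings.

```shell
# Added example: audit the ASA-201507-6 workaround in a named.conf-style file.
# Assumption: no "//", "#" or "/*" appears inside quoted strings in the file.

# Print the dnssec-validation value set directly in options { ... }, or "unset".
dnssec_validation_setting() {
    awk '
    { text = text $0 "\n" }
    END {
        # Drop /* ... */ comments, which may span lines.
        while ((s = index(text, "/*")) > 0) {
            rest = substr(text, s + 2); e = index(rest, "*/")
            if (e == 0) { text = substr(text, 1, s - 1); break }
            text = substr(text, 1, s - 1) " " substr(rest, e + 2)
        }
        # Drop // and # comments line by line, then isolate { } ; as tokens.
        n = split(text, line, "\n"); text = ""
        for (i = 1; i <= n; i++) { sub(/(\/\/|#).*/, "", line[i]); text = text " " line[i] }
        gsub(/[{};]/, " & ", text)
        n = split(text, tok, /[ \t]+/)
        value = "unset"; depth = 0; in_opts = 0
        for (i = 1; i <= n; i++) {
            if (tok[i] == "{") { depth++; continue }
            if (tok[i] == "}") { if (--depth == 0) in_opts = 0; continue }
            if (depth == 0 && tok[i] == "options" && tok[i + 1] == "{") in_opts = 1
            if (in_opts && depth == 1 && tok[i] == "dnssec-validation") value = tok[i + 1]
        }
        print value
    }' "$1"
}

# Succeed only when the workaround (dnssec-validation no;) is in effect.
workaround_applied() {
    [ "$(dnssec_validation_setting "$1")" = "no" ]
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    directory "/var/named";
    /* dnssec-validation yes; */
    dnssec-validation no;   // ASA-201507-6 workaround
};
EOF
if workaround_applied "$sample"; then echo "workaround applied"
else echo "dnssec-validation is: $(dnssec_validation_setting "$sample")"; fi
rm -f "$sample"
```

The check reads only the "options" block of the one file it is given; included files and per-view settings are not followed, so run it against each file that can carry the option.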