Arch Linux Security Advisory ASA-201512-10 ========================================== Severity: High Date : 2015-12-16 CVE-ID : CVE-2015-8000 Package : bind Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package bind before version 9.10.3.P2-1 is vulnerable to denial of service. Resolution ========== Upgrade to 9.10.3.P2-1. # pacman -Syu "bind>=9.10.3.P2-1" The problem has been fixed upstream in version 9.10.3.P2. Workaround ========== None. Description =========== An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries. An attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients. The risk to recursive servers is high. Authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs. Impact ====== A remote attacker is able to send specially crafted packets to crash the bind process leading to denial of service. References ========== https://access.redhat.com/security/cve/CVE-2015-8000 https://kb.isc.org/article/AA-01317