[arch-security] [ASA-201607-8] bind: denial of service
Arch Linux Security Advisory ASA-201607-8
=========================================

Severity: Medium
Date    : 2016-07-20
CVE-ID  : CVE-2016-2775
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package bind before version 9.10.4.P2-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 9.10.4.P2-1.

# pacman -Syu "bind>=9.10.4.P2-1"

The problem has been fixed upstream in version 9.10.4.P2.

Workaround
==========

None.

Description
===========

Although not commonly used, the BIND package contains provisions to
allow systems to resolve names using the lightweight resolver protocol,
a protocol similar to (but distinct from) the normal DNS protocols. The
lightweight resolver protocol can be used either by running the lwresd
utility installed with BIND or by configuring named using the "lwres"
statement in named.conf.

An error has been discovered in the BIND implementation of the
lightweight resolver protocol affecting systems which use this alternate
method to do name resolution. A server which is affected by this defect
will terminate with a segmentation fault error, resulting in a denial of
service to client programs attempting to resolve names.

Impact
======

A remote attacker can crash the server by sending a crafted request,
causing a denial of service.

References
==========

https://kb.isc.org/article/AA-01393/74/CVE-2016-2775
https://access.redhat.com/security/cve/CVE-2016-2775
Remi Gacogne
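The Description says named only speaks the lightweight resolver protocol when named.conf carries an "lwres" statement. The script below is an added example, not part of the advisory or of BIND: it reports whether a configuration has an active top-level "lwres" statement, so hosts still awaiting the upgrade can be sorted by exposure. The function name has_lwres_statement is hypothetical, and the script does not detect a separately running lwresd.

```shell
#!/bin/sh
# Added example (not from the advisory): detect an active top-level "lwres"
# statement in named.conf text. Comments (/* */, //, #) are ignored.
# Simplification: comment markers or braces inside quoted strings are not handled.

# Reads named.conf text on stdin; exit status 0 if lwres is enabled, 1 if not.
has_lwres_statement() {
    awk '
    BEGIN { start = 1 }                      # start = at the beginning of a statement
    {
        line = $0; out = ""
        # Drop /* ... */ comments, which may span several lines.
        while (line != "") {
            if (in_c) {
                e = index(line, "*/")
                if (!e) break
                line = substr(line, e + 2); in_c = 0
            } else {
                s = index(line, "/*")
                if (!s) { out = out line; break }
                out = out substr(line, 1, s - 1) " "
                line = substr(line, s + 2); in_c = 1
            }
        }
        sub(/(\/\/|#).*/, "", out)           # drop // and # line comments
        gsub(/[{};]/, " & ", out)            # braces and semicolons become tokens
        n = split(out, tok, " ")
        for (i = 1; i <= n; i++) {
            t = tok[i]
            # Only a statement keyword at brace depth 0 counts.
            if (depth == 0 && start && t == "lwres") found = 1
            if (t == "{") { depth++; start = 1 }
            else if (t == "}") { depth--; start = 0 }
            else if (t == ";") start = 1
            else start = 0
        }
    }
    END { exit !found }'
}

# Stand-alone use: pass the path of a configuration file as the first argument.
if [ "$#" -gt 0 ]; then
    if has_lwres_statement < "$1"; then
        echo "lwres statement active in $1"
    else
        echo "no active lwres statement in $1"
    fi
fi
```

Configurations split across include files can be checked by piping the output of named-checkconf -p into the function, since that prints the configuration with included files expanded.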