[arch-security] [ASA-201509-2] bind: denial of service

Remi Gacogne rgacogne at archlinux.org
Thu Sep 3 08:53:13 UTC 2015

Arch Linux Security Advisory ASA-201509-2

Severity: High
Date    : 2015-09-03
CVE-ID  : CVE-2015-5722 CVE-2015-5986
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package bind before version 9.10.2.P4-1 is vulnerable to denial of


Upgrade to 9.10.2.P4-1.

# pacman -Syu "bind>=9.10.2.P4-1"

The problem has been fixed upstream in versions 9.9.7-P3 and 9.10.2-P4.


CVE-2015-5722 might be mitigated by disabling DNSSEC validation. However
this is not recommended by ISC as it would increase the risk of other
types of DNS attacks.


- CVE-2015-5722 (Parsing malformed keys may cause BIND to exit due to a
failed assertion in buffer.c):

Parsing a malformed DNSSEC key can cause a validating resolver to exit
due to a failed assertion in buffer.c. It is possible for a remote
attacker to deliberately trigger this condition, for example by using a
query which requires a response from a zone containing a deliberately
malformed key.

- CVE-2015-5986 (An incorrect boundary check can trigger a REQUIRE
assertion failure in openpgpkey_61.c):

An incorrect boundary check in openpgpkey_61.c can cause named to
terminate due to a REQUIRE assertion failure. This defect can be
deliberately exploited by an attacker who can provide a maliciously
constructed response in answer to a query.


A remote attacker can crash a recursive server by causing a query to be
sent for a specially crafted DNS zone she controls, causing denial of
A remote attacker might be able to crash an authoritative server if she
controls a zone the server must query against to perform its zone
service, causing denial of service.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150903/5c394404/attachment.asc>

More information about the arch-security mailing list