[arch-security] [ASA-201509-2] bind: denial of service
rgacogne at archlinux.org
Thu Sep 3 08:53:13 UTC 2015
Arch Linux Security Advisory ASA-201509-2
Date : 2015-09-03
CVE-ID : CVE-2015-5722 CVE-2015-5986
Package : bind
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package bind before version 9.10.2.P4-1 is vulnerable to denial of
Upgrade to 9.10.2.P4-1.
# pacman -Syu "bind>=9.10.2.P4-1"
The problem has been fixed upstream in versions 9.9.7-P3 and 9.10.2-P4.
CVE-2015-5722 might be mitigated by disabling DNSSEC validation. However
this is not recommended by ISC as it would increase the risk of other
types of DNS attacks.
- CVE-2015-5722 (Parsing malformed keys may cause BIND to exit due to a
failed assertion in buffer.c):
Parsing a malformed DNSSEC key can cause a validating resolver to exit
due to a failed assertion in buffer.c. It is possible for a remote
attacker to deliberately trigger this condition, for example by using a
query which requires a response from a zone containing a deliberately
- CVE-2015-5986 (An incorrect boundary check can trigger a REQUIRE
assertion failure in openpgpkey_61.c):
An incorrect boundary check in openpgpkey_61.c can cause named to
terminate due to a REQUIRE assertion failure. This defect can be
deliberately exploited by an attacker who can provide a maliciously
constructed response in answer to a query.
A remote attacker can crash a recursive server by causing a query to be
sent for a specially crafted DNS zone she controls, causing denial of
A remote attacker might be able to crash an authoritative server if she
controls a zone the server must query against to perform its zone
service, causing denial of service.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the arch-security