[arch-security] [ASA-201607-8] bind: denial of service

Remi Gacogne rgacogne at archlinux.org
Wed Jul 20 15:56:30 UTC 2016


Arch Linux Security Advisory ASA-201607-8
=========================================

Severity: Medium
Date    : 2016-07-20
CVE-ID  : CVE-2016-2775
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package bind before version 9.10.4.P2-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 9.10.4.P2-1.

# pacman -Syu "bind>=9.10.4.P2-1"

The problem has been fixed upstream in version 9.10.4.P2.

Workaround
==========

None.

Description
===========

Although not commonly used, the BIND package contains provisions to
allow systems to resolve names using the lightweight resolver protocol,
a protocol similar to (but distinct from) the normal DNS protocols. The
lightweight resolver protocol can be used either by running the lwresd
utility installed with BIND or by configuring named using the "lwres"
statement in named.conf.

An error has been discovered in the BIND implementation of the
lightweight resolver protocol affecting systems which use this alternate
method to do name resolution. A server which is affected by this defect
will terminate with a segmentation fault error, resulting in a denial of
service to client programs attempting to resolve names.
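A defender reading this advisory wants two answers: is the installed bind older than 9.10.4.P2-1, and does this host actually serve the lightweight resolver protocol (lwresd running, or an "lwres" statement in named.conf)? The script below is an added example written for this page; it is not part of the advisory or of ISC's or Arch's tooling. It assumes a simplified pacman-style version comparison (numeric segments compared numerically, alphabetic segments lexically, a longer remainder counts as newer, which is enough for the 9.10.4.P2 form used here but is not pacman's `vercmp`), that the named configuration lives at `/etc/named.conf`, and that the caller supplies whether lwresd is running. The named.conf content is constructed for the example.

```python
"""Exposure check for CVE-2016-2775 (bind lightweight resolver crash).

Added example, not from the advisory. Reports whether the installed bind is
older than the fixed Arch package and whether the lwres code path is enabled.
"""
import re

# Fixed Arch package version stated in the advisory ("pkgver-pkgrel").
FIXED_VERSION = "9.10.4.P2-1"

_SEG = re.compile(r"\d+|[A-Za-z]+")


def _segments(s):
    """Tokenise a version string into ints and alphabetic runs; separators are dropped."""
    return [int(t) if t.isdigit() else t for t in _SEG.findall(s)]


def _cmp_segments(a, b):
    """Simplified pacman/rpm-style ordering (assumption): numeric beats alpha,
    equal prefixes are ordered by whichever string has segments left over."""
    for x, y in zip(a, b):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(a) > len(b)) - (len(a) < len(b))


def vercmp(v1, v2):
    """Return -1, 0 or 1 comparing two 'pkgver-pkgrel' strings (pkgrel optional)."""
    pv1, _, rel1 = v1.partition("-")
    pv2, _, rel2 = v2.partition("-")
    c = _cmp_segments(_segments(pv1), _segments(pv2))
    if c != 0 or not (rel1 and rel2):
        return c
    return _cmp_segments(_segments(rel1), _segments(rel2))


def strip_named_conf_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


_LWRES = re.compile(r"(?<![\w-])lwres\s*\{")


def named_conf_has_lwres(text):
    """True if an active (uncommented) `lwres { ... };` statement is present."""
    return _LWRES.search(strip_named_conf_comments(text)) is not None


def assess(installed_version, named_conf_text="", lwresd_running=False):
    """Classify the host: 'fixed', 'vulnerable-exposed' or 'vulnerable-not-exposed'.
    A vulnerable package still needs the upgrade even when lwres is not in use."""
    if vercmp(installed_version, FIXED_VERSION) >= 0:
        return "fixed"
    if lwresd_running or named_conf_has_lwres(named_conf_text):
        return "vulnerable-exposed"
    return "vulnerable-not-exposed"


# Constructed sample configuration: one commented-out and one live lwres block.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    // lwres { };   <- commented out, must not count
};
/* lwres { listen-on { 127.0.0.1 port 921; }; }; */
lwres {
    listen-on { 127.0.0.1 port 921; };
    view "default";
};
"""

if __name__ == "__main__":
    import shutil
    import subprocess
    import sys

    version = None
    if shutil.which("pacman"):
        out = subprocess.run(["pacman", "-Q", "bind"], capture_output=True, text=True)
        if out.returncode == 0:
            version = out.stdout.split()[1]   # "bind 9.10.4.P2-1" -> "9.10.4.P2-1"
    conf = ""
    try:
        with open("/etc/named.conf") as f:    # assumed location of named.conf
            conf = f.read()
    except OSError:
        pass
    if version is None:
        print("bind is not installed (or pacman not found); nothing to assess")
        sys.exit(0)
    print(f"bind {version}: {assess(version, conf)}")
```

The "vulnerable-not-exposed" result is deliberately not "safe": the advisory lists no workaround, and a later configuration change or a started lwresd would expose the unpatched binary, so the upgrade is the only durable fix.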

Impact
======

A remote attacker can crash a server that serves the lightweight resolver
protocol (lwresd, or named configured with an "lwres" statement) by
sending a crafted request, causing a denial of service.

References
==========

https://kb.isc.org/article/AA-01393/74/CVE-2016-2775
https://access.redhat.com/security/cve/CVE-2016-2775
