[arch-security] [ASA-201607-8] bind: denial of service
rgacogne at archlinux.org
Wed Jul 20 15:56:30 UTC 2016
Arch Linux Security Advisory ASA-201607-8
Date : 2016-07-20
CVE-ID : CVE-2016-2775
Package : bind
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package bind before version 9.10.4.P2-1 is vulnerable to denial of
Upgrade to 9.10.4.P2-1.
# pacman -Syu "bind>=9.10.4.P2-1"
The problem has been fixed upstream in version 9.10.4.P2.
Although not commonly used, the BIND package contains provisions to
allow systems to resolve names using the lightweight resolver protocol,
a protocol similar to (but distinct from) the normal DNS protocols. The
lightweight resolver protocol can be used either by running the lwresd
utility installed with BIND or by configuring named using the "lwres"
statement in named.conf.
An error has been discovered in the BIND implementation of the
lightweight resolver protocol affecting systems which use this alternate
method to do name resolution. A server which is affected by this defect
will terminate with a segmentation fault error, resulting in a denial of
service to client programs attempting to resolve names.
A remote attacker can crash the server by sending a crafted request,
causing a denial of service.
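The advisory ties exposure to two setups: an "lwres" statement in named.conf, or a running lwresd. The following check for both is an added example, not part of the advisory or of BIND; the function names and sample configurations are constructed for illustration, and it assumes comment markers never appear inside quoted strings.

```shell
#!/bin/sh
# Added example, not from the advisory: detect the two lightweight resolver
# setups it names (an "lwres" statement in named.conf, a running lwresd).

# Remove the comment styles named.conf accepts (/* */, //, #).
strip_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {                  # inside a /* ... */ block
                i = index(line, "*/")
                if (i == 0) break
                line = substr(line, i + 2); in_c = 0; continue
            }
            b = index(line, "/*"); s = index(line, "//"); h = index(line, "#")
            first = b                    # earliest comment opener wins
            if (s && (!first || s < first)) first = s
            if (h && (!first || h < first)) first = h
            if (!first) { out = out line; break }
            out = out substr(line, 1, first - 1)
            if (first != b) break        # // or #: rest of line is comment
            line = substr(line, b + 2); in_c = 1
        }
        print out
    }'
}

# Exit 0 if the named.conf text on stdin contains an lwres statement.
has_lwres_stmt() {
    strip_comments | tr '\n' ' ' |
        grep -Eq '(^|[;}[:space:]])lwres[[:space:]]*\{'
}

# Exit 0 if an lwresd process is running (pgrep comes from procps).
lwresd_running() { pgrep -x lwresd >/dev/null 2>&1; }

# Constructed sample configurations (not taken from the advisory).
SAMPLE_ACTIVE='options { directory "/var/named"; };
lwres {
    listen-on { 127.0.0.1; }; };'
SAMPLE_COMMENTED='options { directory "/var/named"; };
/* lwres { listen-on { 127.0.0.1; }; };
*/ # lwres { view internal; };
zone "lwres" { type master; file "lwres.zone"; };'

if [ "$#" -gt 0 ]; then   # usage: sh check.sh /etc/named.conf
    if has_lwres_stmt < "$1"; then echo "lwres statement active in $1"; fi
    if lwresd_running; then echo "lwresd is running"; fi
fi
```

A host where neither check reports anything does not use the lightweight resolver paths described above; the package upgrade still applies.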