Skip to Content.
Sympa Menu

discuss - [opennic-discuss] Fwd: [SECURITY] [DSA 3854-1] bind9 security update

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

[opennic-discuss] Fwd: [SECURITY] [DSA 3854-1] bind9 security update


Chronological Thread 
    < Chronological >      < Thread >
  • From: Fusl Dash <opennic AT lists.dedilink.eu>
  • To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
  • Subject: [opennic-discuss] Fwd: [SECURITY] [DSA 3854-1] bind9 security update
  • Date: Mon, 15 May 2017 04:21:28 +0200
-------- Forwarded Message --------
Subject: [SECURITY] [DSA 3854-1] bind9 security update
Resent-Date: Sun, 14 May 2017 17:48:03 +0000 (UTC)
Resent-From: debian-security-announce AT lists.debian.org
Date: Sun, 14 May 2017 17:47:46 +0000
From: Salvatore Bonaccorso <carnil AT debian.org>
Reply-To: debian-security-announce-request AT lists.debian.org
To: debian-security-announce AT lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-3854-1 security AT debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 14, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : bind9
CVE ID : CVE-2017-3136 CVE-2017-3137 CVE-2017-3138
Debian Bug : 860224 860225 860226

Several vulnerabilities were discovered in BIND, a DNS server
implementation. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2017-3136

Oleg Gorokhov of Yandex discovered that BIND does not properly
handle certain queries when using DNS64 with the "break-dnssec yes;"
option, allowing a remote attacker to cause a denial-of-service.

CVE-2017-3137

It was discovered that BIND makes incorrect assumptions about the
ordering of records in the answer section of a response containing
CNAME or DNAME resource records, leading to situations where BIND
exits with an assertion failure. An attacker can take advantage of
this condition to cause a denial-of-service.

CVE-2017-3138

Mike Lalumiere of Dyn, Inc. discovered that BIND can exit with a
REQUIRE assertion failure if it receives a null command string on
its control channel. Note that the fix applied in Debian is only
applied as a hardening measure. Details about the issue can be found
at https://kb.isc.org/article/AA-01471 .

For the stable distribution (jessie), these problems have been fixed in
version 1:9.9.5.dfsg-9+deb8u11.

For the unstable distribution (sid), these problems have been fixed in
version 1:9.10.3.dfsg.P4-12.3.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org

Attachment: signature.asc
Description: OpenPGP digital signature


  • [opennic-discuss] Fwd: [SECURITY] [DSA 3854-1] bind9 security update, Fusl Dash, 05/15/2017

Archive powered by MHonArc 2.6.19.

Top of Page