MGASA-2017-0478
- Source
- https://advisories.mageia.org/MGASA-2017-0478.html
- Import Source
- https://advisories.mageia.org/MGASA-2017-0478.json
- JSON Data
- https://api.osv.dev/v1/vulns/MGASA-2017-0478
- Related
- Published
- 2017-12-31T12:00:06Z
- Modified
- 2017-12-31T11:30:27Z
- Summary
- Updated bind packages fix security vulnerability
- Details
-
It was discovered that Bind incorrectly handled certain malformed responses to an ANY query. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2016-9131).
It was discovered that Bind incorrectly handled certain malformed responses to an ANY query. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2016-9147).
It was discovered that Bind incorrectly handled certain malformed DS record responses. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2016-9444).
An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes (CVE-2016-9778).
It was discovered that Bind incorrectly handled rewriting certain query responses when using both DNS64 and RPZ. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2017-3135).
Oleg Gorokhov discovered that in some situations, Bind did not properly handle DNS64 queries. An attacker could use this to cause a denial of service (CVE-2017-3136).
It was discovered that the resolver in Bind made incorrect assumptions about ordering when processing responses containing a CNAME or DNAME. An attacker could use this cause a denial of service (CVE-2017-3137).
Mike Lalumiere discovered that in some situations, Bind did not properly handle invalid operations requested via its control channel. An attacker with access to the control channel could cause a denial of service (CVE-2017-3138).
Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone transfer requests. An attacker could use this to improperly transfer entire zones (CVE-2017-3142).
Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone update requests. An attacker could use this to improperly perform zone updates (CVE-2017-3143).
- References
-
- https://advisories.mageia.org/MGASA-2017-0478.html
- https://bugs.mageia.org/show_bug.cgi?id=20107
- https://kb.isc.org/article/AA-01439
- https://kb.isc.org/article/AA-01440
- https://kb.isc.org/article/AA-01441
- https://kb.isc.org/article/AA-01442
- https://kb.isc.org/article/AA-01453
- https://kb.isc.org/article/AA-01465
- https://kb.isc.org/article/AA-01466
- https://kb.isc.org/article/AA-01471
- https://kb.isc.org/article/AA-01503
- https://kb.isc.org/article/AA-01504
- https://kb.isc.org/article/AA-01447
- https://kb.isc.org/article/AA-01455
- https://kb.isc.org/article/AA-01484
- https://kb.isc.org/article/AA-01508
- https://ftp.isc.org/isc/bind9/9.10.5-P3/RELEASE-NOTES-bind-9.10.5-P3.html
- https://usn.ubuntu.com/usn/usn-3172-1/
- https://usn.ubuntu.com/usn/usn-3201-1/
- https://usn.ubuntu.com/usn/usn-3259-1/
- Credits
-
-
- Mageia - COORDINATOR
-
Affected packages
Mageia:5 / bind
Package
- Name
- bind
- Purl
- pkg:rpm/mageia/bind?distro=mageia-5