Debian alert DLA-957-1 (bind9)
| From: | Thorsten Alteholz <debian@alteholz.de> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 957-1] bind9 security update | |
| Date: | Sun, 28 May 2017 15:21:05 +0200 (CEST) | |
| Message-ID: | <alpine.DEB.2.02.1705281520050.2073@jupiter.server.alteholz.net> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : bind9 Version : 1:9.8.4.dfsg.P1-6+nmu2+deb7u16 CVE ID : CVE-2017-3136 CVE-2017-3137 CVE-2017-3138 CVE-2017-3136 Oleg Gorokhov of Yandex discovered that BIND does not properly handle certain queries when using DNS64 with the "break-dnssec yes;" option, allowing a remote attacker to cause a denial-of-service. CVE-2017-3137 It was discovered that BIND makes incorrect assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records, leading to situations where BIND exits with an assertion failure. An attacker can take advantage of this condition to cause a denial-of-service. CVE-2017-3138 Mike Lalumiere of Dyn, Inc. discovered that BIND can exit with a REQUIRE assertion failure if it receives a null command string on its control channel. Note that the fix applied in Debian is only applied as a hardening measure. Details about the issue can be found at https://kb.isc.org/article/AA-01471 . For Debian 7 "Wheezy", these problems have been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u16. We recommend that you upgrade your bind9 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQJ8BAEBCgBmBQJZKs7BXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5 NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hH0DUQAKHHpsaMFRZe+IOATOM4bZ1u qNHFbiN0b5jT2IxRA7A66ENPJrPC+NvvhObIlKs01OLLy0wkvyNxOlBZG4Y/m45U VIxNHiYeqUr/+WvJB88YzbzjVW9of91zlHbluWpw1onnXnM4KEWBaEZv2hYtoXt6 RFc742uR58liE0xSxrG4ksVcqmDSW7l8SvoW6oS07LNdWduLuHHYNYPM86rluLPk fh4Xm7FEVMbBSMkFrg6jNFlWk+Gh7Inm4Ey25kLxc/5Y97sNMcy+QJnnhi65zYD2 Ghu9PM4MehfSUYJN1w0dPDE0XM9R7G4iko6FKwLk9dWzXt8KLh32RomeQjvlNr5x GiY/UDbUeer9PCK35OXbm0KBQ+nZI3v9wHYcTclAfT48BjBQoq5lHzl69xl1SGNC UpJczgr4ZGyYY9DCbgImwXf04VarXBdgcLXimqdnRvoQcrleUohiIRIWI78S0aEW NkBzpMc7RciGLoF3rrDCHHIgkDkE4lmRyAm5xckaqAhuiuNNuaGO1YpaFRXNOjYc BwgKu4F/lIX/hrC4Pa3Xr9Oj+NQ8cOZqTwzCzVIjkguxx1igubLT2LdvHQp/PnKE VIbzo4Hx1rca9PHtIln7J0XcdCHJ/hG3d+bDCr1YTeGY7tdicy821UgqBFFAltJA 6194hC09ConqJ6m1p4Ww =lJWn -----END PGP SIGNATURE-----