Bug 1193820 (CVE-2015-1349)
| Summary: | CVE-2015-1349 bind: issue in trust anchor management can cause named to crash |
|---|---|
| Product: | [Other] Security Response |
| Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability |
| Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | medium |
| Version: | unspecified |
| CC: | btotty, magoldma, mdshaikh, mjc, mkalyat, security-response-team, thozza, vchepkov, vkaigoro, yozone |
| Keywords: | Security |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | BIND 9.9.7, BIND 9.10.2 |
| Doc Type: | Bug Fix |
| Doc Text: | A flaw was found in the way BIND handled trust anchor management. A remote attacker could use this flaw to cause the BIND daemon (named) to crash under certain conditions. |
| Last Closed: | 2015-03-11 03:51:47 UTC |
| Bug Depends On: | 1197618, 1197619, 1197620, 1197621 |
| Bug Blocks: | 1193821 |

Description
Vasyl Kaigorodov
2015-02-18 10:31:54 UTC
Created attachment 993044
bind9-patch-v9_10_1-CVE-2015-1349
Created attachment 993045
bind9-patch-v9_9_6-CVE-2015-1349
Acknowledgements: Red Hat would like to thank ISC for reporting this issue.

Looking at bind9-patch-v9_9_6-CVE-2015-1349, and at RHEL code, it appears that RHEL 5 (bind-9.3.6-P1) is not affected by this (does not contain affected code), and both RHEL-6 (bind-9.8.2rc1) and RHEL-7 (bind-9.9.4) are affected by this issue.

There is also a bind97 component in RHEL-5 which, according to upstream, is also affected.

Setting NEEDINFO due to comment #6

bind-9.9.6-8.P1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

bind-9.9.4-18.P2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

External References:
https://kb.isc.org/article/AA-01235/0/CVE-2015-1349%3A-A-Problem-with-Trust-Anchor-Management-Can-Cause-named-to-Crash.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
Via RHSA-2015:0672 https://rhn.redhat.com/errata/RHSA-2015-0672.html

Statement: Red Hat Enterprise Linux 5 ships with both bind (9.3) packages which are not affected by this issue, and bind97 packages, which are affected by this issue. Red Hat Enterprise Linux 5 is now in Production Phase 3 of the support and maintenance life cycle. This issue is not currently planned to be addressed in future bind97 updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.