[security-announce] bind: Security Update

Tudor Florea tudor.florea at enea.com
Fri Nov 13 11:28:58 CET 2015



                Enea Linux Security Advisory

=========================================================
Product/package: Enea Linux 5.0-Arm / bind
Severity: Medium
CVE Names: CVE-2015-1349, CVE-2015-4620, CVE-2015-5722
Layer: meta
=========================================================

This security update fixes the following vulnerabilities:
CVE-2015-1349: Revoking a managed trust anchor and supplying an untrusted
replacement could cause an assertion failure.
CVE-2015-4620: Abort denial of service caused by use of an uninitialized
value in isselfsigned().
CVE-2015-5722: A malformed DNSSEC key could lead to an assertion failure.


Description:
===========
CVE-2015-1349:
named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x
before 9.10.1-P2, when DNSSEC validation and the managed-keys feature
are enabled, allows remote attackers to cause a denial of service
(assertion failure and daemon exit, or daemon crash) by triggering an
incorrect trust-anchor management scenario in which no key is ready
for use.

CVE-2015-4620:
name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and
9.10.x before 9.10.2-P2, when configured as a recursive resolver with
DNSSEC validation, allows remote attackers to cause a denial of
service (REQUIRE assertion failure and daemon exit) by constructing
crafted zone data and then making a query for a name in that zone.


CVE-2015-5722:
buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before
9.10.2-P4 allows remote attackers to cause a denial of service
(assertion failure and daemon exit) by creating a zone containing a
malformed DNSSEC key and issuing a query for a name in that zone.
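The three descriptions above give, per CVE, the affected release range and the first fixed release on the 9.9 and 9.10 branches. The following triage helper, added here as an example and not part of the Enea advisory or of BIND, parses a BIND version string (as printed by `named -v`) and reports which of the advisory's CVEs still apply; the thresholds are taken from the Description section, and a missing `-Pn` suffix is treated as patch level 0 so that `9.10.2` sorts before `9.10.2-P2`.

```python
import re
from typing import List, Optional, Tuple

# (major, minor, patch, P-level); a release without a "-Pn" suffix has P-level 0.
Version = Tuple[int, int, int, int]

# Per CVE: lowest affected release, then first fixed release per branch, as stated
# in the advisory text. 9.7.x and 9.8.x are compared against the 9.9 threshold,
# which they always fall below: the advisory lists them as affected with no fix.
ADVISORY = {
    "CVE-2015-1349": ((9, 7, 0, 0), {"9.9": (9, 9, 6, 2), "9.10": (9, 10, 1, 2)}),
    "CVE-2015-4620": ((9, 7, 0, 0), {"9.9": (9, 9, 7, 1), "9.10": (9, 10, 2, 2)}),
    "CVE-2015-5722": ((9, 0, 0, 0), {"9.9": (9, 9, 7, 3), "9.10": (9, 10, 2, 4)}),
}

_VER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z[-Pn] version from text such as 'BIND 9.9.6-P1'."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def affected_cves(version_text: str) -> List[str]:
    """Return the CVEs from this advisory that apply to the given BIND version."""
    v = parse_bind_version(version_text)
    if v is None:
        raise ValueError(f"no BIND version found in {version_text!r}")
    hits = []
    for cve, (first_affected, fixed) in ADVISORY.items():
        if v < first_affected:
            continue                      # predates the affected range
        if v[0] == 9 and v[1] == 10:
            threshold = fixed["9.10"]
        elif v[0] == 9 and v[1] <= 9:
            threshold = fixed["9.9"]
        else:
            continue                      # branches the advisory does not name
        if v < threshold:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample of `named -v` output, not a real host.
    print(affected_cves("BIND 9.9.6-P1"))  # all three CVEs apply
```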


References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722
https://kb.isc.org/article/AA-01235/74/CVE-2015-1349%3A-A-Problem-with-Trust-Anchor-Management-Can-Cause-named-to-Crash.html
https://kb.isc.org/article/AA-01267/74/CVE-2015-4620%3A-Specially-Constructed-Zone-Data-Can-Cause-a-Resolver-to-Crash-when-Validating.html
https://kb.isc.org/article/AA-01287/74/CVE-2015-5722%3A-Parsing-malformed-keys-may-cause-BIND-to-exit-due-to-a-failed-assertion-in-buffer.c.html

Correction for Enea Linux
http://git.enea.com/cgit/linux/poky.git/commit/?h=dizzy&id=b6105680bfb85915e0012c456118441c4c74463d

How to get the latest patches
=============================
If you have already cloned poky, update it to get new security patches.

cd Enea-Linux-5.0/poky/
git pull

If you have not yet cloned needed repositories, do it as described below.

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-openembedded.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy git://git.enea.com/linux/meta-enea/meta-vt.git


If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Tudor Florea
www.enea.com