[security-announce] Security Update: bind: CVE-2016-1285, CVE-2016-1286 *HIGH*

Sona Sarmadi sona.sarmadi at enea.com
Fri Apr 8 08:45:48 CEST 2016


	Enea Linux Security Advisory

=========================================================
Product/package: bind 9.9.5/ Enea Linux 5.0
Severity: High
CVE Name: CVE-2016-1285, CVE-2016-1286
Layer: meta
=========================================================

This security update fixes following vulnerabilities in bind 9.9.5:
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion
failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure

Description:
CVE-2016-1285
named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows
remote attackers to cause a denial of service (assertion failure and
daemon exit) via a malformed packet to the rndc (aka control channel)
interface, related to alist.c and sexpr.c.

CVE-2016-1286
named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows
remote attackers to cause a denial of service (assertion failure and
daemon exit) via a crafted signature record for a DNAME record, related
to db.c and resolver.c.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286

References to the Upstream commits and Security Advisories:
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=31e4657cf246e41d4c5c890315cb6cf89a0db25a

CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7

CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=ce3cd91caee698cb144e1350c6c78292c6be6339

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=c6477d7bc514c951746d6b717c033475fc45f3fc

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned needed repositories, do it as described
below. (All patches are fetched implicitly when cloning the repos).

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
openembedded.git
git -C $POKY clone -b dizzy
git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy
git://git.enea.com/linux/meta-enea/meta-vt.git

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20160408/f8ec1d37/attachment.sig>


More information about the security-announce mailing list