[security-announce] Security Update: ISC BIND 9.10.3-P3: CVE-2016-2775 and CVE-2016-2776 (*HIGH*)

Sona Sarmadi sona.sarmadi at enea.com
Tue Nov 29 12:12:55 CET 2016


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (ISC BIND 9.10.3-P3)
Severity: Medium, High
Architecture: All
CVE Name: CVE-2016-2775 and CVE-2016-2776
====================================================================

Two vulnerabilities (CVE-2016-2775 and CVE-2016-2776) have been fixed in
ISC BIND 9.10.3-P3 in Enea Linux 6.0.

Description
===========
CVE-2016-2775:
ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before
9.11.0b2, when lwresd or the named lwres option is enabled, allows
remote attackers to cause a denial of service (daemon crash) via a long
request that uses the lightweight resolver protocol.

CVE-2016-2776:
buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before
9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct
responses, which allows remote attackers to cause a denial of service
(assertion failure and daemon exit) via a crafted query.

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
https://kb.isc.org/article/AA-01393
https://kb.isc.org/article/AA-01419

Reference to the upstream fixes:
===============================
CVE-2016-2775:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=38cc2d14e218e536e0102fa70deef99461354232

CVE-2016-2776:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=2bd0922cf995b9ac205fc83baf7e220b95c6bf12

Correction for Enea Linux
=========================
http://git.enea.com/cgit/linux/poky.git/patch/?id=7343438092667d32878d18a33ab9a69c07a016df

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for the Enea Linux 6.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo $ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \ -b krogoth\ -m
<manifest file> $ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For gerneral security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20161129/ebcc928b/attachment.sig>


More information about the security-announce mailing list