[security-announce] Security Update: bind: CVE-2016-2775 and CVE-2016-2776 (HIGH)
sona.sarmadi at enea.com
Fri Oct 28 14:15:03 CEST 2016
Enea Linux Security Advisory
Product/package: Enea Linux 6.0: (bind 9.10.3-P3)
Severity: Medium, High
CVE Name: CVE-2016-2775 and CVE-2016-2776
This security update fixes following vulnerabilities in bind 9.10.3-P3.
CVE-2016-2775: A query name which is too long can cause a segmentation
fault in lwresd.
CVE-2016-2776: Assertion Failure in buffer.c While Building Responses to
a Specifically Constructed Request.
ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before
9.11.0b2, when lwresd or the named lwres option is enabled, allows
remote attackers to cause a denial of service (daemon crash) via a long
request that uses the lightweight resolver protocol.
buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before
9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct
responses, which allows remote attackers to cause a denial of service
(assertion failure and daemon exit) via a crafted query.
Reference to the patch in the upstream branch (Yocto/OE)*
* Note: This fix is in the Yocto's staging area and will soon be merged.
If you need a quick security fix you can use this patch otherwise you
should wait until it gets merged to
How to get the latest patches
- If you have already cloned needed repositories, update it to get new
$ repo sync
- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).
Use repo tool to download the source for the Enea Linux 6.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
$ curl https://storage.googleapis.com/git-repo-downloads/repo >
$ chmod a+x ~/bin/repo
The instruction assumes that ~/bin exists and is included in the PATH
2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \
-m <manifest file>
$ repo sync
The parameter <manifest file> depends on the target:
If you have any questions regarding the security patches and security
updates please contact security at enea.com.
For gerneral security refer to Enea Linux Security page:
For the CVEs fixed at Enea Linux releases see CVE list:
For custom packages/releases please use the Support Channel:
Enea Security Team
Mobile: +46 70 971 4475
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: OpenPGP digital signature
More information about the security-announce