id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc 6697,bind9.10.2-P2 and BIND Utilities-9.10.2-P2,Fernando de Oliveira,bdubbs@…,"[ftp://ftp.isc.org/isc/bind9/9.10.2-P2/bind-9.10.2-P2.tar.gz] [ftp://ftp.isc.org/isc/bind9/9.10.2-P2/bind-9.10.2-P2.tar.gz.sha512.asc] [https://kb.isc.org/article/AA-01267] {{{ CVE-2015-4620: Specially Cbind9.10.2-P1 and BIND Utilities-9.10.2-P1onstructed Zone Data Can Cause a Resolver to Crash when Validating Author: Michael McNally Reference Number: AA-01267 Views: 2884 Created: 2015-06-16 19:57 Last Updated: 2015-07-07 18:15 An attacker who can cause a validating resolver to query a zone containing specifically constructed contents can cause that resolver to fail an assertion and terminate due to a defect in validation code. CVE: CVE-2015-4620 Document Version: 2.0 Posting date: 7 July 2015 Program Impacted: BIND Versions affected: BIND 9.7.1 -> 9.7.7, 9.8.0 -> 9.8.8, 9.9.0 -> 9.9.7, 9.10.0 -> 9.10.2-P1. Severity: Critical Exploitable: Remotely Description: A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a ""REQUIRE"" failure in name.c when validating the data returned in answer to a recursive query. This means that a recursive resolver that is performing DNSSEC validation can be deliberately stopped by an attacker who can cause the resolver to perform a query against a maliciously-constructed zone. Impact: A recursive resolver that is performing DNSSEC validation can be deliberately terminated by any attacker who can cause a query to be performed against a maliciously constructed zone. This will result in a denial of service to clients who rely on that resolver. DNSSEC validation is only performed by a recursive resolver if it has ""dnssec-validation auto;"" in its configuration or if it has a root trust anchor defined and has ""dnssec-validation yes;"" set (either by accepting the default or via an explicitly set value of ""yes"".) By default ISC BIND recursive servers will not validate. (However, ISC defaults may have been changed by your distributor.) CVSS Score: 7.8 CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C) }}} [ftp://ftp.isc.org/isc/bind9/9.10.2-P2/CHANGES] [ftp://ftp.isc.org/isc/bind9/9.10.2-P2/RELEASE-NOTES-9.10.2-P2.txt] {{{ Release Notes for BIND Version 9.10.2-P2 Introduction This document summarizes changes since BIND 9.10.2: BIND 9.10.2-P2 addresses a security issue described in CVE-2015-4620. BIND 9.10.2-P1 addressed several bugs that have been identified ... Security Fixes * On servers configured to perform DNSSEC validation an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795] New Features * None Feature Changes * None Bug Fixes ... }}}",enhancement,closed,high,7.8,BOOK,SVN,normal,fixed,,