Описание
Security update for bind
This update for bind fixes the following issues:
CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion.
CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64.
CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure.
CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message.
CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.
One additional non-security bug was fixed:
The default umask was changed to 077. (bsc#1020983)
Список пакетов
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP1
SUSE Linux Enterprise Software Development Kit 12 SP2
Ссылки
- Link for SUSE-SU-2017:0998-1
- E-Mail link for SUSE-SU-2017:0998-1
- SUSE Security Ratings
- SUSE Bug 1020983
- SUSE Bug 1033466
- SUSE Bug 1033467
- SUSE Bug 1033468
- SUSE Bug 987866
- SUSE Bug 989528
- SUSE CVE CVE-2016-2775 page
- SUSE CVE CVE-2016-6170 page
- SUSE CVE CVE-2017-3136 page
- SUSE CVE CVE-2017-3137 page
- SUSE CVE CVE-2017-3138 page
Описание
ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.
Затронутые продукты
Ссылки
- CVE-2016-2775
- SUSE Bug 989528
Описание
ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.
Затронутые продукты
Ссылки
- CVE-2016-6170
- SUSE Bug 1028603
- SUSE Bug 987866
Описание
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8.
Затронутые продукты
Ссылки
- CVE-2017-3136
- SUSE Bug 1018700
- SUSE Bug 1018701
- SUSE Bug 1018702
- SUSE Bug 1024130
- SUSE Bug 1033461
- SUSE Bug 1033466
- SUSE Bug 1081545
Описание
Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8.
Затронутые продукты
Ссылки
- CVE-2017-3137
- SUSE Bug 1018700
- SUSE Bug 1018701
- SUSE Bug 1018702
- SUSE Bug 1024130
- SUSE Bug 1033461
- SUSE Bug 1033466
- SUSE Bug 1033467
- SUSE Bug 1034162
- SUSE Bug 1076118
- SUSE Bug 1081545
Описание
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
Затронутые продукты
Ссылки
- CVE-2017-3138
- SUSE Bug 1018700
- SUSE Bug 1018701
- SUSE Bug 1018702
- SUSE Bug 1024130
- SUSE Bug 1033461
- SUSE Bug 1033466
- SUSE Bug 1033468