
Test ID: 1.3.6.1.4.1.25623.1.1.10.2017.0478
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2017-0478)
Summary: The remote host is missing an update for the 'bind' package(s) announced via the MGASA-2017-0478 advisory.
Description:
Summary:
The remote host is missing an update for the 'bind' package(s) announced via the MGASA-2017-0478 advisory.

Vulnerability Insight:
It was discovered that Bind incorrectly handled certain malformed responses
to an ANY query. A remote attacker could possibly use this issue to cause
Bind to crash, resulting in a denial of service (CVE-2016-9131).

It was discovered that Bind incorrectly handled certain malformed responses
to an ANY query. A remote attacker could possibly use this issue to cause
Bind to crash, resulting in a denial of service (CVE-2016-9147).

It was discovered that Bind incorrectly handled certain malformed DS record
responses. A remote attacker could possibly use this issue to cause Bind to
crash, resulting in a denial of service (CVE-2016-9444).

An error in handling certain queries can cause an assertion failure when a
server is using the nxdomain-redirect feature to cover a zone for which it is
also providing authoritative service. A vulnerable server could be
intentionally stopped by an attacker if it was using a configuration that met
the criteria for the vulnerability and if the attacker could cause it to accept
a query that possessed the required attributes (CVE-2016-9778).

It was discovered that Bind incorrectly handled rewriting certain query
responses when using both DNS64 and RPZ. A remote attacker could possibly
use this issue to cause Bind to crash, resulting in a denial of service
(CVE-2017-3135).

Oleg Gorokhov discovered that in some situations, Bind did not properly
handle DNS64 queries. An attacker could use this to cause a denial
of service (CVE-2017-3136).

It was discovered that the resolver in Bind made incorrect
assumptions about ordering when processing responses containing
a CNAME or DNAME. An attacker could use this to cause a denial of
service (CVE-2017-3137).

Mike Lalumiere discovered that in some situations, Bind did
not properly handle invalid operations requested via its control
channel. An attacker with access to the control channel could cause
a denial of service (CVE-2017-3138).

Clement Berthaux discovered that Bind did not correctly check TSIG
authentication for zone transfer requests. An attacker could use this
to improperly transfer entire zones (CVE-2017-3142).

Clement Berthaux discovered that Bind did not correctly check TSIG
authentication for zone update requests. An attacker could use this
to improperly perform zone updates (CVE-2017-3143).

Affected Software/OS:
'bind' package(s) on Mageia 5.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-references:
Common Vulnerability Exposure (CVE) ID: CVE-2016-9131
BugTraq ID: 95386
http://www.securityfocus.com/bid/95386
Debian Security Information: DSA-3758
http://www.debian.org/security/2017/dsa-3758
https://security.gentoo.org/glsa/201708-01
RedHat Security Advisories: RHSA-2017:0062
http://rhn.redhat.com/errata/RHSA-2017-0062.html
RedHat Security Advisories: RHSA-2017:1583
https://access.redhat.com/errata/RHSA-2017:1583
http://www.securitytracker.com/id/1037582
Common Vulnerability Exposure (CVE) ID: CVE-2016-9147
BugTraq ID: 95390
http://www.securityfocus.com/bid/95390
RedHat Security Advisories: RHSA-2017:0063
http://rhn.redhat.com/errata/RHSA-2017-0063.html
RedHat Security Advisories: RHSA-2017:0064
http://rhn.redhat.com/errata/RHSA-2017-0064.html
RedHat Security Advisories: RHSA-2017:1582
https://access.redhat.com/errata/RHSA-2017:1582
Common Vulnerability Exposure (CVE) ID: CVE-2016-9444
BugTraq ID: 95393
http://www.securityfocus.com/bid/95393
Common Vulnerability Exposure (CVE) ID: CVE-2016-9778
BugTraq ID: 95388
http://www.securityfocus.com/bid/95388
Common Vulnerability Exposure (CVE) ID: CVE-2017-3135
BugTraq ID: 96150
http://www.securityfocus.com/bid/96150
Debian Security Information: DSA-3795
https://www.debian.org/security/2017/dsa-3795
RedHat Security Advisories: RHSA-2017:0276
http://rhn.redhat.com/errata/RHSA-2017-0276.html
http://www.securitytracker.com/id/1037801
Common Vulnerability Exposure (CVE) ID: CVE-2017-3136
BugTraq ID: 97653
http://www.securityfocus.com/bid/97653
Debian Security Information: DSA-3854
https://www.debian.org/security/2017/dsa-3854
RedHat Security Advisories: RHSA-2017:1095
https://access.redhat.com/errata/RHSA-2017:1095
RedHat Security Advisories: RHSA-2017:1105
https://access.redhat.com/errata/RHSA-2017:1105
http://www.securitytracker.com/id/1038259
SuSE Security Announcement: openSUSE-SU-2020:1699
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
SuSE Security Announcement: openSUSE-SU-2020:1701
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
Common Vulnerability Exposure (CVE) ID: CVE-2017-3137
BugTraq ID: 97651
http://www.securityfocus.com/bid/97651
http://www.securitytracker.com/id/1038258
http://www.securitytracker.com/id/1040195
Common Vulnerability Exposure (CVE) ID: CVE-2017-3138
BugTraq ID: 97657
http://www.securityfocus.com/bid/97657
http://www.securitytracker.com/id/1038260
Common Vulnerability Exposure (CVE) ID: CVE-2017-3142
BugTraq ID: 99339
http://www.securityfocus.com/bid/99339
Debian Security Information: DSA-3904
https://www.debian.org/security/2017/dsa-3904
RedHat Security Advisories: RHSA-2017:1679
https://access.redhat.com/errata/RHSA-2017:1679
RedHat Security Advisories: RHSA-2017:1680
https://access.redhat.com/errata/RHSA-2017:1680
http://www.securitytracker.com/id/1038809
Common Vulnerability Exposure (CVE) ID: CVE-2017-3143
BugTraq ID: 99337
http://www.securityfocus.com/bid/99337
Copyright: Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.