ESB-2018.0171 - [Win][UNIX/Linux][Debian] bind9: Denial of service - Remote/unauthenticated 2018-01-17


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0171
        bind9 security update fixes denial of service vulnerability
                              17 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           bind9
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3145  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4089

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running bind9 check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4089-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 16, 2018                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2017-3145

Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server
implementation, was improperly sequencing cleanup operations, leading in
some cases to a use-after-free error, triggering an assertion failure
and crash in named.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:9.9.5.dfsg-9+deb8u15.

For the stable distribution (stretch), this problem has been fixed in
version 1:9.10.3.dfsg.P4-12.3+deb9u4.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
