Arch Linux 201509-2 High Severity Advisory: Bind DoS Threat

Arch Linux Security Advisory ASA-201509-2
========================================
Severity: High
Date    : 2015-09-03
CVE-ID  : CVE-2015-5722 CVE-2015-5986
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package bind before version 9.10.2.P4-1 is vulnerable to denial of
service.

Resolution
=========
Upgrade to 9.10.2.P4-1.

# pacman -Syu "bind>=9.10.2.P4-1"

The problem has been fixed upstream in versions 9.9.7-P3 and 9.10.2-P4.

Workaround
=========
CVE-2015-5722 might be mitigated by disabling DNSSEC validation. However
this is not recommended by ISC as it would increase the risk of other
types of DNS attacks.

Description
==========
- CVE-2015-5722 (Parsing malformed keys may cause BIND to exit due to a
failed assertion in buffer.c):

Parsing a malformed DNSSEC key can cause a validating resolver to exit
due to a failed assertion in buffer.c. It is possible for a remote
attacker to deliberately trigger this condition, for example by using a
query which requires a response from a zone containing a deliberately
malformed key.

- CVE-2015-5986 (An incorrect boundary check can trigger a REQUIRE
assertion failure in openpgpkey_61.c):

An incorrect boundary check in openpgpkey_61.c can cause named to
terminate due to a REQUIRE assertion failure. This defect can be
deliberately exploited by an attacker who can provide a maliciously
constructed response in answer to a query.

Impact
=====
A remote attacker can crash a recursive server by causing a query to be
sent for a specially crafted DNS zone she controls, causing denial of
service.
A remote attacker might be able to crash an authoritative server if she
controls a zone the server must query against to perform its zone
service, causing denial of service.

References
=========
https://access.redhat.com/security/cve/CVE-2015-5722
https://access.redhat.com/security/cve/CVE-2015-5986