ArchLinux: 201701-15: bind: denial of service
Summary
- CVE-2016-9131 (denial of service)
A denial of service flaw was found in the way BIND processed a response
to an ANY query. A remote attacker could use this flaw to make named
exit unexpectedly with an assertion failure via a specially crafted DNS
response.
- CVE-2016-9147 (denial of service)
A denial of service flaw was found in the way BIND handled a query
response containing inconsistent DNSSEC information. A remote attacker
could use this flaw to make named exit unexpectedly with an assertion
failure via a specially crafted DNS response.
- CVE-2016-9444 (denial of service)
A denial of service flaw was found in the way BIND handled an
unusually-formed DS record response. A remote attacker could use this
flaw to make named exit unexpectedly with an assertion failure via a
specially crafted DNS response.
- CVE-2016-9778 (denial of service)
A denial of service flaw was found in the way BIND handled certain
queries using the nxdomain-redirect feature to cover a zone for which
it is also providing authoritative service. A remote attacker could use
this flaw to make named exit unexpectedly with an assertion failure via
a specially crafted DNS response.
Resolution
Upgrade to 9.11.0.P2-1.
# pacman -Syu "bind>=9.11.0.P2-1"
The problems have been fixed upstream in version 9.11.0.P2.
References
https://security.archlinux.org/CVE-2016-9131 https://security.archlinux.org/CVE-2016-9147 https://security.archlinux.org/CVE-2016-9444 https://security.archlinux.org/CVE-2016-9778
Workaround
None