ArchLinux: 201805-20: bind: denial of service
Summary
- CVE-2018-5736 (denial of service)
An error in zone database reference counting can lead to an assertion
failure if a server which is running an affected version of BIND
attempts several transfers of a slave zone in quick succession.
- CVE-2018-5737 (denial of service)
A problem with the implementation of the new serve-stale feature in
BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-
answer-enable is off.
Resolution
Upgrade to 9.12.1.P2-1.
# pacman -Syu "bind>=9.12.1.P2-1"
The problems have been fixed upstream in version 9.12.1.P2.
References
https://marc.info/ https://security.archlinux.org/CVE-2018-5736 https://security.archlinux.org/CVE-2018-5737
Workaround
- CVE-2018-5736For servers which must receive notifies to keep slave zone contentscurrent, no complete workarounds are known although restricting BIND toonly accept NOTIFY messages from authorised sources can greatlymitigate the risk of attack.- CVE-2018-5737Setting "max-stale-ttl 0;" in named.conf will prevent exploitation ofthis vulnerability (but will effectively disable the serve-stalefeature.)