oss-sec mailing list archives
CVE-2018-5740 BIND (named vuln) and bad OVAL dict file maintenance
From: scrumpyjack () st ilet to
Date: Thu, 20 Sep 2018 12:52:28 +0100
hi there, and apologies if this isn't the correct place to turn to, but the OVAL boards have been inactive since 2015 and perhaps the people who maintain these files lurk here and will notice.
In short: CVE-2018-5740 applies to named, when running, with a specific option set [1].
The OVAL [2] dictionaries (which are consumed by vulnerability scanners) for RedHat (and derivatives) [3],[4] list the following packages as affected:
bind bind-chroot bind-devel bind-libs bind-libs-lite bind-license bind-lite-devel bind-pkcs11 bind-pkcs11-devel bind-pkcs11-libs bind-pkcs11-utils bind-sdb bind-sdb-chroot bind-utils
named is only contained in the bind package, and this list is causing no end of problems on hosts that, for example, only want bind-utils and dependencies (of which bind -containing named- is not).
Could whoever maintains these take a look? Thank you for your time.
[1] https://kb.isc.org/docs/aa-01639
[2] https://oval.mitre.org
[3] https://www.redhat.com/security/data/oval/
[4] https://linux.oracle.com/security/oval/
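An added triage example, not part of the original post and not code from any OVAL maintainer: it reads the package names from the `rpminfo_object` entries of an OVAL definition and separates hosts that have the daemon package from hosts that only match on subpackages. The OVAL fragment is constructed, the function and verdict names are hypothetical, and the statement that named ships only in `bind` is taken from the post as an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed OVAL fragment (not copied from any vendor feed).
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <objects>
    <rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
                    id="oval:example:obj:1" version="1"><name>bind</name></rpminfo_object>
    <rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
                    id="oval:example:obj:2" version="1"><name>bind-libs</name></rpminfo_object>
    <rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
                    id="oval:example:obj:3" version="1"><name>bind-utils</name></rpminfo_object>
  </objects>
</oval_definitions>"""

LINUX_NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"


def oval_package_names(oval_xml):
    """Return the set of RPM names referenced by rpminfo_object elements."""
    root = ET.fromstring(oval_xml)
    names = set()
    for obj in root.iter(LINUX_NS + "rpminfo_object"):
        name = obj.find(LINUX_NS + "name")
        if name is not None and name.text:
            names.add(name.text.strip())
    return names


def triage(oval_xml, installed, daemon_package="bind"):
    """Classify a host from its installed package names.

    daemon_package is the package assumed to ship named (per the post).
    Returns (verdict, matched_packages).
    """
    matched = sorted(oval_package_names(oval_xml) & set(installed))
    if not matched:
        return ("not-applicable", matched)
    if daemon_package in matched:
        # named is installed: the advisory's option check still decides exposure.
        return ("review-named-config", matched)
    # Scanner would flag this host, but no package carrying named is present.
    return ("no-named-installed", matched)


if __name__ == "__main__":
    print(triage(SAMPLE_OVAL, ["bind-utils", "bind-libs", "bind-license"]))
    print(triage(SAMPLE_OVAL, ["bind", "bind-utils"]))
```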