Is CVE-2015-4650 a duplicate, leak, or just a typo?

[Florian Weimer <fweimer () redhat com>]

Some documents use CVE-2015-4650 to refer to a vulnerability in BIND.
Apparently, they source back to

<https://www.alienvault.com/forums/discussion/5706/security-advisory-alienvault-v5-1-addresses-6-vulnerabilities>

which says:

“
Debian Security Update
AlienVault ID: ENG-101265
Description: name.c in named in ISC BIND 9.7.x through 9.9.x before
9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive
resolver with DNSSEC validation, allows remote attackers to cause a
denial of service (REQUIRE assertion failure and daemon exit) by
constructing crafted zone data and then making a query for a name in
that zone.
CVE ID: CVE-2015-4650
CVSS v2 Base Score: 7.8
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:N)
”

That description seems to match CVE-2015-4620, so I'm leaning towards typo:

<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4620>

I don't know how this came into being.  Debian does not appear
responsible, the immutable list archives use the correct ID:

<https://lists.debian.org/debian-lts-announce/2015/07/msg00008.html>
<https://lists.debian.org/debian-security-announce/2015/msg00200.html>

Comments appreciated.

-- 
Florian Weimer / Red Hat Product Security