oss-sec mailing list archives
Is CVE-2015-4650 a duplicate, leak, or just a typo?
From: Florian Weimer <fweimer () redhat com>
Date: Wed, 12 Aug 2015 14:32:41 +0200
Some documents use CVE-2015-4650 to refer to a vulnerability in BIND. Apparently, they source back to <https://www.alienvault.com/forums/discussion/5706/security-advisory-alienvault-v5-1-addresses-6-vulnerabilities> which says: “ Debian Security Update AlienVault ID: ENG-101265 Description: name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone. CVE ID: CVE-2015-4650 CVSS v2 Base Score: 7.8 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:N) ” That description seems to match CVE-2015-4620, so I'm leaning towards typo: <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4620> I don't know how this came into being. Debian does not appear responsible, the immutable list archives use the correct ID: <https://lists.debian.org/debian-lts-announce/2015/07/msg00008.html> <https://lists.debian.org/debian-security-announce/2015/msg00200.html> Comments appreciated. -- Florian Weimer / Red Hat Product Security
Current thread:
- Is CVE-2015-4650 a duplicate, leak, or just a typo? Florian Weimer (Aug 12)
- Re: Is CVE-2015-4650 a duplicate, leak, or just a typo? ISC Security Officer (Aug 12)
- Re: Is CVE-2015-4650 a duplicate, leak, or just a typo? Michael McNally (Aug 14)
- Re: Is CVE-2015-4650 a duplicate, leak, or just a typo? ISC Security Officer (Aug 12)