oss-sec mailing list archives

Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public

From: ISC Security Officer <security-officer () isc org>
Date: Wed, 2 Sep 2015 22:52:30 +0200

Please be advised that ISC publicly announced two critical
vulnerabilities in BIND:

+ CVE-2015-5722 is a denial-of-service vector which can be
  exploited remotely against a BIND server that is performing
  validation on DNSSEC-signed records. All versions of BIND since
  9.0.0 are vulnerable.
  https://kb.isc.org/article/AA-01287

+ CVE-2015-5986 is a denial-of-service vector which can be used
  against a BIND server that is performing recursion and (under
  limited conditions) an authoritative-only nameserver.
  Versions of BIND since 9.9.7 and 9.10.2 are vulnerable.
  https://kb.isc.org/article/AA-01291


New releases of BIND, including security fixes for these
vulnerabilities, are available:

ftp://ftp.isc.org/isc/bind9/9.10.3rc1/RELEASE-NOTES.bind-9.10.3rc1.html
ftp://ftp.isc.org/isc/bind9/9.9.8rc1/RELEASE-NOTES.bind-9.9.8rc1.html
ftp://ftp.isc.org/isc/bind9/9.10.2-P4/RELEASE-NOTES.bind-9.10.2-P4.html
ftp://ftp.isc.org/isc/bind9/9.9.7-P3/RELEASE-NOTES.bind-9.9.7-P3.html

Marcin Siodelski
(as ISC Security Officer)

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public ISC Security Officer (Sep 02)
- Re: Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public Florian Weimer (Sep 03)
  - Re: Two new vulnerabilities in BIND: CVE-2015-5722 and CVE-2015-5986 are now public Mark Andrews (Sep 03)