oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2018-5740 BIND (named vuln) and bad OVAL dict file maintenance

From: scrumpyjack () st ilet to
Date: Thu, 20 Sep 2018 12:52:28 +0100
hi there, and apologies if this isn't the correct place to turn to, but the OVAL boards have been inactive since 2015 and perhaps the people who maintain these files lurk here and will notice. 

In short:
CVE-2018-5740 Applies to named, when running, with a specific option set [1]
The OVAL [2] dictionaries (which are consumed by vulnerability scanners) for RedHat (and derivatives) [3],[4] lists the following packages as affected 

bind
bind-chroot
bind-devel
bind-libs
bind-libs-lite
bind-license
bind-lite-devel
bind-pkcs11
bind-pkcs11-devel
bind-pkcs11-libs
bind-pkcs11-utils
bind-sdb
bind-sdb-chroot
bind-utils
named is only contained in the bind package, and this list is causing no end of problems on hosts that, for example, only want bind-utils and dependencies (of which bind -containing named- is not). 

Could whoever maintains these take a look?

thank you for you time

[1] https://kb.isc.org/docs/aa-01639
[2] https://oval.mitre.org
[3] https://www.redhat.com/security/data/oval/
[4] https://linux.oracle.com/security/oval/
Previous By Date Next
Previous By Thread Next

Current thread: