oss-sec mailing list archives
Re: Multiple BIND vulnerabilities disclosed (CVE-2018-5743, CVE-2019-6467, and CVE-2019-6468)
From: Peter Korsgaard <peter () korsgaard com>
Date: Thu, 25 Apr 2019 12:13:37 +0200
>>>>> "Michael" == Michael McNally <mcnally () isc org> writes:

 > Today ISC disclosed two vulnerabilities affecting BIND as well as a
 > third vulnerability which affects *only* BIND Supported Preview Edition
 > (a special feature-preview version of BIND provided to ISC support
 > customers.)

 > Information about the vulnerabilities can be found in the ISC Knowledge Base:

 > CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
 >    https://kb.isc.org/docs/cve-2018-5743

 > CVE-2019-6467: An error in the nxdomain redirect feature can cause
 >    BIND to exit with an INSIST assertion failure in query.c
 >    https://kb.isc.org/docs/cve-2019-6467

 > CVE-2019-6468: BIND Supported Preview Edition can exit with an
 >    assertion failure if nxdomain-redirect is used
 >    https://kb.isc.org/docs/cve-2019-6468

 > New releases of BIND have been issued to fix the vulnerabilities above.
 > They may be downloaded from the ISC website: https://www.isc.org/downloads

 >   - 9.11.6-P1
 >   - 9.12.4-P1
 >   - 9.14.1

It is a bit unfortunate that these security fixes now use
isc_atomic_xadd(), which is not available on all architectures:

.libs/client.o: In function `mark_tcp_active':
client.c:(.text+0xc7c): undefined reference to `isc_atomic_xadd'
client.c:(.text+0xca0): undefined reference to `isc_atomic_xadd'
.libs/client.o: In function `client_accept':
client.c:(.text+0x2210): undefined reference to `isc_atomic_xadd'
client.c:(.text+0x230c): undefined reference to `isc_atomic_xadd'
.libs/client.o: In function `exit_check':
client.c:(.text+0x2958): undefined reference to `isc_atomic_xadd'
.libs/client.o:client.c:(.text+0x5cb4): more undefined references to `isc_atomic_xadd' follow
collect2: error: ld returned 1 exit status

:/

-- 
Bye, Peter Korsgaard

Current thread:
- Multiple BIND vulnerabilities disclosed (CVE-2018-5743, CVE-2019-6467, and CVE-2019-6468) Michael McNally (Apr 24)
- Re: Multiple BIND vulnerabilities disclosed (CVE-2018-5743, CVE-2019-6467, and CVE-2019-6468) Peter Korsgaard (Apr 25)