Bug 936476 - (CVE-2015-4620) VUL-0: CVE-2015-4620: bind: resolver crash when validating
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
maint:released:sle11-sp3:62180
Reported: 2015-06-29 20:36 UTC by Andreas Stieger
Modified: 2020-09-24 14:57 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2015-06-29 20:36:58 UTC
Created attachment 639588
bind9-patch-CVE-2015-4620

CRD: 2015-06-30 17:00 UTC

Hello, ISC BIND package maintainers,

ISC is planning on announcing a vulnerability tomorrow (2015-06-30)
around 1000 PDT (1700 UTC).

  CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver
  to Crash when Validating, affecting BIND versions 9.7.1+

Please refrain from public announcement and publication of new packages
until after we have made our public announcement.

The BIND 9.9.7-P1 and 9.10.2-P2 versions will include the fix for this 
issue. A patch to correct this issue is also attached to this message 
which may be used to build replacement BIND packages for your users.

SHA256 (bind9-patch-CVE-2015-4620) = 
c5209ff7927eb6997d555af241927041f162ff455b8fb3547cfe24fe385424ab

In keeping with our prior communication and commitments, we will
not be producing a patch specifically for BIND 9.8 which is beyond
its End of Life (EOL) and no longer supported by ISC.

Jeremy Reed
ISC Security Officer
Comment 1 Swamp Workflow Management 2015-06-30 05:58:11 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62141
Comment 2 Andreas Stieger 2015-06-30 17:13:08 UTC
CRD moved to
CRD: 2015-07-07
Comment 3 Swamp Workflow Management 2015-06-30 22:00:16 UTC
bugbot adjusting priority
Comment 9 Johannes Segitz 2015-07-08 08:34:35 UTC
public
Comment 10 Swamp Workflow Management 2015-07-08 13:08:40 UTC
SUSE-SU-2015:1204-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 918330,936476
CVE References: CVE-2015-1349,CVE-2015-4620
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    bind-9.9.6P1-18.1
SUSE Linux Enterprise Server 12 (src):    bind-9.9.6P1-18.1
SUSE Linux Enterprise Desktop 12 (src):    bind-9.9.6P1-18.1
Comment 11 Swamp Workflow Management 2015-07-08 14:08:38 UTC
SUSE-SU-2015:1205-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 918330,936476
CVE References: CVE-2015-1349,CVE-2015-4620
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    bind-9.9.6P1-0.7.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    bind-9.9.6P1-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    bind-9.9.6P1-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    bind-9.9.6P1-0.7.1
Comment 12 Swamp Workflow Management 2015-07-16 12:08:45 UTC
openSUSE-SU-2015:1250-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 908994,918330,936476,937028
CVE References: CVE-2014-8500,CVE-2015-1349,CVE-2015-4620
Sources used:
openSUSE 13.2 (src):    bind-9.9.6P1-2.4.1
Comment 13 Swamp Workflow Management 2015-07-16 13:08:31 UTC
openSUSE-SU-2015:1250-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 908994,918330,936476,937028
CVE References: CVE-2014-8500,CVE-2015-1349,CVE-2015-4620
Sources used:
openSUSE 13.1 (src):    bind-9.9.4P2-2.11.1
Comment 14 Swamp Workflow Management 2015-07-31 10:08:48 UTC
openSUSE-SU-2015:1326-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 918330,936476,939567
CVE References: CVE-2015-1349,CVE-2015-4620,CVE-2015-5477
Sources used:
openSUSE Evergreen 11.4 (src):    bind-9.9.4P2-66.1
Comment 15 Marcus Meissner 2015-07-31 14:21:39 UTC
released all of them
Comment 16 Alexander Bergmann 2015-08-18 14:06:45 UTC
CVE-2015-4650 was somehow mentioned for this problem. Leaving this comment just for reference.

http://seclists.org/oss-sec/2015/q3/331