Bugzilla – Bug 1126069
VUL-0: CVE-2019-6465: bind: Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable.
Last modified: 2020-05-12 18:34:10 UTC
embargoed via distros CRD: 2019-02-21 CVE-2019-6465: Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. CVE: CVE-2019-6465 Document version: 2.0 Posting date: 21 February 2019 Program impacted: BIND Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.5-W1 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465. Severity: Medium Exploitable: Remotely Description: Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. Impact: A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL. CVSS Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Workarounds: None Active exploits: None known. Solution: Upgrade to the patched release most closely related to your current version of BIND: + BIND 9.11.5-P4 + BIND 9.12.3-P4
now public CVE-2019-6465: Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. https://kb.isc.org/docs/cve-2019-6465
Navin, could you please submit for all affected code streams?
SUSE-SU-2019:1407-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1104129,1126068,1126069,1133185 CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): bind-9.11.2-12.11.2 SUSE Linux Enterprise Module for Server Applications 15 (src): bind-9.11.2-12.11.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bind-9.11.2-12.11.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bind-9.11.2-12.11.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bind-9.11.2-12.11.2 SUSE Linux Enterprise Module for Basesystem 15 (src): bind-9.11.2-12.11.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14074-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1104129,1126068,1126069,1133185 CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): bind-9.9.6P1-0.51.15.4 SUSE Linux Enterprise Point of Sale 11-SP3 (src): bind-9.9.6P1-0.51.15.4 SUSE Linux Enterprise Debuginfo 11-SP4 (src): bind-9.9.6P1-0.51.15.4 SUSE Linux Enterprise Debuginfo 11-SP3 (src): bind-9.9.6P1-0.51.15.4 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1449-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1104129,1126068,1126069,1133185 CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): bind-9.9.9P1-28.42.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1532-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1104129,1126068,1126069,1133185 CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 Sources used: openSUSE Leap 42.3 (src): bind-9.9.9P1-56.1
openSUSE-SU-2019:1533-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1104129,1126068,1126069,1133185 CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 Sources used: openSUSE Leap 15.1 (src): bind-9.11.2-lp151.11.3.1 openSUSE Leap 15.0 (src): bind-9.11.2-lp150.8.13.1
SUSE-SU-2019:1406-2: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1104129,1126068,1126069,1133185 CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 Sources used: SUSE CaaS Platform 3.0 (src): bind-9.9.9P1-63.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2502-1: An update that solves 5 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1104129,1118367,1118368,1126068,1126069,1128220,1133185,1138687 CVE References: CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465,CVE-2019-6471 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bind-9.11.2-3.10.1 SUSE Linux Enterprise Server 12-SP4 (src): bind-9.11.2-3.10.1 SUSE Linux Enterprise Desktop 12-SP4 (src): bind-9.11.2-3.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done