Bugzilla – Bug 1157051
VUL-0: CVE-2019-6477: bind: TCP Pipelining doesn't limit TCP clients on a single connection
Last modified: 2022-06-10 10:35:22 UTC
See https://build.opensuse.org/request/show/750049
Public: https://seclists.org/oss-sec/2019/q4/92 Today (2019-11-20) ISC announced a vulnerability in our BIND 9 software. CVE-2019-6477, TCP-pipelined queries can bypass tcp-clients limit This issue affects BIND 9.11, BIND 9.14, and BIND 9.15. Our full CVE text can be found at: https://kb.isc.org/docs/cve-2019-6477 New releases of BIND, including security fixes for this vulnerability, are available at: https://www.isc.org/download Release notes for the new versions can be obtained using the following links: https://downloads.isc.org/isc/bind9/9.15.6/RELEASE-NOTES-bind-9.15.6.html https://downloads.isc.org/isc/bind9/9.14.8/RELEASE-NOTES-bind-9.14.8.html https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bind-9.11.13.html
The fix has never made it into SLE-12-SP4. Can you prepare a submission?
(In reply to Wolfgang Frisch from comment #9) > The fix has never made it into SLE-12-SP4. > Can you prepare a submission? I just checked out SUSE:SLE-12-SP4:Update/bind and the patch is definitely there! Upon comparing the source with the patch, I stumbled across a bug which may have been introduced when applying the patch, so I'll make a (1-line) patch and submit that, but the bulk of the patch has been applied!
(In reply to Josef Möllers from comment #12) > (In reply to Wolfgang Frisch from comment #9) > > The fix has never made it into SLE-12-SP4. > > Can you prepare a submission? > > I just checked out SUSE:SLE-12-SP4:Update/bind and the patch is definitely > there! > Upon comparing the source with the patch, I stumbled across a bug which may > have been introduced when applying the patch, so I'll make a (1-line) patch > and submit that, but the bulk of the patch has been applied! Just an addition: SUSE:SLE-12-SP4:Update/bind should have version 9.11.22!
An update of bind to version 9.11.22 is pending (see https://build.suse.de/request/show/224886) Any idea what is delaying that?
SUSE-SU-2020:2914-1: An update that solves 12 vulnerabilities, contains one feature and has 8 fixes is now available. Category: security (moderate) Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079 CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 JIRA References: ECO-1402 Sources used: SUSE Linux Enterprise Server for SAP 15 (src): bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8 SUSE Linux Enterprise Server 15-LTSS (src): bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8 SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): bind-9.16.6-12.32.1 SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): bind-9.16.6-12.32.1 SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): sysuser-tools-2.0-4.2.8 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
As per comment #16
openSUSE-SU-2020:1699-1: An update that solves 12 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079 CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 JIRA References: Sources used: openSUSE Leap 15.2 (src): bind-9.16.6-lp152.14.3.1, libuv-1.18.0-lp152.4.3.1, sysuser-tools-2.0-lp152.5.3.1
openSUSE-SU-2020:1701-1: An update that solves 12 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079 CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 JIRA References: Sources used: openSUSE Leap 15.1 (src): bind-9.16.6-lp151.11.9.1, libuv-1.18.0-lp151.3.3.1, sysuser-tools-2.0-lp151.4.3.1
Done, closing.