svn commit: r438420 - head/security/vuxml
Xin LI
delphij at FreeBSD.org
Thu Apr 13 03:58:34 UTC 2017
Author: delphij
Date: Thu Apr 13 03:58:32 2017
New Revision: 438420
URL: https://svnweb.freebsd.org/changeset/ports/438420
Log:
Document BIND multiple vulnerabilities.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Apr 13 03:55:56 2017 (r438419)
+++ head/security/vuxml/vuln.xml Thu Apr 13 03:58:32 2017 (r438420)
@@ -58,6 +58,72 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="c6861494-1ffb-11e7-934d-d05099c0ae8c">
+ <topic>BIND -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>bind99</name>
+ <range><lt>9.9.9P8</lt></range>
+ </package>
+ <package>
+ <name>bind910</name>
+ <range><lt>9.10.4P8</lt></range>
+ </package>
+ <package>
+ <name>bind911</name>
+ <range><lt>9.11.0P5</lt></range>
+ </package>
+ <package>
+ <name>bind9-devel</name>
+ <range><le>9.12.0.a.2017.04.12</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ISC reports:</p>
+ <blockquote cite="https://kb.isc.org/article/AA-01465/0">
+ <p>A query with a specific set of characteristics could
+ cause a server using DNS64 to encounter an assertion
+ failure and terminate.</p>
+ <p>An attacker could deliberately construct a query,
+ enabling denial-of-service against a server if it
+ was configured to use the DNS64 feature and other
+ preconditions were met.</p>
+ </blockquote>
+ <blockquote cite="https://kb.isc.org/article/AA-01466/0">
+ <p>Mistaken assumptions about the ordering of records in
+ the answer section of a response containing CNAME or
+ DNAME resource records could lead to a situation in
+ which named would exit with an assertion failure when
+ processing a response in which records occurred in an
+ unusual order.</p>
+ </blockquote>
+ <blockquote cite="https://kb.isc.org/article/AA-01471/0">
+ <p>named contains a feature which allows operators to
+ issue commands to a running server by communicating
+ with the server process over a control channel,
+ using a utility program such as rndc.</p>
+ <p>A regression introduced in a recent feature change
+ has created a situation under which some versions of
+ named can be caused to exit with a REQUIRE assertion
+ failure if they are sent a null command string.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-3136</cvename>
+ <cvename>CVE-2017-3137</cvename>
+ <cvename>CVE-2017-3138</cvename>
+ <url>https://kb.isc.org/article/AA-01465/0</url>
+ <url>https://kb.isc.org/article/AA-01466/0</url>
+ <url>https://kb.isc.org/article/AA-01471/0</url>
+ </references>
+ <dates>
+ <discovery>2017-04-12</discovery>
+ <entry>2017-04-13</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e48355d7-1548-11e7-8611-0090f5f2f347">
<topic>id Tech 3 -- remote code execution vulnerability</topic>
<affects>
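Review bot: In the `<affects>` block, the bind9-devel range is the only one expressed as `<le>` against a dated snapshot (9.12.0.a.2017.04.12), and that date is the same as `<discovery>`. It should be confirmed that the next bind9-devel snapshot actually carries the fixes; otherwise a later snapshot would be reported as not vulnerable while still affected. Separately, all four ranges have no lower bound, while the quoted AA-01471 text describes a "regression introduced in a recent feature change" affecting "some versions of named". If the entry stays combined, a sentence in the `<body>` mapping each of the three CVE names to its advisory, and noting that the control channel issue applies to a narrower set of versions, would keep readers from assuming every listed version is exposed to all three issues.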