[3.9] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
CVE-2018-5744: A specially crafted packet can cause named to leak memory
A flaw was found in Bind. A failure to free memory can occur when
processing messages having a specific combination of EDNS options,
causing named’s memory use to grow without bounds until all memory is
exhausted.
Versions affected:
BIND 9.10.7 ->9.10.8-P1, 9.11.3 ->9.11.5-P1, 9.12.0 -> 9.12.3-P1
Reference:
https://kb.isc.org/docs/cve-2018-5744
CVE-2018-5745: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
A flaw was found in Bind. Due to an error in the managed-keys feature it
is possible for a BIND server which
uses managed-keys to exit due to an assertion failure causing denial of
service.
Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P1, 9.12.0 -> 9.12.3-P1
Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
Reference:
https://kb.isc.org/docs/cve-2018-5745
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
A flaw was found in Bind. Controls for zone transfers may not be
properly applied to Dynamically Loadable Zones (DLZs) if the zones are
writable.
A client exercising this defect can request and receive a zone transfers
of a DLZ even when not permitted to do so by the allow-transfer ACL.
Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P2, 9.12.0 -> 9.12.3-P2
Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
Reference:
https://kb.isc.org/docs/cve-2019-6465
(from redmine: issue id 10166, created on 2019-03-27, closed on 2019-04-15)
- Relations:
- parent #10164 (closed)
- Changesets:
- Revision a72d66cd by Chris Ely on 2019-04-12T06:06:29Z:
main/bind: security upgrade to 9.12.3-P4
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
Fixes #10166
- Revision f760ea50 by Chris Ely on 2019-04-15T06:43:36Z:
main/bind: security upgrade to 9.12.3_p4
https://ftp.isc.org/isc/bind9/9.12.3-P4/RELEASE-NOTES-bind-9.12.3-P4.html
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
- CVE-2018-5740
- CVE-2018-5738
- CVE-2018-5737
- CVE-2018-5736
Fixes #10166
BIND is open source software licenced under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
BIND 9.12 will be supported until at least May, 2019.