[3.7] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
CVE-2018-5744: A specially crafted packet can cause named to leak memory
A flaw was found in Bind. A failure to free memory can occur when
processing messages having a specific combination of EDNS options,
causing named’s memory use to grow without bounds until all memory is
exhausted.
Versions affected:
BIND 9.10.7 ->9.10.8-P1, 9.11.3 ->9.11.5-P1, 9.12.0 -> 9.12.3-P1
Reference:
https://kb.isc.org/docs/cve-2018-5744
CVE-2018-5745: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
A flaw was found in Bind. Due to an error in the managed-keys feature it
is possible for a BIND server which
uses managed-keys to exit due to an assertion failure causing denial of
service.
Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P1, 9.12.0 -> 9.12.3-P1
Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
Reference:
https://kb.isc.org/docs/cve-2018-5745
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
A flaw was found in Bind. Controls for zone transfers may not be
properly applied to Dynamically Loadable Zones (DLZs) if the zones are
writable.
A client exercising this defect can request and receive a zone transfers
of a DLZ even when not permitted to do so by the allow-transfer ACL.
Versions affected:
BIND 9.9.0 ->9.10.8-P1, 9.11.0 ->9.11.5-P2, 9.12.0 -> 9.12.3-P2
Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
Reference:
https://kb.isc.org/docs/cve-2019-6465
(from redmine: issue id 10168, created on 2019-03-27, closed on 2019-04-15)
- Relations:
- parent #10164 (closed)
- Changesets:
- Revision 3142e793 by Chris Ely on 2019-04-12T06:09:47Z:
main/bind: security upgrade to 9.11.5_p4
https://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
- CVE-2018-5740
- CVE-2018-5738
Fixes #10168
With the release of BIND 9.11.0, ISC changed to the open source license
for BIND from the ISC license to the Mozilla Public License (MPL 2.0).
BIND 9.11 (Extended Support Version) will be supported until at least
December, 2021.