Created Mar 27, 2019 by Alicha CH (@alicha, Reporter)

[3.7] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)

CVE-2018-5744: A specially crafted packet can cause named to leak memory

A flaw was found in BIND. A failure to free memory can occur when processing messages having a specific combination of EDNS options, causing named’s memory use to grow without bounds until all memory is exhausted.

Versions affected:

BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1

Reference:

https://kb.isc.org/docs/cve-2018-5744

CVE-2018-5745: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys

A flaw was found in BIND. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure, causing denial of service.

Versions affected:

BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1

Fixed In Version:

bind 9.11.5-P4, bind 9.12.3-P4

Reference:

https://kb.isc.org/docs/cve-2018-5745

CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective

A flaw was found in BIND. Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.

Versions affected:

BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2

Fixed In Version:

bind 9.11.5-P4, bind 9.12.3-P4

Reference:

https://kb.isc.org/docs/cve-2019-6465

(from redmine: issue id 10168, created on 2019-03-27, closed on 2019-04-15)

  • Relations:
    • parent #10164 (closed)
  • Changesets:
    • Revision 3142e793 by Chris Ely on 2019-04-12T06:09:47Z:
main/bind: security upgrade to 9.11.5_p4

https://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
- CVE-2018-5740
- CVE-2018-5738

Fixes #10168

With the release of BIND 9.11.0, ISC changed to the open source license
for BIND from the ISC license to the Mozilla Public License (MPL 2.0).

BIND 9.11 (Extended Support Version) will be supported until at least
December, 2021.
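
An added example, not part of the issue or of the aports tree: a small checker that maps a BIND version string onto the affected ranges listed in the issue, treating each range as inclusive at both ends. It accepts the upstream form (`9.11.5-P1`) and, as an assumption about packaging, the Alpine form with an optional `-rN` release suffix (`9.11.5_p4-r0`); the function names are hypothetical.

```python
import re

# Affected ranges copied from the issue text (assumed inclusive on both ends).
AFFECTED = {
    "CVE-2018-5744": [("9.10.7", "9.10.8-P1"), ("9.11.3", "9.11.5-P1"),
                      ("9.12.0", "9.12.3-P1")],
    "CVE-2018-5745": [("9.9.0", "9.10.8-P1"), ("9.11.0", "9.11.5-P1"),
                      ("9.12.0", "9.12.3-P1")],
    "CVE-2019-6465": [("9.9.0", "9.10.8-P1"), ("9.11.0", "9.11.5-P2"),
                      ("9.12.0", "9.12.3-P2")],
}

# major.minor.patch, optional patch level (-P1 upstream, _p1 Alpine),
# optional Alpine package release (-r0), which does not affect the result.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-_][Pp](\d+))?(?:-r\d+)?$")


def parse(version):
    """Turn '9.11.5-P1' or '9.11.5_p4-r0' into a sortable 4-tuple."""
    m = _VERSION.match(version.strip())
    if not m:
        # Pre-releases and other editions are rejected rather than guessed at.
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def affected_by(version):
    """Return the sorted list of CVEs from this issue that cover `version`."""
    v = parse(version)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(parse(lo) <= v <= parse(hi) for lo, hi in ranges)
    )


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for sample in ("9.11.2_p1-r0", "9.11.5-P2", "9.11.5_p4-r0"):
        print(sample, affected_by(sample) or "not in any listed range")
```

A version outside every listed range only means it is not covered by the ranges quoted in this issue.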