bind: DNS query issues (CVE-2015-4620, CVE-2015-5477)
An attacker who can cause a validating resolver to query a zone containing specifically constructed contents can cause that resolver to fail an assertion and terminate due to a defect in validation code.
Versions affected: BIND 9.7.1 ->9.7.7, 9.8.0 ->9.8.8, 9.9.0 ->9.9.7, 9.10.0 ->9.10.2-P1.
A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a “REQUIRE” failure in name.c when validating the data returned in answer to a recursive query.
This means that a recursive resolver that is performing DNSSEC validation can be deliberately stopped by an attacker who can cause the resolver to perform a query against a maliciously-constructed zone.
A recursive resolver that is performing DNSSEC validation can be deliberately terminated by any attacker who can cause a query to be performed against a maliciously constructed zone. This will result in a denial of service to clients who rely on that resolver.
DNSSEC validation is only performed by a recursive resolver if it has “dnssec-validation auto;” in its configuration or if it has a root trust anchor defined and has “dnssec-validation yes;” set (either by accepting the default or via an explicitly set value of “yes”.) By default ISC BIND recursive servers will not validate. (However, ISC defaults may have been changed by your distributor.)
TKEY query handling flaw leading to denial of service
Versions affected: BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3
A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet.
(from redmine: issue id 4505, created on 2015-08-03, closed on 2015-08-05)