[3.6] bind: Multiple vulnerabilities (CVE-2017-3136, CVE-2017-3137, CVE-2017-3138)
CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with “break-dnssec yes;”
Affected versions:
9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1 -> 9.9.10rc1, 9.10.0 -> 9.10.4-P6,
9.10.5b1 -> 9.10.5rc1,
9.11.0 -> 9.11.0-P3, 9.11.1b1 -> 9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8
Fixed in:
BIND 9 version 9.9.9-P8
BIND 9 version 9.10.4-P8
BIND 9 version 9.11.0-P5
References:
CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
Affected versions:
9.9.9-P6, 9.9.10b1 -> 9.9.10rc1,
9.10.4-P6, 9.10.5b1 -> 9.10.5rc1, 9.11.0-P3,
9.11.1b1 -> 9.11.1rc1, and 9.9.9-S8
Fixed in:
BIND 9 version 9.9.9-P8
BIND 9 version 9.10.4-P8
BIND 9 version 9.11.0-P5
References:
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
Affected versions:
9.9.9 -> 9.9.9-P7,
9.9.10b1 -> 9.9.10rc2, 9.10.4 -> 9.10.4-P7, 9.10.5b1 -> 9.10.5rc2,
9.11.0 -> 9.11.0-P4,
9.11.1b1 -> 9.11.1rc2, 9.9.9-S1 -> 9.9.9-S9
Fixed in:
BIND 9 version 9.9.9-P8
BIND 9 version 9.10.4-P8
BIND 9 version 9.11.0-P5
References:
(from redmine: issue id 7141, created on 2017-04-14, closed on 2017-04-25)
- Relations:
- parent #7140 (closed)
- Changesets:
- Revision d3fda9ff by Sergei Lukin on 2017-04-14T14:12:39Z:
main/bind: security upgrade to 9.11.0_p5 - fixes #7141
CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
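Until a host is on one of the fixed versions, it helps to know whether its `named.conf` uses the configuration named in the CVE-2017-3136 summary (DNS64 with `break-dnssec yes;`) and where the control channel from the CVE-2017-3138 summary listens. The following is an added example, not part of the original issue or of BIND; the function names and the sample configuration are constructed for illustration, and treating any non-loopback `inet` listener as something to review is an assumption of this sketch.

```python
import re

# Constructed sample named.conf (not taken from any real system).
SAMPLE_CONF = '''
options {
    // dns64 64:ff9b::/96 { break-dnssec yes; };  commented out, must be ignored
    dns64 64:ff9b::/96 {
        clients { any; };
        break-dnssec yes;   # the setting named in the CVE-2017-3136 summary
    };
    dns64 2001:db8:64::/96 { break-dnssec no; };
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet 192.0.2.10 port 953 allow { 192.0.2.0/24; } keys { "rndc-key"; };
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments while leaving quoted strings intact."""
    token = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return token.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def audit(conf):
    """List dns64 prefixes with break-dnssec enabled and non-loopback control listeners."""
    conf = strip_comments(conf)
    found = {"dns64_break_dnssec": [], "controls_non_loopback": []}
    for m in re.finditer(r"\bdns64\s+(\S+)\s*\{", conf):
        # yes/true/1 are the spellings BIND accepts for an enabled boolean
        if re.search(r"\bbreak-dnssec\s+(?:yes|true|1)\s*;", block_body(conf, m.end() - 1)):
            found["dns64_break_dnssec"].append(m.group(1))
    for m in re.finditer(r"\bcontrols\s*\{", conf):
        for addr in re.findall(r"\binet\s+(\S+)", block_body(conf, m.end() - 1)):
            if addr not in ("127.0.0.1", "::1"):
                found["controls_non_loopback"].append(addr)
    return found
```

Calling `audit(SAMPLE_CONF)` reports the one `dns64` prefix with `break-dnssec` enabled and the one control listener bound outside loopback; files pulled in with `include` are not followed and need to be audited separately.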