Subject: [ASA-201707-3] bind: access restriction bypass

Arch Linux Security Advisory ASA-201707-3
=========================================

Severity: High
Date    : 2017-07-04
CVE-ID  : CVE-2017-3142 CVE-2017-3143
Package : bind
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-335

Summary
=======

The package bind before version 9.11.1.P2-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 9.11.1.P2-1.

# pacman -Syu "bind>=9.11.1.P2-1"

The problems have been fixed upstream in version 9.11.1.P2.

Workaround
==========

None.

Description
===========

- CVE-2017-3142 (access restriction bypass)

An error in TSIG authentication has been found in Bind <= 9.11.1-P1,
allowing a remote attacker to bypass authentication in order to perform
unauthorized zone transfers or forge NOTIFY packets. The attacker needs
to know the key name, and must still be permitted by any other ACL
restrictions that apply.

- CVE-2017-3143 (access restriction bypass)

An error in TSIG authentication has been found in Bind <= 9.11.1-P1,
allowing a remote attacker to bypass authentication in order to perform
unauthorized zone updates, altering the content of the zone. The
attacker needs to know the key name, and must still be permitted by any
other ACL restrictions that apply.

Impact
======

A remote attacker can bypass authentication in order to retrieve or
update the content of a zone.

References
==========

https://kb.isc.org/article/AA-01504/74/CVE-2017-3142%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-zone-transfers.html
https://kb.isc.org/article/AA-01503/74/CVE-2017-3143%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-dynamic-updates.html
https://security.archlinux.org/CVE-2017-3142
https://security.archlinux.org/CVE-2017-3143
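The Description notes that an attacker must also pass any other ACL restrictions on the zone. As an added illustration (not part of the advisory, and not ISC's or Arch's own configuration), the named.conf fragment below shows a zone whose transfer and update ACLs rest on the TSIG key alone beside the layered form that also requires the peer's source network; key name, secret and addresses are constructed placeholders.

```conf
# Added example: constructed key name, secret and addresses, not real values.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0";   # placeholder, base64 of "placeholder-secret"
};

zone "example.com" {
    type master;
    file "example.com.zone";

    # Weak: authorization rests on TSIG alone. With the CVE-2017-3142 /
    # CVE-2017-3143 defect, a remote peer that only knows the key name
    # has nothing else to satisfy here.
    # allow-transfer { key xfer-key; };
    # allow-update   { key xfer-key; };

    # Layered: the request must come from the secondary's network AND carry
    # the key. The nested list is BIND's idiom for "both must match": any
    # source outside 192.0.2.0/24 is rejected first, then the key is required.
    allow-transfer { !{ !192.0.2.0/24; any; }; key xfer-key; };
    allow-update   { !{ !192.0.2.0/24; any; }; key xfer-key; };

    # NOTIFY is only sent to, and accepted from, the listed secondary.
    also-notify  { 192.0.2.53; };
    allow-notify { 192.0.2.53; };
};
```

The layered form narrows exposure to hosts on the listed network; it does not replace upgrading to the fixed package.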