[ASA-201902-25] bind: multiple issues
Arch Linux Security Advisory ASA-201902-25
==========================================

Severity: High
Date    : 2019-02-25
CVE-ID  : CVE-2018-5744 CVE-2018-5745 CVE-2019-6465
Package : bind
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-915

Summary
=======

The package bind before version 9.13.7-1 is vulnerable to multiple issues including denial of service and access restriction bypass.

Resolution
==========

Upgrade to 9.13.7-1.

# pacman -Syu "bind>=9.13.7-1"

The problems have been fixed upstream in version 9.13.7.

Workaround
==========

None.

Description
===========

- CVE-2018-5744 (denial of service)

A failure to free memory when processing messages that carry a specific combination of EDNS options has been found in bind before 9.13.7. By exploiting this condition, an attacker can potentially cause named's memory use to grow without bounds until all memory available to the process is exhausted. Typically a server process is limited in the amount of memory it can use, but if the named process is not limited by the operating system, all free memory on the server could be exhausted.

- CVE-2018-5745 (denial of service)

"managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Before 9.13.7, due to an error in the managed-keys feature, it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.

- CVE-2019-6465 (access restriction bypass)

Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable in bind before 9.13.7. A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.

Impact
======

A remote user can bypass the allow-transfer ACL to access sensitive information in a DLZ, or crash the server.

References
==========

https://kb.isc.org/docs/cve-2018-5744
https://kb.isc.org/docs/cve-2018-5745
https://kb.isc.org/docs/cve-2019-6465
https://security.archlinux.org/CVE-2018-5744
https://security.archlinux.org/CVE-2018-5745
https://security.archlinux.org/CVE-2019-6465
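A fleet-audit helper for the Resolution above, added here as an example and not part of the Arch advisory: it reads lines in `pacman -Q bind` format (constructed samples below, not real hosts) and reports whether each installed version predates the fixed 9.13.7-1. The ordering is a simplified re-implementation of pacman's vercmp rules (epoch, then pkgver, then pkgrel; digit runs compare numerically; a trailing alpha run such as `rc1` sorts below the bare version), which is an assumption of this example rather than a call into pacman itself.

```python
import re

# Boundary stated in ASA-201902-25: bind older than 9.13.7-1 is affected.
FIXED_VERSION = "9.13.7-1"

# Constructed sample lines in `pacman -Q bind` output format (not from real hosts).
SAMPLE_PACMAN_Q = ["bind 9.13.5-1", "bind 9.13.7-1", "bind 9.13.7-2", "bind 1:9.13.6-1"]


def _parse(version):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel); epoch defaults to 0."""
    epoch, _, rest = version.rpartition(":")
    pkgver, _, pkgrel = rest.partition("-")
    return int(epoch or 0), pkgver, pkgrel or "0"


def _cmp(a, b):
    """Simplified vercmp ordering: alternating digit/alpha runs, digits compared
    numerically, a numeric run beats an alpha run, and an extra trailing alpha run
    (e.g. '7rc1' vs '7') makes the version older. Returns -1, 0 or 1."""
    seg = lambda s: [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]
    sa, sb = seg(a), seg(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    leftover = longer[min(len(sa), len(sb))]
    return sign if isinstance(leftover, int) else -sign


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed bind version sorts before the fixed version."""
    ei, vi, ri = _parse(installed)
    ef, vf, rf = _parse(fixed)
    if ei != ef:
        return ei < ef
    return (_cmp(vi, vf) or _cmp(ri, rf)) < 0


def audit(pacman_q_lines):
    """Map each version from `pacman -Q bind` output to whether it is affected."""
    return {v: is_affected(v) for name, v in (l.split() for l in pacman_q_lines) if name == "bind"}
```

Feed it real `pacman -Q bind` output collected from hosts to see which ones still need the upgrade.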