SB2015121618 - Slackware Linux update for bind
Published: December 16, 2015 Updated: May 6, 2017
Security Bulletin ID
SB2015121618
Severity
Medium
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2015-3193)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists in the Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl on the x86_64 platform, as used by the BN_mod_exp function, due to mishandling of carry propagation and producing incorrect output. A remote attacker can gain potentially sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
2) Assertion failure (CVE-ID: CVE-2015-8000)
A remote attacker can trigger denial of service (DoS) conditions.The vulnerability exists due to a parsing error when processing incoming responses within db.c file. A remote attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion, causing named to exit and denying service to clients.
Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack.
3) Race condition (CVE-ID: CVE-2015-8461)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Race condition in resolver.c in named in ISC BIND 9.9.8 before 9.9.8-P2 and 9.10.3 before 9.10.3-P2 allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via unspecified vectors.
Remediation
Install update from vendor's website.