Date: Thu, 13 Apr 2017 03:58:32 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r438420 - head/security/vuxml
Message-ID: <201704130358.v3D3wWFm009616@repo.freebsd.org>
Author: delphij Date: Thu Apr 13 03:58:32 2017 New Revision: 438420 URL: https://svnweb.freebsd.org/changeset/ports/438420 Log: Document BIND multiple vulnerabilities. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Apr 13 03:55:56 2017 (r438419) +++ head/security/vuxml/vuln.xml Thu Apr 13 03:58:32 2017 (r438420) 
@@ -58,6 +58,72 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="c6861494-1ffb-11e7-934d-d05099c0ae8c"> + <topic>BIND -- multiple vulnerabilities</topic> + <affects> + <package> + <name>bind99</name> + <range><lt>9.9.9P8</lt></range> + </package> + <package> + <name>bind910</name> + <range><lt>9.10.4P8</lt></range> + </package> + <package> + <name>bind911</name> + <range><lt>9.11.0P5</lt></range> + </package> + <package> + <name>bind9-devel</name> + <range><le>9.12.0.a.2017.04.12</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>ISC reports:</p> + <blockquote cite="https://kb.isc.org/article/AA-01465/0"> + <p>A query with a specific set of characteristics could + cause a server using DNS64 to encounter an assertion + failure and terminate.</p> + <p>An attacker could deliberately construct a query, + enabling denial-of-service against a server if it + was configured to use the DNS64 feature and other + preconditions were met.</p> + </blockquote> + <blockquote cite="https://kb.isc.org/article/AA-01466/0"> + <p>Mistaken assumptions about the ordering of records in + the answer section of a response containing CNAME or + DNAME resource records could lead to a situation in + which named would exit with an assertion failure when + processing a response in which records occurred in an + unusual order.</p> + </blockquote> + <blockquote cite="https://kb.isc.org/article/AA-01471/0"> + <p>named contains a feature which allows operators to + issue commands to a running server by communicating + with the server process over a control channel, + using a utility program such as rndc.</p> + <p>A regression introduced in a recent feature change + has created a situation under which some versions of + named can be caused to exit with a REQUIRE assertion + failure if they are sent a null command string.</p> + </blockquote> + </body> + 
</description> + <references> + <cvename>CVE-2017-3136</cvename> + <cvename>CVE-2017-3137</cvename> + <cvename>CVE-2017-3138</cvename> + <url>https://kb.isc.org/article/AA-01465/0</url> + <url>https://kb.isc.org/article/AA-01466/0</url> + <url>https://kb.isc.org/article/AA-01471/0</url> + </references> + <dates> + <discovery>2017-04-12</discovery> + <entry>2017-04-13</entry> + </dates> + </vuln> + <vuln vid="e48355d7-1548-11e7-8611-0090f5f2f347"> <topic>id Tech 3 -- remote code execution vulnerability</topic> <affects>
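Review bot: the `<affects>` block gives all four packages an upper bound only (`<lt>9.9.9P8</lt>`, `<lt>9.10.4P8</lt>`, `<lt>9.11.0P5</lt>`, `<le>9.12.0.a.2017.04.12</le>`) and applies it to all three CVEs at once, while the quoted AA-01471 text describes the rndc null-command crash as a regression from "a recent feature change" that affects "some versions of named". If the ISC advisory limits that issue to particular releases, consider moving CVE-2017-3138 into its own `<vuln>` entry with `<ge>` lower bounds, so that consumers of vuln.xml do not attribute it to releases that predate the regression. The three `<blockquote>` elements are tied to the `<cvename>` list only by their order; a short `<p>` naming the CVE in front of each quote would make the mapping explicit. It is also worth confirming that `<le>` is intended for bind9-devel, since that bound carries the same date as `<discovery>2017-04-12</discovery>`.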