From owner-svn-ports-all@freebsd.org Thu Apr 13 03:58:34 2017 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4959AD3BC3E; Thu, 13 Apr 2017 03:58:34 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F4174279; Thu, 13 Apr 2017 03:58:33 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v3D3wXu7009618; Thu, 13 Apr 2017 03:58:33 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v3D3wWFm009616; Thu, 13 Apr 2017 03:58:32 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201704130358.v3D3wWFm009616@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Thu, 13 Apr 2017 03:58:32 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r438420 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Apr 2017 03:58:34 -0000 Author: delphij Date: Thu Apr 13 03:58:32 2017 New Revision: 438420 URL: https://svnweb.freebsd.org/changeset/ports/438420 Log: Document BIND multiple vulnerabilities. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Apr 13 03:55:56 2017 (r438419) +++ head/security/vuxml/vuln.xml Thu Apr 13 03:58:32 2017 (r438420) @@ -58,6 +58,72 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + BIND -- multiple vulnerabilities + + + bind99 + 9.9.9P8 + + + bind910 + 9.10.4P8 + + + bind911 + 9.11.0P5 + + + bind9-devel + 9.12.0.a.2017.04.12 + + + + +

ISC reports:

+
A query with a specific set of characteristics could + cause a server using DNS64 to encounter an assertion + failure and terminate.
+
An attacker could deliberately construct a query, + enabling denial-of-service against a server if it + was configured to use the DNS64 feature and other + preconditions were met.
+

+
Mistaken assumptions about the ordering of records in + the answer section of a response containing CNAME or + DNAME resource records could lead to a situation in + which named would exit with an assertion failure when + processing a response in which records occurred in an + unusual order.
+

+
named contains a feature which allows operators to + issue commands to a running server by communicating + with the server process over a control channel, + using a utility program such as rndc.
+
A regression introduced in a recent feature change + has created a situation under which some versions of + named can be caused to exit with a REQUIRE assertion + failure if they are sent a null command string.
+

+ + + + CVE-2017-3136 + CVE-2017-3137 + CVE-2017-3138 + https://kb.isc.org/article/AA-01465/0 + https://kb.isc.org/article/AA-01466/0 + https://kb.isc.org/article/AA-01471/0 + + + 2017-04-12 + 2017-04-13 + + + id Tech 3 -- remote code execution vulnerability