CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash
First published: Wed Feb 08 2017(Updated: )
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| ISC BIND | =9.9.3 | |
| ISC BIND | =9.9.3-s1 | |
| ISC BIND | =9.9.8 | |
| ISC BIND | =9.9.9-p5 | |
| ISC BIND | =9.9.9-s7 | |
| ISC BIND | =9.9.10-beta1 | |
| ISC BIND | =9.10.0 | |
| ISC BIND | =9.10.4-p1 | |
| ISC BIND | =9.10.4-p2 | |
| ISC BIND | =9.10.4-p3 | |
| ISC BIND | =9.10.4-p4 | |
| ISC BIND | =9.10.4-p5 | |
| ISC BIND | =9.10.5-beta1 | |
| ISC BIND | =9.11.0 | |
| ISC BIND | =9.11.0-p1 | |
| ISC BIND | =9.11.0-p2 | |
| ISC BIND | =9.11.1-beta1 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.3 | |
| Redhat Enterprise Linux Server Aus | =7.4 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Eus | =7.3 | |
| Redhat Enterprise Linux Server Eus | =7.4 | |
| Redhat Enterprise Linux Server Eus | =7.5 | |
| Redhat Enterprise Linux Server Eus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.3 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Netapp Data Ontap Edge | ||
| Netapp Element Software Management Node | ||
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.9-P6 BIND 9 version 9.10.4-P6 BIND 9 version 9.11.0-P3 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.9-S8
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-3135
- https://security-tracker.debian.org/tracker/CVE-2016-8864
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855520
- https://kb.isc.org/article/AA-01453
- http://rhn.redhat.com/errata/RHSA-2017-0276.html
- http://www.securityfocus.com/bid/96150
- http://www.securitytracker.com/id/1037801
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us
- https://kb.isc.org/docs/aa-01453
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180926-0005/
- https://www.debian.org/security/2017/dsa-3795
- collector/debian-bugs
- alias/CVE-2017-3135
- collector/security-tracker-debian
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/references
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- package-manager/debian
- vendor/isc
- canonical/isc bind
- version/isc bind/9.9.3
- version/isc bind/9.9.3-s1
- version/isc bind/9.9.8
- version/isc bind/9.9.9-p5
- version/isc bind/9.9.9-s7
- version/isc bind/9.9.10-beta1
- version/isc bind/9.10.0
- version/isc bind/9.10.4-p1
- version/isc bind/9.10.4-p2
- version/isc bind/9.10.4-p3
- version/isc bind/9.10.4-p4
- version/isc bind/9.10.4-p5
- version/isc bind/9.10.5-beta1
- version/isc bind/9.11.0
- version/isc bind/9.11.0-p1
- version/isc bind/9.11.0-p2
- version/isc bind/9.11.1-beta1
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.3
- version/redhat enterprise linux server eus/7.4
- version/redhat enterprise linux server eus/7.5
- version/redhat enterprise linux server eus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.3
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/netapp
- canonical/netapp data ontap edge
- canonical/netapp element software management node
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0