"Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.

Michael McNally

Jan 11, 2017, 7:01:40 PM
to bind-...@lists.isc.org
ISC has issued new security releases of BIND today, correcting
three exploitable vulnerabilities discovered in the course of our
internal fuzz-testing and an additional exploitable vulnerability
reported to us by a contributor.

The issues are:

CVE-2016-9131
CVE-2016-9147
CVE-2016-9444
CVE-2016-9778

and details about each can be found in the BIND Security Advisories
section of the ISC Knowledge Base:


https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/

New security releases have been issued which correct the vulnerabilities.
These are available via the http://www.isc.org/downloads web page:

BIND 9.9.9-P5
BIND 9.10.4-P5
BIND 9.11.0-P2

We encourage all parties using or distributing BIND to upgrade to these
versions as soon as possible so that they may be protected from the
vulnerabilities now that they have been publicly disclosed.


Michael McNally
ISC Security Officer

G.W. Haywood

Jan 12, 2017, 7:44:31 AM
to bind-...@lists.isc.org
Hi there,

On Thu, 12 Jan 2017, Michael McNally wrote:

> ISC has issued new security releases of BIND today [..snip..]
> These are available via the http://www.isc.org/downloads web page:
>
> BIND 9.9.9-P5
> BIND 9.10.4-P5
> BIND 9.11.0-P2
>
> ...

I'm trying to get BIND 9.9.9-P5 from the downloads page, but
it seems to be giving me something else...

--

73,
Ged.

Andrew

Jan 12, 2017, 8:22:09 AM
to bind-...@lists.isc.org
Looks like all is correctly delivered (all three versions of tar.gz) from
my side (UA).

On 12.01.2017 14:44, G.W. Haywood wrote:

G.W. Haywood

Jan 12, 2017, 10:37:37 AM
to bind-...@lists.isc.org
Hello again,

On Thu, 12 Jan 2017, Andrey Fanin wrote:
> On Thu, 12 Jan 2017, G.W. Haywood wrote:
> > On Thu, 12 Jan 2017, Michael McNally wrote:
> >
> > > ISC has issued new security releases of BIND today [..snip..]
> >
> > I'm trying to get BIND 9.9.9-P5 from the downloads page, but
> > it seems to be giving me something else...
>
> Looks all is correctly delivered ( all three versions of tar.gz )
> from my side ( UA )

Maybe it makes a difference that I'm in England, and using IPv6?

laptop3:~$ >>> wget https://www.isc.org/downloads/file/bind-9-9-10b1/?version=tar-gz -O bind.tgz
--2017-01-12 15:16:37-- https://www.isc.org/downloads/file/bind-9-9-10b1/?version=tar-gz
Resolving www.isc.org (www.isc.org)... 2001:4f8:0:2::69, 149.20.64.69
Connecting to www.isc.org (www.isc.org)|2001:4f8:0:2::69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘bind.tgz’

bind.tgz [.........=>.......] 8.98M 89.5KB/s in 71s

2017-01-12 15:17:50 (129 KB/s) - ‘bind.tgz’ saved [9414022]

laptop3:~$ >>> tar tzvf bind.tgz | head
drwxr-xr-x each/wheel 0 2016-12-29 22:25 bind-9.10.5b1/
-rw-r--r-- each/wheel 52 2016-12-29 22:22 bind-9.10.5b1/.gitattributes
-rw-r--r-- each/wheel 14 2016-12-29 22:25 bind-9.10.5b1/srcid
-rw-r--r-- each/wheel 88 2016-12-29 22:22 bind-9.10.5b1/Atffile
-rw-r--r-- each/wheel 479504 2016-12-29 22:22 bind-9.10.5b1/CHANGES
-rw-r--r-- each/wheel 27137 2016-12-29 22:22 bind-9.10.5b1/COPYRIGHT
-rw-r--r-- each/wheel 33543 2016-12-29 22:22 bind-9.10.5b1/FAQ
-rw-r--r-- each/wheel 45917 2016-12-29 22:22 bind-9.10.5b1/FAQ.xml
-rw-r--r-- each/wheel 12791 2016-12-29 22:22 bind-9.10.5b1/HISTORY
-rw-r--r-- each/wheel 3609 2016-12-29 22:22 bind-9.10.5b1/Makefile.in

--

73,
Ged.

project722

Jan 12, 2017, 10:51:53 AM
to G.W. Haywood, bind-...@lists.isc.org
Is there a way to mitigate these vulnerabilities outside of updating BIND? We use RHEL and have to wait on the official patch they provide. Our Bind version is 9.8.2 for RHEL 6 and 9.9.4 for RHEL 7. 


Phil Mayers

Jan 12, 2017, 10:55:37 AM
to bind-...@lists.isc.org
On 12/01/17 15:37, G.W. Haywood wrote:

> Maybe it makes a difference that I'm in England, and using IPv6?

FWIW I see the same thing - also UK-based on IPv6 but traceroute shows
I'm hitting a server in the US so I doubt that's relevant. Download of:

https://www.isc.org/downloads/file/bind-9-9-10b1/?version=tar-gz

...contains:

rwxr-xr-x each/wheel 0 2016-12-29 22:25 bind-9.10.5b1/

...i.e. the 9.9.10b1 tarball claims the contents of 9.10.5b1.
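The mismatch Ged and Phil describe (a tarball fetched under one version's URL whose top-level directory names a different version) is cheap to catch before running ./configure. The following is an added example, not code from the thread or from ISC: a small POSIX sh check that reads the first entry of a tarball listing and compares it with the version you intended to build. The fixture it builds under mktemp is constructed for the demonstration and stands in for the mislabelled download; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC): verify that a BIND source
# tarball's top-level directory matches the version you asked for, so a
# mislabelled download is caught before ./configure && make.

# Usage: tarball_toplevel FILE -> prints the top-level directory of the archive
tarball_toplevel() {
    # First entry in the listing, with the trailing slash and any path removed
    tar tzf "$1" | head -n 1 | sed 's,/.*$,,'
}

# Usage: check_tarball_version FILE EXPECTED_VERSION
# Returns 0 when the archive's top-level directory is bind-EXPECTED_VERSION,
# 1 otherwise (the message goes to stderr so it shows up in build logs).
check_tarball_version() {
    expected="bind-$2"
    actual=$(tarball_toplevel "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 contains $actual"
        return 0
    fi
    echo "MISMATCH: $1 contains '$actual', expected '$expected'" >&2
    return 1
}

# Constructed fixture (hypothetical data): an archive whose contents are
# bind-9.10.5b1 although it was fetched as if it were 9.9.10b1, mirroring
# the tar listing posted above. Prints the path of the created tarball.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bind-9.10.5b1"
    echo "constructed" > "$dir/bind-9.10.5b1/srcid"
    tar czf "$dir/bind.tgz" -C "$dir" bind-9.10.5b1
    echo "$dir/bind.tgz"
}

# Demonstration: the wrong expectation fails, the right one passes.
FIXTURE=$(make_fixture)
check_tarball_version "$FIXTURE" 9.9.10b1 || echo "(wrong contents, as in the thread)"
check_tarball_version "$FIXTURE" 9.10.5b1
rm -rf "$(dirname "$FIXTURE")"
```

A directory-name check only catches labelling mix-ups like this one; for an integrity check of the download itself, compare the tarball against the signature ISC publishes alongside it rather than against anything inside the archive.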

Dennis Clarke

Jan 12, 2017, 12:38:02 PM
to bind-...@lists.isc.org
On 01/12/2017 03:51 PM, project722 wrote:
> Is there a way to mitigate these vulnerabilities outside of updating

The source code from ISC is the official patch.

> We use RHEL and have to wait on the official patch they provide.

I run Solaris servers from Oracle and I build iscbind named service
from sources from ISC and that is the official patch.

> Our Bind version is 9.8.2 for RHEL 6 and 9.9.4 for RHEL 7.

Yes, Red Hat is very slow to release security patches.

Really, you need to make a slight adjustment and realize that the real
patch is from ISC and then you make the decision to wait for someone
else to compile it in for you ( Red Hat or whomever ) or just do it
yourself and then you know it is done and you even know it was done
correctly and as a real bonus you know who did it.

Dennis Clarke
d...@genunix.com
