Security Advisory Important: bind security update

Advisory: RHSA-2016:0078-1
Type: Security Advisory
Severity: Important
Issued on: 2016-01-28
Last updated on: 2016-01-28
Affected Products: Red Hat Enterprise Linux Server AUS (v. 6.4)
Red Hat Enterprise Linux Server AUS (v. 6.5)
CVEs ( CVE-2014-8500


Updated bind packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 6.4 and 6.5 Advanced Update Support.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.

A denial of service flaw was found in the way BIND followed DNS
delegations. A remote attacker could use a specially crafted zone
containing a large number of referrals which, when looked up and processed,
would cause named to use excessive amounts of memory or crash.

A flaw was found in the way BIND handled requests for TKEY DNS resource
records. A remote attacker could use this flaw to make named (functioning
as an authoritative DNS server or a DNS resolver) exit unexpectedly with an
assertion failure via a specially crafted DNS request packet.

A denial of service flaw was found in the way BIND parsed certain malformed
DNSSEC keys. A remote attacker could use this flaw to send a specially
crafted DNS query (for example, a query requiring a response from a zone
containing a deliberately malformed key) that would cause named functioning
as a validating resolver to crash. (CVE-2015-5722)

A denial of service flaw was found in the way BIND processed certain
records with malformed class attributes. A remote attacker could use this
flaw to send a query to request a cached record with a malformed class
attribute that would cause named functioning as an authoritative or
recursive server to crash. (CVE-2015-8000)

Note: This issue affects authoritative servers as well as recursive
servers, however authoritative servers are at limited risk if they perform
authentication when making recursive queries to resolve addresses for
servers listed in NS RRSETs.

Red Hat would like to thank ISC for reporting the CVE-2015-5477,
CVE-2015-5722, and CVE-2015-8000 issues. Upstream acknowledges Jonathan
Foote as the original reporter of CVE-2015-5477, and Hanno Böck as the
original reporter of CVE-2015-5722.

All bind users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
update, the BIND daemon (named) will be restarted automatically.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

Updated packages

Red Hat Enterprise Linux Server AUS (v. 6.4)

File outdated by:  RHSA-2017:1582
    MD5: 5bcff5911424d250a3a04ad31186e62c
SHA-256: b959991678bbf3f7af8f6f0333fa3a259039e8289b00277f7b4d9fdaecdcbf53
File outdated by:  RHSA-2017:1582
    MD5: cea335ff6874dac37e5c300e586b7bb6
SHA-256: 1e0f29e4e943c1ad7b67c8f9909c64a91cb20bacca6c1e5191980ebca4affb00
File outdated by:  RHSA-2017:1582
    MD5: 51d54d43716f9afae93b88c22932977a
SHA-256: bd4d152e1c1b7285a38acc660909c92640f57e5dfb488807576a5962d148dd61
File outdated by:  RHSA-2017:1582
    MD5: ab730b44588c7b1c27913aed370896ca
SHA-256: 21008a38a9ecb4e309fa594b886a9d5a72748699a2044d21cb4dc43a08ab6077
File outdated by:  RHSA-2017:1582
    MD5: 87b74c5987d375ad425b99744235f7dd
SHA-256: 3bbd7bb5b1dc8dfb11a0aa228ae23a23cc825abce3248f3ea8e20f4e6d82501c
File outdated by:  RHSA-2017:1582
    MD5: a767212c6ca37bcdc48a824891d981de
SHA-256: fc737b72a4c6c8ae64c01f8140f7fe431a075c839cc1943a8e238103ca766869
File outdated by:  RHSA-2017:1582
    MD5: ecdf8911fa3f0b7d1aad5e0e6aefbd2f
SHA-256: 186932cff78f5c7669749cbf26e33bc0cb0b08304dd02143c66ed562143b0ac5
File outdated by:  RHSA-2017:1582
    MD5: d40c979a5f7e185919c56d7b68545dcc
SHA-256: be5d208ad675d465ba5e1284ab93e4ded830108512f49687ada6973cdb1b1da0
File outdated by:  RHSA-2017:1582
    MD5: efe58521440d33caa7dbf3df84282d79
SHA-256: ae026db9c3965aadd76f34d1d74e657e4780ef8094aed491a28eeda9a2c6656b
File outdated by:  RHSA-2017:1582
    MD5: 16dd33709b03b879663d31858f95c896
SHA-256: 0baf1d897b5ce67c37fab7ceae01ff8817524d03e9434be2c74123bdfc72366b
File outdated by:  RHSA-2017:1582
    MD5: cadf032694a71bb52b0c694e180343ad
SHA-256: dbddd24171c1afe1f2752bc64b5b8af385b6569b78607518ba7c42f532d32715
Red Hat Enterprise Linux Server AUS (v. 6.5)

File outdated by:  RHSA-2017:1582
    MD5: a82ac9174ec2d2ffcf8a692691b9bfb9
SHA-256: d5771a77469cc7d1cbe9586366cd166f0b5bd5d4be89271f2167a42f43b029e3
File outdated by:  RHSA-2017:1582
    MD5: badac2d77b1ecb12910dda7af12cae8f
SHA-256: fca0ceb4e12fa86dd5bbac450619f4f127080f29541b70963a5ef495b997e3b3
File outdated by:  RHSA-2017:1582
    MD5: ab4b129f3193f3cfbeaade03d8131856
SHA-256: 57e7b37d6ad2bce8dc25b5f62b78b1c18028fb39c9d41a7c8e9b8fbae7d58a53
File outdated by:  RHSA-2017:1582
    MD5: e05e1d21f0368cd0a5ff3f9bd53ee38d
SHA-256: c6694c99198d030934c75413bb242479759f80d508b1e7924d4fa225f5363f4f
File outdated by:  RHSA-2017:1582
    MD5: dc188bf0d89e7e2d22b1610024a6a166
SHA-256: 43bde2740c963f666efed4d3beae319d752fd8d3b821feef5828c072e6c9cc1d
File outdated by:  RHSA-2017:1582
    MD5: 3864ce20c56581f821f5fcbc5a66059e
SHA-256: 10f82cf7bc72892e6a2c6e99dec56abe6970f6bb166161553ad56de6e94c8c38
File outdated by:  RHSA-2017:1582
    MD5: 93b1b9ae4931ae9c691919e3b5d16361
SHA-256: 079cb42b78f2db81d7cf6a9dee221d28c79b6b48635ad545c849ee4a694e941d
File outdated by:  RHSA-2017:1582
    MD5: 7abd91bf5af314c85897846abf8226b3
SHA-256: 5730df1fe33337e5304e1169af85aeef2ada651e6d72359aa622ebdab83edd5b
File outdated by:  RHSA-2017:1582
    MD5: bf0fda72668ecc5b1b5c9e91ebca0b0d
SHA-256: b690c43b7df683239eee03e96559b63c32b55fb01c3caf89de82362e1cd2228e
File outdated by:  RHSA-2017:1582
    MD5: dd593777bc2d5a586867af7cd7f4a766
SHA-256: d2b631ca1281bdc1efb38a1559a8d1a06d521c092d8f2ca8052baa1f4e85842d
File outdated by:  RHSA-2017:1582
    MD5: 5574e15e93a8761196e28eee25a2f74e
SHA-256: 76751127ff8840f1b2e4065918ad92c6d79e85c0435efe5617bc1b703556dc22
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1171912 - CVE-2014-8500 bind: delegation handling denial of service
1247361 - CVE-2015-5477 bind: TKEY query handling flaw leading to denial of service
1259087 - CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service
1291176 - CVE-2015-8000 bind: responses with a malformed class attribute can trigger an assertion failure in db.c


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at