Vulnerabilities > CVE-2016-8864 - Reachable Assertion vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
isc
netapp
redhat
debian
CWE-617
nessus

Summary

named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.

Vulnerable Configurations

Part Description Count
Application
Isc
1115
Application
Netapp
3
OS
Redhat
31
OS
Debian
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0034.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix CVE-2016-9147 (ISC change 4510) - Fix regression introduced by CVE-2016-8864 (ISC change 4530)
    last seen2020-06-01
    modified2020-06-02
    plugin id96591
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96591
    titleOracleVM 3.2 : bind (OVMSA-2017-0034)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2017-0034.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96591);
      script_version("3.8");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2016-8864", "CVE-2016-9147");
    
      script_name(english:"OracleVM 3.2 : bind (OVMSA-2017-0034)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - Fix CVE-2016-9147 (ISC change 4510)
    
      - Fix regression introduced by CVE-2016-8864 (ISC change
        4530)"
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2017-January/000623.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0a34de07"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected bind-libs / bind-utils packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:bind-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:bind-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.2", reference:"bind-libs-9.3.6-25.P1.el5_11.12")) flag++;
    if (rpm_check(release:"OVS3.2", reference:"bind-utils-9.3.6-25.P1.el5_11.12")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bind-libs / bind-utils");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-96B7F4F53E.NASL
    descriptionSecurity fix for CVE-2017-3135 (unaffected), fixes regression made by CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-06
    plugin id97536
    published2017-03-06
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97536
    titleFedora 25 : bind99 (2017-96b7f4f53e)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL35322517.NASL
    descriptionnamed in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. (CVE-2016-8864)
    last seen2020-06-01
    modified2020-06-02
    plugin id97154
    published2017-02-15
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97154
    titleF5 Networks BIG-IP : BIND vulnerability (K35322517)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161103_BIND_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864)
    last seen2020-03-18
    modified2016-12-15
    plugin id95834
    published2016-12-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95834
    titleScientific Linux Security Update : bind on SL7.x x86_64 (20161103)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2706-1.NASL
    descriptionThis update for bind fixes the following issues : - A defect in BIND
    last seen2020-06-01
    modified2020-06-02
    plugin id94507
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94507
    titleSUSE SLES11 Security Update : bind (SUSE-SU-2016:2706-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2142.NASL
    descriptionAn update for bind97 is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94503
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94503
    titleRHEL 5 : bind97 (RHSA-2016:2142)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1272.NASL
    descriptionThis update for bind fixes the following issues : - A defect in BIND
    last seen2020-06-05
    modified2016-11-08
    plugin id94619
    published2016-11-08
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94619
    titleopenSUSE Security Update : bind (openSUSE-2016-1272)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2871.NASL
    descriptionAn update for bind is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.5 Telco Extended Update Support, Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support, and Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id95563
    published2016-12-06
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95563
    titleRHEL 6 : bind (RHSA-2016:2871)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2696-1.NASL
    descriptionThis update for bind fixes the following security issue : - A defect in BIND
    last seen2020-06-01
    modified2020-06-02
    plugin id94504
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94504
    titleSUSE SLES12 Security Update : bind (SUSE-SU-2016:2696-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-8E39076950.NASL
    descriptionSecurity fix for CVE-2016-6170 ---- Security fix for CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-25
    plugin id95305
    published2016-11-25
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95305
    titleFedora 23 : bind99 (2016-8e39076950)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-9417B4C1DC.NASL
    descriptionAllow zone size limit (CVE-2016-6170) ---- Security fix for CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-17
    plugin id94926
    published2016-11-17
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94926
    titleFedora 24 : bind99 (2016-9417b4c1dc)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161102_BIND97_ON_SL5_X.NASL
    descriptionSecurity Fix(es) : - A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864)
    last seen2020-03-18
    modified2016-11-04
    plugin id94570
    published2016-11-04
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94570
    titleScientific Linux Security Update : bind97 on SL5.x i386/x86_64 (20161102)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2142.NASL
    descriptionFrom Red Hat Security Advisory 2016:2142 : An update for bind97 is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94496
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94496
    titleOracle Linux 5 : bind97 (ELSA-2016-2142)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2016-0152.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix (CVE-2016-8864)
    last seen2020-06-01
    modified2020-06-02
    plugin id94497
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94497
    titleOracleVM 3.3 / 3.4 : bind (OVMSA-2016-0152)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3795.NASL
    descriptionIt was discovered that a maliciously crafted query can cause ISC
    last seen2020-06-01
    modified2020-06-02
    plugin id97399
    published2017-02-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97399
    titleDebian DSA-3795-1 : bind9 - security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-768.NASL
    descriptionA denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
    last seen2020-06-01
    modified2020-06-02
    plugin id94974
    published2016-11-21
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94974
    titleAmazon Linux AMI : bind (ALAS-2016-768)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV91255.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DNAME answer in db.c or resolver.c. By sending a recursive response, a remote attacker could exploit this vulnerability to trigger an assertion failure. ISC BIND is vulnerable to a denial of service. By sending a specially crafted DNS packet with malformed options, a remote attacker could exploit this vulnerability to trigger an assertion failure. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_bind_advisory14.nasl (plugin id 102126).
    last seen2017-10-29
    modified2017-08-03
    plugin id95892
    published2016-12-16
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=95892
    titleAIX 7.1 TL 4 : bind (IV91255) (deprecated)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0033.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix CVE-2016-9147 (ISC change 4510) - Fix regression introduced by CVE-2016-8864 (ISC change 4530)
    last seen2020-06-01
    modified2020-06-02
    plugin id96590
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96590
    titleOracleVM 3.3 / 3.4 : bind (OVMSA-2017-0033)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0100.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix DNSKEY that encountered a CNAME (#1447869, ISC change 3391) - Fix CVE-2017-3136 (ISC change 4575) - Fix CVE-2017-3137 (ISC change 4578) - Fix and test caching CNAME before DNAME (ISC change 4558) - Fix CVE-2016-9147 (ISC change 4510) - Fix regression introduced by CVE-2016-8864 (ISC change 4530) - Restore SELinux contexts before named restart - Use /lib or /lib64 only if directory in chroot already exists - Tighten NSS library pattern, escape chroot mount path - Fix (CVE-2016-8864) - Do not change lib permissions in chroot (#1321239) - Support WKS records in chroot (#1297562) - Do not include patch backup in docs (fixes #1325081 patch) - Backported relevant parts of [RT #39567] (#1259923) - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283) - Fix multiple realms in nsupdate script like upstream (#1313286) - Fix multiple realm in nsupdate script (#1313286) - Use resolver-query-timeout high enough to recover all forwarders (#1325081)
    last seen2020-06-01
    modified2020-06-02
    plugin id100090
    published2017-05-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100090
    titleOracleVM 3.3 / 3.4 : bind (OVMSA-2017-0100)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-26.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-26 (BIND: Denial of Service) A defect in BIND&rsquo;s handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c. Impact : A remote attacker could send a specially crafted DNS request to the BIND resolver possibly resulting in a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96420
    published2017-01-12
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96420
    titleGLSA-201701-26 : BIND: Denial of Service
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2615.NASL
    descriptionAn update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94605
    published2016-11-07
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94605
    titleRHEL 7 : bind (RHSA-2016:2615)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2142.NASL
    descriptionAn update for bind97 is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94472
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94472
    titleCentOS 5 : bind97 (CESA-2016:2142)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-696.NASL
    descriptionTony Finch and Marco Davids reported an assertion failure in BIND, a DNS server implementation, which causes the server process to terminate. This denial of service vulnerability is related to a defect in the processing of responses with DNAME records from authoritative servers and primarily affects recursive resolvers. For Debian 7
    last seen2020-03-17
    modified2016-11-03
    plugin id94477
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94477
    titleDebian DLA-696-1 : bind9 security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3703.NASL
    descriptionTony Finch and Marco Davids reported an assertion failure in BIND, a DNS server implementation, which causes the server process to terminate. This denial-of-service vulnerability is related to a defect in the processing of responses with DNAME records from authoritative servers and primarily affects recursive resolvers.
    last seen2020-06-01
    modified2020-06-02
    plugin id94478
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94478
    titleDebian DSA-3703-1 : bind9 - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-E38196B52A.NASL
    descriptionSecurity fix for CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-14
    plugin id94749
    published2016-11-14
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94749
    titleFedora 24 : 32:bind (2016-e38196b52a)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-46137973BA.NASL
    descriptionSecurity fix for CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-21
    plugin id95000
    published2016-11-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95000
    titleFedora 25 : 32:bind (2016-46137973ba)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-D0C9BF9508.NASL
    descriptionSecurity fix for CVE-2017-3135 (unaffected), fixes regression made by CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-06
    plugin id97541
    published2017-03-06
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97541
    titleFedora 24 : bind99 (2017-d0c9bf9508)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2615.NASL
    descriptionFrom Red Hat Security Advisory 2016:2615 : An update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94727
    published2016-11-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94727
    titleOracle Linux 7 : bind (ELSA-2016-2615)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV91256.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DNAME answer in db.c or resolver.c. By sending a recursive response, a remote attacker could exploit this vulnerability to trigger an assertion failure. ISC BIND is vulnerable to a denial of service. By sending a specially crafted DNS packet with malformed options, a remote attacker could exploit this vulnerability to trigger an assertion failure. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_bind_advisory14.nasl (plugin id 102126).
    last seen2017-10-29
    modified2017-08-03
    plugin id96153
    published2016-12-28
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=96153
    titleAIX 7.2 TL 0 : bind (IV91256) (deprecated)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2016-308-02.NASL
    descriptionNew bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id94517
    published2016-11-04
    reporterThis script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94517
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bind (SSA:2016-308-02)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2697-1.NASL
    descriptionThis update for bind fixes the following issues : - A defect in BIND
    last seen2020-06-01
    modified2020-06-02
    plugin id94505
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94505
    titleSUSE SLED12 / SLES12 Security Update : bind (SUSE-SU-2016:2697-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2016-1079.NASL
    descriptionAccording to the version of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-05-01
    plugin id99839
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99839
    titleEulerOS 2.0 SP1 : bind (EulerOS-SA-2016-1079)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2141.NASL
    descriptionAn update for bind is now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94502
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94502
    titleRHEL 5 / 6 : bind (RHSA-2016:2141)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2020-0021.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0021 for details.
    last seen2020-06-10
    modified2020-06-05
    plugin id137170
    published2020-06-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137170
    titleOracleVM 3.3 / 3.4 : bind (OVMSA-2020-0021)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV91257.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DNAME answer in db.c or resolver.c. By sending a recursive response, a remote attacker could exploit this vulnerability to trigger an assertion failure. ISC BIND is vulnerable to a denial of service. By sending a specially crafted DNS packet with malformed options, a remote attacker could exploit this vulnerability to trigger an assertion failure. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_bind_advisory14.nasl (plugin id 102126).
    last seen2017-10-29
    modified2017-08-03
    plugin id96154
    published2016-12-28
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=96154
    titleAIX 7.2 TL 1 : bind (IV91257) (deprecated)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-605FD98C32.NASL
    descriptionSecurity fix for CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-29
    plugin id95376
    published2016-11-29
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95376
    titleFedora 23 : 32:bind (2016-605fd98c32)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2615.NASL
    descriptionAn update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id95354
    published2016-11-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95354
    titleCentOS 7 : bind (CESA-2016:2615)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV91214.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DNAME answer in db.c or resolver.c. By sending a recursive response, a remote attacker could exploit this vulnerability to trigger an assertion failure. ISC BIND is vulnerable to a denial of service. By sending a specially crafted DNS packet with malformed options, a remote attacker could exploit this vulnerability to trigger an assertion failure. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_bind_advisory14.nasl (plugin id 102126).
    last seen2017-10-29
    modified2017-08-03
    plugin id95890
    published2016-12-16
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=95890
    titleAIX 7.1 TL 3 : bind (IV91214) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV91254.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DNAME answer in db.c or resolver.c. By sending a recursive response, a remote attacker could exploit this vulnerability to trigger an assertion failure. ISC BIND is vulnerable to a denial of service. By sending a specially crafted DNS packet with malformed options, a remote attacker could exploit this vulnerability to trigger an assertion failure. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_bind_advisory14.nasl (plugin id 102126).
    last seen2017-10-29
    modified2017-08-03
    plugin id95891
    published2016-12-16
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=95891
    titleAIX 6.1 TL 9 : bind (IV91254) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV91253.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DNAME answer in db.c or resolver.c. By sending a recursive response, a remote attacker could exploit this vulnerability to trigger an assertion failure. ISC BIND is vulnerable to a denial of service. By sending a specially crafted DNS packet with malformed options, a remote attacker could exploit this vulnerability to trigger an assertion failure. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_bind_advisory14.nasl (plugin id 102126).
    last seen2017-10-29
    modified2017-08-03
    plugin id96152
    published2016-12-28
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=96152
    titleAIX 5.3 TL 12 : bind (IV91253) (deprecated)
  • NASL familyDNS
    NASL idBIND9_CVE-2016-8864.NASL
    descriptionAccording to its self-reported version number, the instance of ISC BIND 9 running on the remote name server is affected by a denial of service vulnerability due to improper handling of a recursive response containing a DNAME record in the answer section. An unauthenticated, remote attacker can exploit this to cause an assertion failure and daemon exit. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id94577
    published2016-11-04
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94577
    titleISC BIND 9 Recursive Response DNAME Record Handling DoS
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-567A5591E4.NASL
    descriptionSecurity fix for CVE-2016-6170 ---- Security fix for CVE-2016-8864 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-21
    plugin id95003
    published2016-11-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95003
    titleFedora 25 : bind99 (2016-567a5591e4)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0066.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix CVE-2017-3136 (ISC change 4575) - Fix CVE-2017-3137 (ISC change 4578) - Fix and test caching CNAME before DNAME (ISC change 4558) - Fix CVE-2016-9147 (ISC change 4510) - Fix regression introduced by CVE-2016-8864 (ISC change 4530) - Restore SELinux contexts before named restart - Use /lib or /lib64 only if directory in chroot already exists - Tighten NSS library pattern, escape chroot mount path - Fix (CVE-2016-8864) - Do not change lib permissions in chroot (#1321239) - Support WKS records in chroot (#1297562) - Do not include patch backup in docs (fixes #1325081 patch) - Backported relevant parts of [RT #39567] (#1259923) - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283) - Fix multiple realms in nsupdate script like upstream (#1313286) - Fix multiple realm in nsupdate script (#1313286) - Use resolver-query-timeout high enough to recover all forwarders (#1325081) - Fix (CVE-2016-2848) - Fix infinite loop in start_lookup (#1306504) - Fix (CVE-2016-2776)
    last seen2020-06-01
    modified2020-06-02
    plugin id99569
    published2017-04-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99569
    titleOracleVM 3.3 / 3.4 : bind (OVMSA-2017-0066)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1583.NASL
    descriptionAn update for bind is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) * A denial of service flaw was found in the way BIND processed a response to an ANY query. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9131) * A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9147) * A denial of service flaw was found in the way BIND handled an unusually-formed DS record response. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9444) * A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137) Red Hat would like to thank ISC for reporting these issues. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters of CVE-2016-8864. Bug Fix(es) : * ICANN is planning to perform a Root Zone DNSSEC Key Signing Key (KSK) rollover during October 2017. Maintaining an up-to-date KSK is essential for ensuring that validating DNS resolvers continue to function following the rollover. (BZ#1459648)
    last seen2020-06-01
    modified2020-06-02
    plugin id101100
    published2017-06-29
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101100
    titleRHEL 7 : bind (RHSA-2017:1583)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3119-1.NASL
    descriptionTony Finch and Marco Davids discovered that Bind incorrectly handled certain responses containing a DNAME answer. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94468
    published2016-11-02
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94468
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : bind9 vulnerability (USN-3119-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_0B8D01A4A0D211E69CA2D050996490D0.NASL
    descriptionISC reports : A defect in BIND
    last seen2020-06-01
    modified2020-06-02
    plugin id94491
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94491
    titleFreeBSD : BIND -- Remote Denial of Service vulnerability (0b8d01a4-a0d2-11e6-9ca2-d050996490d0)
  • NASL familyAIX Local Security Checks
    NASL idAIX_BIND_ADVISORY14.NASL
    descriptionThe version of bind installed on the remote AIX host is affected by the following vulnerabilities : - A denial of service vulnerability exists when handling malformed options sections. An unauthenticated, remote attacker can exploit this, via a specially crafted OPT resource record, to cause an assertion failure, resulting in a daemon exit. (CVE-2016-2848) - A denial of service vulnerability exists due to improper handling of a recursive response containing a DNAME record in the answer section. An unauthenticated, remote attacker can exploit this to cause an assertion failure and daemon exit. (CVE-2016-8864)
    last seen2020-06-01
    modified2020-06-02
    plugin id102126
    published2017-08-03
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102126
    titleAIX bind Advisory : bind_advisory14.asc (IV91214) (IV91253) (IV91254) (IV91255) (IV91256) (IV91257)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1273.NASL
    descriptionThis update for bind fixes the following issues : - A defect in BIND
    last seen2020-06-05
    modified2016-11-08
    plugin id94620
    published2016-11-08
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94620
    titleopenSUSE Security Update : bind (openSUSE-2016-1273)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161102_BIND_ON_SL5_X.NASL
    descriptionSecurity Fix(es) : - A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864)
    last seen2020-03-18
    modified2016-11-04
    plugin id94571
    published2016-11-04
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94571
    titleScientific Linux Security Update : bind on SL5.x, SL6.x i386/x86_64 (20161102)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2141.NASL
    descriptionFrom Red Hat Security Advisory 2016:2141 : An update for bind is now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94495
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94495
    titleOracle Linux 5 / 6 : bind (ELSA-2016-2141)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2016-0153.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix (CVE-2016-8864)
    last seen2020-06-01
    modified2020-06-02
    plugin id94498
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94498
    titleOracleVM 3.2 : bind (OVMSA-2016-0153)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2141.NASL
    descriptionAn update for bind is now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es) : * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id94471
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94471
    titleCentOS 5 / 6 : bind (CESA-2016:2141)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1433.NASL
    descriptionAccording to the versions of the bind packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet.(CVE-2016-2776) - A denial of service flaw was found in the way BIND processed certain control channel input. A remote attacker able to send a malformed packet to the control channel could use this flaw to cause named to crash.(CVE-2016-1285) - A flaw was found in the way BIND performed DNSSEC validation. An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure.(CVE-2015-4620) - A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet.(CVE-2015-5477) - A denial of service flaw was found in the way BIND handled queries for NSEC3-signed zones. A remote attacker could use this flaw against an authoritative name server that served NCES3-signed zones by sending a specially crafted query, which, when processed, would cause named to crash.(CVE-2014-0591) - A denial of service flaw was found in the way BIND parsed certain malformed DNSSEC keys. A remote attacker could use this flaw to send a specially crafted DNS query (for example, a query requiring a response from a zone containing a deliberately malformed key) that would cause named functioning as a validating resolver to crash.(CVE-2015-5722) - It was found that the lightweight resolver protocol implementation in BIND could enter an infinite recursion and crash when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the
    last seen2020-06-01
    modified2020-06-02
    plugin id124936
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124936
    titleEulerOS Virtualization 3.0.1.0 : bind (EulerOS-SA-2019-1433)

Redhat

advisories
  • bugzilla
    id1389652
    titleCVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentbind-libs is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141001
          • commentbind-libs is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057002
        • AND
          • commentbind-chroot is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141003
          • commentbind-chroot is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057008
        • AND
          • commentbind-utils is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141005
          • commentbind-utils is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057014
        • AND
          • commentbind-sdb is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141007
          • commentbind-sdb is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057010
        • AND
          • commentcaching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141009
          • commentcaching-nameserver is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057004
        • AND
          • commentbind-devel is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141011
          • commentbind-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057012
        • AND
          • commentbind is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141013
          • commentbind is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057016
        • AND
          • commentbind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.11
            ovaloval:com.redhat.rhsa:tst:20162141015
          • commentbind-libbind-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070057006
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentbind-sdb is earlier than 32:9.8.2-0.47.rc1.el6_8.3
            ovaloval:com.redhat.rhsa:tst:20162141018
          • commentbind-sdb is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651002
        • AND
          • commentbind-devel is earlier than 32:9.8.2-0.47.rc1.el6_8.3
            ovaloval:com.redhat.rhsa:tst:20162141020
          • commentbind-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651004
        • AND
          • commentbind-utils is earlier than 32:9.8.2-0.47.rc1.el6_8.3
            ovaloval:com.redhat.rhsa:tst:20162141022
          • commentbind-utils is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651012
        • AND
          • commentbind-chroot is earlier than 32:9.8.2-0.47.rc1.el6_8.3
            ovaloval:com.redhat.rhsa:tst:20162141024
          • commentbind-chroot is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651008
        • AND
          • commentbind-libs is earlier than 32:9.8.2-0.47.rc1.el6_8.3
            ovaloval:com.redhat.rhsa:tst:20162141026
          • commentbind-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651010
        • AND
          • commentbind is earlier than 32:9.8.2-0.47.rc1.el6_8.3
            ovaloval:com.redhat.rhsa:tst:20162141028
          • commentbind is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651006
    rhsa
    idRHSA-2016:2141
    released2016-11-02
    severityImportant
    titleRHSA-2016:2141: bind security update (Important)
  • bugzilla
    id1389652
    titleCVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentbind97-chroot is earlier than 32:9.7.0-21.P2.el5_11.9
            ovaloval:com.redhat.rhsa:tst:20162142001
          • commentbind97-chroot is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110845010
        • AND
          • commentbind97 is earlier than 32:9.7.0-21.P2.el5_11.9
            ovaloval:com.redhat.rhsa:tst:20162142003
          • commentbind97 is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110845002
        • AND
          • commentbind97-libs is earlier than 32:9.7.0-21.P2.el5_11.9
            ovaloval:com.redhat.rhsa:tst:20162142005
          • commentbind97-libs is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110845008
        • AND
          • commentbind97-devel is earlier than 32:9.7.0-21.P2.el5_11.9
            ovaloval:com.redhat.rhsa:tst:20162142007
          • commentbind97-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110845006
        • AND
          • commentbind97-utils is earlier than 32:9.7.0-21.P2.el5_11.9
            ovaloval:com.redhat.rhsa:tst:20162142009
          • commentbind97-utils is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110845004
    rhsa
    idRHSA-2016:2142
    released2016-11-02
    severityImportant
    titleRHSA-2016:2142: bind97 security update (Important)
  • bugzilla
    id1389652
    titleCVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentbind-sdb is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615001
          • commentbind-sdb is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651002
        • AND
          • commentbind-chroot is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615003
          • commentbind-chroot is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651008
        • AND
          • commentbind-pkcs11-libs is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615005
          • commentbind-pkcs11-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767006
        • AND
          • commentbind-devel is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615007
          • commentbind-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651004
        • AND
          • commentbind-pkcs11-devel is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615009
          • commentbind-pkcs11-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767004
        • AND
          • commentbind-pkcs11-utils is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615011
          • commentbind-pkcs11-utils is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767014
        • AND
          • commentbind is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615013
          • commentbind is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651006
        • AND
          • commentbind-sdb-chroot is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615015
          • commentbind-sdb-chroot is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767018
        • AND
          • commentbind-pkcs11 is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615017
          • commentbind-pkcs11 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767020
        • AND
          • commentbind-lite-devel is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615019
          • commentbind-lite-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767016
        • AND
          • commentbind-libs-lite is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615021
          • commentbind-libs-lite is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767024
        • AND
          • commentbind-libs is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615023
          • commentbind-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651010
        • AND
          • commentbind-utils is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615025
          • commentbind-utils is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20170651012
        • AND
          • commentbind-license is earlier than 32:9.9.4-38.el7_3
            ovaloval:com.redhat.rhsa:tst:20162615027
          • commentbind-license is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171767022
    rhsa
    idRHSA-2016:2615
    released2016-11-03
    severityImportant
    titleRHSA-2016:2615: bind security update (Important)
  • rhsa
    idRHSA-2016:2871
  • rhsa
    idRHSA-2017:1583
rpms
  • bind-30:9.3.6-25.P1.el5_11.11
  • bind-32:9.8.2-0.47.rc1.el6_8.3
  • bind-chroot-30:9.3.6-25.P1.el5_11.11
  • bind-chroot-32:9.8.2-0.47.rc1.el6_8.3
  • bind-debuginfo-30:9.3.6-25.P1.el5_11.11
  • bind-debuginfo-32:9.8.2-0.47.rc1.el6_8.3
  • bind-devel-30:9.3.6-25.P1.el5_11.11
  • bind-devel-32:9.8.2-0.47.rc1.el6_8.3
  • bind-libbind-devel-30:9.3.6-25.P1.el5_11.11
  • bind-libs-30:9.3.6-25.P1.el5_11.11
  • bind-libs-32:9.8.2-0.47.rc1.el6_8.3
  • bind-sdb-30:9.3.6-25.P1.el5_11.11
  • bind-sdb-32:9.8.2-0.47.rc1.el6_8.3
  • bind-utils-30:9.3.6-25.P1.el5_11.11
  • bind-utils-32:9.8.2-0.47.rc1.el6_8.3
  • caching-nameserver-30:9.3.6-25.P1.el5_11.11
  • bind97-32:9.7.0-21.P2.el5_11.9
  • bind97-chroot-32:9.7.0-21.P2.el5_11.9
  • bind97-debuginfo-32:9.7.0-21.P2.el5_11.9
  • bind97-devel-32:9.7.0-21.P2.el5_11.9
  • bind97-libs-32:9.7.0-21.P2.el5_11.9
  • bind97-utils-32:9.7.0-21.P2.el5_11.9
  • bind-32:9.9.4-38.el7_3
  • bind-chroot-32:9.9.4-38.el7_3
  • bind-debuginfo-32:9.9.4-38.el7_3
  • bind-devel-32:9.9.4-38.el7_3
  • bind-libs-32:9.9.4-38.el7_3
  • bind-libs-lite-32:9.9.4-38.el7_3
  • bind-license-32:9.9.4-38.el7_3
  • bind-lite-devel-32:9.9.4-38.el7_3
  • bind-pkcs11-32:9.9.4-38.el7_3
  • bind-pkcs11-devel-32:9.9.4-38.el7_3
  • bind-pkcs11-libs-32:9.9.4-38.el7_3
  • bind-pkcs11-utils-32:9.9.4-38.el7_3
  • bind-sdb-32:9.9.4-38.el7_3
  • bind-sdb-chroot-32:9.9.4-38.el7_3
  • bind-utils-32:9.9.4-38.el7_3
  • bind-32:9.7.3-8.P3.el6_2.6
  • bind-32:9.8.2-0.17.rc1.el6_4.10
  • bind-32:9.8.2-0.23.rc1.el6_5.5
  • bind-32:9.8.2-0.30.rc1.el6_6.7
  • bind-32:9.8.2-0.37.rc1.el6_7.9
  • bind-chroot-32:9.7.3-8.P3.el6_2.6
  • bind-chroot-32:9.8.2-0.17.rc1.el6_4.10
  • bind-chroot-32:9.8.2-0.23.rc1.el6_5.5
  • bind-chroot-32:9.8.2-0.30.rc1.el6_6.7
  • bind-chroot-32:9.8.2-0.37.rc1.el6_7.9
  • bind-debuginfo-32:9.7.3-8.P3.el6_2.6
  • bind-debuginfo-32:9.8.2-0.17.rc1.el6_4.10
  • bind-debuginfo-32:9.8.2-0.23.rc1.el6_5.5
  • bind-debuginfo-32:9.8.2-0.30.rc1.el6_6.7
  • bind-debuginfo-32:9.8.2-0.37.rc1.el6_7.9
  • bind-devel-32:9.7.3-8.P3.el6_2.6
  • bind-devel-32:9.8.2-0.17.rc1.el6_4.10
  • bind-devel-32:9.8.2-0.23.rc1.el6_5.5
  • bind-devel-32:9.8.2-0.30.rc1.el6_6.7
  • bind-devel-32:9.8.2-0.37.rc1.el6_7.9
  • bind-libs-32:9.7.3-8.P3.el6_2.6
  • bind-libs-32:9.8.2-0.17.rc1.el6_4.10
  • bind-libs-32:9.8.2-0.23.rc1.el6_5.5
  • bind-libs-32:9.8.2-0.30.rc1.el6_6.7
  • bind-libs-32:9.8.2-0.37.rc1.el6_7.9
  • bind-sdb-32:9.7.3-8.P3.el6_2.6
  • bind-sdb-32:9.8.2-0.17.rc1.el6_4.10
  • bind-sdb-32:9.8.2-0.23.rc1.el6_5.5
  • bind-sdb-32:9.8.2-0.30.rc1.el6_6.7
  • bind-sdb-32:9.8.2-0.37.rc1.el6_7.9
  • bind-utils-32:9.7.3-8.P3.el6_2.6
  • bind-utils-32:9.8.2-0.17.rc1.el6_4.10
  • bind-utils-32:9.8.2-0.23.rc1.el6_5.5
  • bind-utils-32:9.8.2-0.30.rc1.el6_6.7
  • bind-utils-32:9.8.2-0.37.rc1.el6_7.9
  • bind-32:9.9.4-29.el7_2.6
  • bind-chroot-32:9.9.4-29.el7_2.6
  • bind-debuginfo-32:9.9.4-29.el7_2.6
  • bind-devel-32:9.9.4-29.el7_2.6
  • bind-libs-32:9.9.4-29.el7_2.6
  • bind-libs-lite-32:9.9.4-29.el7_2.6
  • bind-license-32:9.9.4-29.el7_2.6
  • bind-lite-devel-32:9.9.4-29.el7_2.6
  • bind-pkcs11-32:9.9.4-29.el7_2.6
  • bind-pkcs11-devel-32:9.9.4-29.el7_2.6
  • bind-pkcs11-libs-32:9.9.4-29.el7_2.6
  • bind-pkcs11-utils-32:9.9.4-29.el7_2.6
  • bind-sdb-32:9.9.4-29.el7_2.6
  • bind-sdb-chroot-32:9.9.4-29.el7_2.6
  • bind-utils-32:9.9.4-29.el7_2.6

References