ALAS-2015-631


Amazon Linux AMI Security Advisory: ALAS-2015-631
Advisory Release Date: 2015-12-16 20:25 Pacific
Severity: Critical

Issue Overview:

An error in the parsing of incoming responses allows some records with an incorrect class to be be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries. (CVE-2015-8000 )

CVE-2015-8461 was also issued today for bind, but the Amazon Linux AMI's version of bind is not impacted by that CVE.


Affected Packages:

bind


Issue Correction:
Run yum update bind to update your system.

New Packages:
i686:
    bind-utils-9.8.2-0.37.rc1.42.amzn1.i686
    bind-debuginfo-9.8.2-0.37.rc1.42.amzn1.i686
    bind-sdb-9.8.2-0.37.rc1.42.amzn1.i686
    bind-9.8.2-0.37.rc1.42.amzn1.i686
    bind-devel-9.8.2-0.37.rc1.42.amzn1.i686
    bind-libs-9.8.2-0.37.rc1.42.amzn1.i686
    bind-chroot-9.8.2-0.37.rc1.42.amzn1.i686

src:
    bind-9.8.2-0.37.rc1.42.amzn1.src

x86_64:
    bind-utils-9.8.2-0.37.rc1.42.amzn1.x86_64
    bind-sdb-9.8.2-0.37.rc1.42.amzn1.x86_64
    bind-debuginfo-9.8.2-0.37.rc1.42.amzn1.x86_64
    bind-libs-9.8.2-0.37.rc1.42.amzn1.x86_64
    bind-chroot-9.8.2-0.37.rc1.42.amzn1.x86_64
    bind-9.8.2-0.37.rc1.42.amzn1.x86_64
    bind-devel-9.8.2-0.37.rc1.42.amzn1.x86_64