[Pkg-dns-devel] Bug#830810: bind9: CVE-2016-6170: Improper restriction of zone size limit
Salvatore Bonaccorso
carnil at debian.org
Sun Dec 10 19:50:27 UTC 2017
Hi Bernhard,
On Sun, Dec 10, 2017 at 08:31:16PM +0100, Bernhard Schmidt wrote:
> Version: 1:9.10.6+dfsg-1
>
> On Mon, Jul 11, 2016 at 09:01:31PM +0200, Salvatore Bonaccorso wrote:
>
> Hi,
>
> > the following vulnerability was published for bind9.
> >
> > CVE-2016-6170[0]:
> > | ISC BIND through 9.10.4-P1 allows primary DNS servers to cause a
> > | denial of service (secondary DNS server crash) via a large AXFR
> > | response, and possibly allows IXFR servers to cause a denial of
> > | service (IXFR client crash) via a large IXFR response and allows
> > | remote authenticated users to cause a denial of service (primary DNS
> > | server crash) via a large UPDATE message.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-6170
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1353563
> >
> > Please adjust the affected versions in the BTS as needed.
>
> The upstream fix has landed in Debian in 1:9.10.6+dfsg-1. It is an
> additional configuration knob to limit the maximum size of the inbound
> zone transfer.
>
> This is probably not important enough to backport. Looks like the
> security team thinks the same?
> https://security-tracker.debian.org/tracker/CVE-2016-6170
Yes, exactly, thanks for pin-pointing the "fixed version" for
unstable, I have updated the security-tracker information.
Regards,
Salvatore
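The configuration knob Bernhard mentions, as an added named.conf example that is not part of this thread: it assumes the upstream option is `max-records` (introduced in BIND 9.10.4-P2, default 0 meaning unlimited) and uses a constructed primary address and zone name.

```conf
// Added example, not from the thread. Assumes the upstream knob is the
// `max-records` option (BIND 9.10.4-P2 and later); 0, the default, means no limit.
options {
    // Global ceiling for every zone this server loads or receives.
    // Without a limit, a primary can push an arbitrarily large AXFR/IXFR
    // into the secondary (the CVE-2016-6170 condition).
    max-records 1000000;
};

zone "example.org" {
    type slave;
    masters { 192.0.2.10; };        // constructed primary address (TEST-NET-1)
    file "slaves/example.org.db";
    // Tighter per-zone limit for a zone known to be small; a transfer that
    // would exceed it is rejected instead of growing the secondary's memory.
    max-records 5000;
};
```

Size each limit above the zone's legitimate record count, and validate the file with `named-checkconf` before reloading named.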