I just found out that all my fully-updated 13.1 servers are vulnerable to CVE-2015-5477 (PoC/testcase on https://www.exploit-db.com/exploits/37721) and the main repos don’t have a fix for it.
In the meantime I installed bind (9.10.2-P3) from the OBS network repo and it’s working for now, so the packages seem to be working.
A fix for 11.4 is already done: https://bugzilla.suse.com/show_bug.cgi?id=939567#c21
Is this an oversight on my part (new 13.1 evergreen repo with fix in place?) or is there a specific reason a patch isn’t out yet?
I couldn’t find a reference to CVE-2015-5477 in the mailing lists for 13.1.
On 2015-08-02 19:16, Vogtinator wrote:
>
> Hi,
>
> I just found out that all my fully-updated 13.1 servers are vulnerable
> to CVE-2015-5477 (PoC/testcase on
> https://www.exploit-db.com/exploits/37721) and the main repos don’t have
> a fix for it.
> In the meantime I installed bind (9.10.2-P3) from the OBS network repo
> and it’s working for now, so the packages seem to be working.
> A fix for 11.4 is already done:
> https://bugzilla.suse.com/show_bug.cgi?id=939567#c21
> Is this an oversight on my part (new 13.1 evergreen repo with fix in
> place?) or is there a specific reason a patch isn’t out yet?
> I couldn’t find a reference to CVE-2015-5477 in the mailing lists for
> 13.1.
The announcements for that go into the announcements mail list (I have
seen several).
And questions like yours are better asked in the security mail list,
because it is read by the people that create those patches.
Ah, a comment: 13.1 is not yet evergreen. It will be.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
The advisory was published only a few days ago, July 28 2015.
Most people won’t learn of this vulnerability before this date.
Proof of concept is publicly available but not yet known to be used in an active attack.
The consequence of this vulnerability (should you be attacked) is DoS. Not anything more, although in theory certain DoS could be used in a more complex attack involving DNS Poisoning with potentially dire consequences.
The question you might want to ask is how this might impact your situation specifically.
Can you wait for a patch? As you can imagine, a Google search returns many hits in many bugzillas with conversations about addressing, so a patch will probably be created very soon and will be distributed everywhere including through SUSE/openSUSE fairly soon.
If you can’t wait, then you do have the option to download and compile your own BIND directly from public source as described in the advisory, which apparently is patched.
I’m not sure why this SUSE advisory says Evergreen 11.4 is being patched (and numerous SUSE) but nothing else openSUSE is mentioned. But as Saurland posted, patches for everybody are imminent. https://www.suse.com/security/cve/CVE-2015-5477.html
On 03.08.2015 at 02:48, Carlos E. R. wrote:
> On 2015-08-03 02:26, tsu2 wrote:
>
>> I’m not sure why this SUSE advisory says Evergreen 11.4 is being patched
>> (and numerous SUSE) but nothing else openSUSE is mentioned.
>
> Because 11.4-EG derives whatever patches it can from SLES.
Not completely true. As sources for SLES11 updates are not publicly
available we do not really profit from those.
So it has nothing to do with SLES; it’s just because I’m running BIND
servers on 11.4.
The reason why 11.4 was provided faster is basically because I skipped
the normal waiting time with the patch being the update test repo…