Patch for CVE-2015-5477

Hi,

I just found out that all my fully-updated 13.1 servers are vulnerable to CVE-2015-5477 (PoC/testcase on https://www.exploit-db.com/exploits/37721) and the main repos don’t have a fix for it. :frowning:
In the meantime I installed bind (9.10.2-P3) from the OBS network repo and it’s working for now, so the packages seem to be working :slight_smile:
A fix for 11.4 is already done: https://bugzilla.suse.com/show_bug.cgi?id=939567#c21
Is this an oversight on my part (new 13.1 evergreen repo with fix in place?) or is there a specific reason a patch isn’t out yet?
I couldn’t find a reference to CVE-2015-5477 in the mailing lists for 13.1.

Hi
I would suggest you re-open the bug and ask why an update for 13.1 is not available… :wink:

It will come soon to openSUSE 13.2 and 13.1; it's in the update:test repo:

rpm -qp --changelog http://download.opensuse.org/update/13.2-test/x86_64/bind-9.9.6P1-2.7.1.x86_64.rpm
warning: http://download.opensuse.org/update/13.2-test/x86_64/bind-9.9.6P1-2.7.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
* Mo Jul 27 2015 max@suse.com
- Fix DoS against authoritative and recursive servers.
  bnc#939567, CVE-2015-5477
rpm -qp --changelog http://download.opensuse.org/update/13.1-test/x86_64/bind-9.9.4P2-2.14.1.x86_64.rpm | grep -iA3 'Mo Jul 27 2015'
warning: http://download.opensuse.org/update/13.1-test/x86_64/bind-9.9.4P2-2.14.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
* Mo Jul 27 2015 max@suse.com
- Fix DoS against authoritative and recursive servers.
  bnc#939567, CVE-2015-5477
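The changelog query above is the right way to confirm that a distribution package carries the fix, because openSUSE patches BIND in place without bumping the upstream version (the fixed 13.2 package is still called 9.9.6P1, so comparing `named -v` against ISC's fixed release tells you nothing). The following script, an added example and not something posted in this thread, wraps that check in functions: it reads an RPM changelog and succeeds only if the entry references CVE-2015-5477 or the SUSE bug that tracks it (bnc#939567). The `check_rpm_changelog` helper name and the constructed changelog samples are assumptions for illustration; the `rpm -q --changelog` / `rpm -qp --changelog` invocations are standard.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an installed or downloaded
# bind package contains the CVE-2015-5477 fix by inspecting its RPM changelog
# rather than its version string.

CVE_ID="CVE-2015-5477"
BUG_ID="bnc#939567"

# changelog_has_fix: read changelog text on stdin; exit 0 if it references
# the CVE or the SUSE bug number that tracks it, 1 otherwise.
changelog_has_fix() {
    grep -Eiq "$CVE_ID|$BUG_ID"
}

# check_rpm_changelog: query the changelog of an installed package name or of
# a local/remote .rpm path (the same "rpm -qp --changelog" used in the thread)
# and print a verdict. Returns 0 when fixed, 1 when not, 2 when rpm fails.
check_rpm_changelog() {
    pkg="$1"
    case "$pkg" in
        *.rpm) log=$(rpm -qp --changelog "$pkg" 2>/dev/null) || return 2 ;;
        *)     log=$(rpm -q --changelog "$pkg" 2>/dev/null) || return 2 ;;
    esac
    if printf '%s\n' "$log" | changelog_has_fix; then
        echo "$pkg: changelog references $CVE_ID (fixed)"
        return 0
    fi
    echo "$pkg: no reference to $CVE_ID (NOT fixed)"
    return 1
}

# Constructed changelog excerpts for offline demonstration. FIXED_LOG is the
# entry quoted in the thread from the 13.2 update:test package; OLD_LOG is a
# made-up entry standing in for an unpatched build.
FIXED_LOG='* Mo Jul 27 2015 max@suse.com
- Fix DoS against authoritative and recursive servers.
  bnc#939567, CVE-2015-5477'
OLD_LOG='* Fri Jan 09 2015 someone@example.com
- Update to 9.9.6-P1'

# Usage on a real host:
#   check_rpm_changelog bind
#   check_rpm_changelog http://download.opensuse.org/update/13.2-test/x86_64/bind-9.9.6P1-2.7.1.x86_64.rpm
printf '%s\n' "$FIXED_LOG" | changelog_has_fix && echo "sample: fixed"
printf '%s\n' "$OLD_LOG" | changelog_has_fix || echo "sample: not fixed"
```

The grep is deliberately case-insensitive and also matches the bug id, since some backport entries name only the bugzilla number; if neither appears, treat the package as unpatched regardless of what the version string suggests.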

On 2015-08-02 19:16, Vogtinator wrote:
>
> Hi,
>
> I just found out that all my fully-updated 13.1 servers are vulnerable
> to CVE-2015-5477 (PoC/testcase on
> https://www.exploit-db.com/exploits/37721) and the main repos don’t have
> a fix for it. :frowning:
> In the meantime I installed bind (9.10.2-P3) from the OBS network repo
> and it’s working for now, so the packages seem to be working :slight_smile:
> A fix for 11.4 is already done:
> https://bugzilla.suse.com/show_bug.cgi?id=939567#c21
> Is this an oversight on my part (new 13.1 evergreen repo with fix in
> place?) or is there a specific reason a patch isn’t out yet?
> I couldn’t find a reference to CVE-2015-5477 in the mailing lists for
> 13.1.

The announcements for that go into the announcements mail list (I have
seen several).

And questions like yours are better asked in the security mail list,
because it is read by the people that create those patches. :slight_smile:

Ah, a comment: 13.1 is not yet evergreen. It will be.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Ah, great! So I guess it’s under development and will be available fairly soon.

> And questions like yours are better asked in the security mail list,
> because it is read by the people that create those patches. :slight_smile:

That would’ve been the next step :wink:

> Ah, a comment: 13.1 is not yet evergreen. It will be.

I saw that on the ML as well, but I figured that it’s getting close to the switch.

On 2015-08-02 20:36, Vogtinator wrote:

>> Ah, a comment: 13.1 is not yet evergreen. It will be.
> I saw that on the ML as well, but I figured that it’s getting close to
> the switch.

Nope.

It should happen probably two months after the release of Leap 42.1. And
that release should be about November. So that would make about January
2016.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Reading the advisory
https://kb.isc.org/article/AA-01272/0/CVE-2015-5477%3A-An-error-in-handling-TKEY-queries-can-cause-named-to-exit-with-a-REQUIRE-assertion-failure.html

  1. The advisory was published only a few days ago, July 28 2015.
    Most people won’t learn of this vulnerability before this date.

  2. Proof of concept is publicly available but not yet known to be used in an active attack.

  3. The consequence of this vulnerability (should you be attacked) is DoS. Not anything more, although in theory certain DoS could be used in a more complex attack involving DNS Poisoning with potentially dire consequences.

The question you might want to ask is how this might impact your situation specifically.
Can you wait for a patch? As you can imagine, a Google search returns many hits in many bugzillas with conversations about addressing, so a patch will probably be created very soon and will be distributed everywhere including through SUSE/openSUSE fairly soon.

If you can’t wait, then you do have the option to download and compile your own BIND directly from public source as described in the advisory, which apparently is patched.

I’m not sure why this SUSE advisory says Evergreen 11.4 is being patched (and numerous SUSE) but nothing else openSUSE is mentioned. But as Saurland posted, patches to everybody are imminent.
https://www.suse.com/security/cve/CVE-2015-5477.html

TSU
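The ISC advisory linked above describes the failure mode as named exiting on a REQUIRE assertion failure, so until the update lands the practical defender question is whether that has already happened on a server. The script below is an added example, not part of this thread: it scans syslog-style text for named's assertion-failure and exit messages and turns the result into a pass/fail check that can drive an alert. The log lines are constructed approximations of BIND 9 output (not captured from a real incident), and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect a named crash of the kind the
# CVE-2015-5477 advisory describes (exit on a REQUIRE assertion failure) by
# scanning log text for the assertion and exit messages.

# count_named_assertion_exits: read log text on stdin and print how many
# lines from named report an assertion failure or an assertion-triggered
# exit. Always exits 0 so it is safe under "set -e" (grep -c returns 1
# when there are no matches).
count_named_assertion_exits() {
    grep -Ec 'named\[[0-9]+\]:.*(REQUIRE\(.*\) failed|exiting \(due to assertion failure\))' || true
}

# named_crashed: exit 0 when the log text on stdin contains at least one
# assertion-failure message from named, 1 otherwise.
named_crashed() {
    n=$(count_named_assertion_exits)
    [ "$n" -gt 0 ]
}

# Constructed sample logs. SAMPLE_LOG shows a normal query followed by the
# assertion failure and exit; CLEAN_LOG shows only normal operation.
SAMPLE_LOG='Aug  2 19:10:01 ns1 named[1234]: client 192.0.2.10#53211: query: example.org IN A -ED (192.0.2.1)
Aug  2 19:10:02 ns1 named[1234]: REQUIRE(expr) failed, back trace
Aug  2 19:10:02 ns1 named[1234]: exiting (due to assertion failure)'
CLEAN_LOG='Aug  2 19:10:01 ns1 named[1234]: client 192.0.2.10#53211: query: example.org IN A -ED (192.0.2.1)
Aug  2 19:10:05 ns1 named[1234]: client 192.0.2.11#40211: query: example.net IN MX -ED (192.0.2.1)'

# Usage on a real host (syslog or journal, whichever the system writes):
#   named_crashed < /var/log/messages && echo "ALERT: named hit an assertion failure"
#   journalctl -u named --no-pager | named_crashed && echo "ALERT: named hit an assertion failure"
if printf '%s\n' "$SAMPLE_LOG" | named_crashed; then
    echo "sample: named crash detected ($(printf '%s\n' "$SAMPLE_LOG" | count_named_assertion_exits) matching lines)"
fi
printf '%s\n' "$CLEAN_LOG" | named_crashed || echo "sample: no crash in clean log"
```

Pair this with a liveness check (for example `systemctl is-active named`) so that a crash that syslog missed still gets noticed; a REQUIRE failure takes the whole process down, so an inactive service with no clean shutdown in the log is the same signal.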

On 2015-08-03 02:26, tsu2 wrote:

> I’m not sure why this SUSE advisory says Evergreen 11.4 is being patched
> (and numerous SUSE) but nothing else openSUSE is mentioned.

Because 11.4-EG derives whatever patches it can from SLES.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

On 03.08.2015 at 02:48, Carlos E. R. wrote:
> On 2015-08-03 02:26, tsu2 wrote:
>
>> I’m not sure why this SUSE advisory says Evergreen 11.4 is being patched
>> (and numerous SUSE) but nothing else openSUSE is mentioned.
>
> Because 11.4-EG derives whatever patches it can from SLES.

Not completely true. As sources for SLES11 updates are not publicly
available we do not really profit from those.

So it has nothing to do with SLES; it’s just because I’m running BIND
servers on 11.4.
The reason why 11.4 was provided faster is basically because I skipped
the normal waiting time with the patch being in the update test repo…

Wolfgang