BIND9 Vulnerability Update Notice

Today ISC announced CVE-2017-3140, CVE-2017-3141, and an operational notification regarding LMDB in BIND 9.11.

CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules: an error in processing those rules can cause named to loop endlessly after handling a query. Servers that do not use RPZ, or whose RPZ policy contains no NSIP or NSDNAME rules, are not exposed.

We are aware that some subscribers to this list maintain BIND packages which have diverged from the official ISC code branches. While we cannot always offer specific guidance, in the case of CVE-2017-3140 maintainers who have selectively backported BIND changes are advised to check whether they have included change #4377, as that change has been determined to be a cause of CVE-2017-3140.

CVE-2017-3141 is a Windows privilege escalation vector affecting 9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The BIND Windows installer failed to properly quote the service paths, possibly allowing a local user to achieve privilege escalation, if allowed by file system permissions. Only BIND installed on Windows through the ISC installer is affected; the service path registered by the installer is the issue, not named itself.
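
The unquoted-path problem comes down to how the Windows service control manager launches an ImagePath that contains spaces but no surrounding quotes: the string is handed to CreateProcess as a bare command line, which tries every space-delimited prefix as the program name. The Python below is an added example and not ISC's code. It lists the files a local user could plant to hijack such a service, filters them by directories the caller knows to be writable (the advisory's "if allowed by file system permissions" condition), and, on Windows, scans the services registry for the same pattern. The BIND install directory and the `-f` argument in the sample input are assumptions for illustration, not values taken from the advisory.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness
behind CVE-2017-3141 (added example; not ISC's code)."""
import ntpath
import os
import sys
from typing import Dict, Iterable, List

# Extensions that mark the end of a program name in a command line.
_EXE_EXTS = (".exe", ".com", ".bat", ".cmd")


def planting_points(image_path: str) -> List[str]:
    """Return the files a local user could create to hijack the service.

    If ImagePath is not wrapped in double quotes, CreateProcess does not know
    where the program name ends. It tries each space-delimited prefix in turn,
    appending ".exe" when the prefix's last component has no extension, and
    runs the first one that exists. Every prefix before the real executable is
    therefore a hijack candidate. A quoted path is unambiguous and yields none.
    """
    s = image_path.strip()
    if s.startswith('"'):
        return []
    tokens = s.split(" ")
    points: List[str] = []
    found_program = False
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(_EXE_EXTS):
            found_program = True  # reached the intended executable; the rest are arguments
            break
        last_component = prefix.rsplit("\\", 1)[-1]
        points.append(prefix if "." in last_component else prefix + ".exe")
    if not found_program and points:
        # Heuristic for extensionless paths: treat the full string as the
        # real program rather than reporting it as a plant target.
        points.pop()
    return points


def exploitable_points(image_path: str, writable_dirs: Iterable[str]) -> List[str]:
    """Keep only candidates whose parent directory the local user can write to.

    writable_dirs comes from the caller (e.g. icacls / Get-Acl output on the
    host); in the sample below it is a constructed set. Windows paths are
    compared case-insensitively.
    """
    writable = {ntpath.normcase(ntpath.normpath(d)) for d in writable_dirs}
    return [p for p in planting_points(image_path)
            if ntpath.normcase(ntpath.dirname(p)) in writable]


def scan_services() -> Dict[str, List[str]]:
    """On Windows, read every service's ImagePath from the registry and return
    {service_name: planting_points} for the unquoted ones. Returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    findings: Dict[str, List[str]] = {}
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        subkey_count = winreg.QueryInfoKey(services)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    image, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue  # no ImagePath value (e.g. driver stub) or access denied
            points = planting_points(os.path.expandvars(str(image)))  # REG_EXPAND_SZ
            if points:
                findings[name] = points
    return findings


if __name__ == "__main__":
    # Constructed sample input: the assumed shape of the path registered by a
    # pre-fix BIND installer, and the same path correctly quoted.
    for ip in (r"C:\Program Files\ISC BIND 9\bin\named.exe -f",
               r'"C:\Program Files\ISC BIND 9\bin\named.exe" -f'):
        print(ip, "->", planting_points(ip))
    for svc, pts in scan_services().items():
        print("unquoted service path:", svc, pts)
```

On a live host, `sc qc named` shows the registered BINARY_PATH_NAME directly; a finding is exploitable only if one of the listed parent directories (for the sample path, `C:\` or `C:\Program Files`) is writable by the unprivileged user, which default NTFS ACLs do not grant. The fixed releases register the service with the path quoted, which removes every candidate regardless of permissions.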



BIND 9.11.0 and 9.11.1 carry a number of integration problems with LMDB (liblmdb) that will be addressed in BIND 9.11.2, planned for release in July/August 2017. This is an operational notification, not a security vulnerability.

Our full CVE text can be found at:

  https://kb.isc.org/article/AA-01495/74/CVE-2017-3140
  https://kb.isc.org/article/AA-01496/74/CVE-2017-3141

The full operational notification can be found at:

  https://kb.isc.org/article/AA-01497/169/LMDB-integration-problems.html

New releases of BIND, including security fixes for these vulnerabilities, are available at: http://www.isc.org/downloads/

Release notes can be obtained using the following links:

  ftp://ftp.isc.org/isc/bind9/9.9.10-P1/
  ftp://ftp.isc.org/isc/bind9/9.10.5-P1/
  ftp://ftp.isc.org/isc/bind9/9.11.1-P1/
