Today ISC announced CVE-2017-3140, CVE-2017-3141, and an operational
notification regarding LMDB in BIND 9.11
CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10,
9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with
Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules.
We are aware that some subscribers to this list maintain BIND packages
which have diverged from the official ISC code branches. While we
cannot always offer specific guidance, in the case of CVE-2017-3140
maintainers who have selectively backported BIND changes are advised to
check whether they have included change #4377, as that change has been
determined to be a cause of CVE-2017-3140.
CVE-2017-3141 is a Windows privilege escalation vector affecting
9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10,
9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The
BIND Windows installer failed to properly quote the service paths,
possibly allowing a local user to achieve privilege escalation, if
allowed by file system permissions.
BIND 9.11.0 and 9.11.1 carries a number of integration problems with
LMDB (liblmdb) that will be addressed in BIND 9.11.2, planned for
release in July/August 2017.
Our full CVE text can be found at:
https://kb.isc.org/article/AA-01495/74/CVE-2017-3140
https://kb.isc.org/article/AA-01496/74/CVE-2017-3141
The full operational notification can be found at:
https://kb.isc.org/article/AA-01497/169/LMDB-integration-problems.html
New releases of BIND, including security fixes for these
vulnerabilities, are available at: http://www.isc.org/downloads/
Release notes can be obtained using the following links:
ftp://ftp.isc.org/isc/bind9/9.9.10-P1/
ftp://ftp.isc.org/isc/bind9/9.10.5-P1/
ftp://ftp.isc.org/isc/bind9/9.11.1-P1/
'취약점 정보2' 카테고리의 다른 글
Chrome Releases (0) | 2017.06.16 |
---|---|
M2Soft ActiveX 보안 업데이트 권고 (0) | 2017.06.16 |
Adobe 제품군 보안 업데이트 권고 (0) | 2017.06.15 |
우분투 TLS 원격 리모트 취약점 발견 업데이트 안내 (0) | 2017.06.14 |
nmap 7.50 release 소식 (0) | 2017.06.14 |