Rapid7 Vulnerability & Exploit Database

RHSA-2016:0078: bind security update




The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. (CVE-2014-8500)

A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet. (CVE-2015-5477)

A denial of service flaw was found in the way BIND parsed certain malformed DNSSEC keys. A remote attacker could use this flaw to send a specially crafted DNS query (for example, a query requiring a response from a zone containing a deliberately malformed key) that would cause named functioning as a validating resolver to crash. (CVE-2015-5722)

A denial of service flaw was found in the way BIND processed certain records with malformed class attributes. A remote attacker could use this flaw to send a query to request a cached record with a malformed class attribute that would cause named functioning as an authoritative or recursive server to crash. (CVE-2015-8000)

Note: This issue affects authoritative servers as well as recursive servers, however authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs.

Red Hat would like to thank ISC for reporting the CVE-2015-5477, CVE-2015-5722, and CVE-2015-8000 issues. Upstream acknowledges Jonathan Foote as the original reporter of CVE-2015-5477, and Hanno Böck as the original reporter of CVE-2015-5722.

All bind users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.


  • redhat-upgrade-bind
  • redhat-upgrade-bind-chroot
  • redhat-upgrade-bind-debuginfo
  • redhat-upgrade-bind-devel
  • redhat-upgrade-bind-libs
  • redhat-upgrade-bind-sdb
  • redhat-upgrade-bind-utils
