CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
Michael McNally
mcnally at isc.org
Sat Aug 1 20:59:49 UTC 2015

On 28 July 2015, ISC publicly disclosed CVE-2015-5477
("An error in handling TKEY queries can cause named to exit with
a REQUIRE assertion failure.")

We would like to inform all readers of this list that the official
copy of this CVE (https://kb.isc.org/article/AA-01272) has been
revised to reflect new information received.

Specifically, after learning that a party with no connection
to ISC had published proof-of-concept code alleged to exercise
the denial-of-service vector disclosed in the CVE, we have updated
the "Active exploits" section of the advisory, changing from:

   Active exploits:
   None known.

to:

   Active exploits:
   We have been informed that proof-of-concept code for an
   exploit has been published by a third party to a public
   source repository.

As this development significantly increases the potential risk that
this vulnerability will be exploited by those with a mind to do so,
please take steps to patch or upgrade to a secure version as soon as
possible.