[dns-operations] not CVE 2015-8000, but CVE 2015-8461 actively exploited yesterday

Nick Urbanik nick.urbanik at optusnet.com.au
Thu Dec 17 05:22:20 UTC 2015

On 17/12/15 10:50 +1100, Nick Urbanik wrote:
>I'd like to report that we have had CVE 2015-8000 actively exploited

I think this is *not* 2015-8000, but is actually CVE 2015-8461, which
Red Hat, in https://bugzilla.redhat.com/show_bug.cgi?id=1291186, say
does not affect any Red Hat packages.  However, it appears that, if
this *is* CVE 2015-8461, they are mistaken.

Can anyone confirm whether this log entry matches the symptom of CVE
2015-8461?  The CVE description could refer to yet another assertion
failure in resolver.c in BIND.  We have 11 such failures so far.

>about 25 hours ago, with entries in logs like this:
>06:29:47.521 general: resolver.c:3123: REQUIRE((((fctx->finds).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
>06:29:47.521 general: exiting (due to assertion failure)
>These are RHEL 6.  Updating to bind-*9.8.2-0.37.rc1.el6_7.5.x86_64.rpm
>seems to address the exploit.
>BIND really needs to have a better strategy to dealing with unexpected
>input other than by dying.  Perhaps the assumption is that everyone is
>using some kind of script that checks it's running, and if not,
>restarts it.  If that is the case, that should be explicitly stated,
>and made policy for packagers, such as Red Hat.
Nick Urbanik http://nicku.org 808-71011 nick.urbanik at optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24  ID: BB9D2C24
I disclaim, therefore I am.

More information about the dns-operations mailing list