[dns-operations] not CVE 2015-8000, but CVE 2015-8461 actively exploited yesterday

Mukund Sivaraman muks at isc.org
Thu Dec 17 06:12:06 UTC 2015


Hi Nick

On Thu, Dec 17, 2015 at 04:22:20PM +1100, Nick Urbanik wrote:
> 
> On 17/12/15 10:50 +1100, Nick Urbanik wrote:
> >I'd like to report that we have had CVE 2015-8000 actively exploited
> 
> I think this is *not* 2015-8000, but is actually CVE 2015-8461, which
> Red Hat, in https://bugzilla.redhat.com/show_bug.cgi?id=1291186, say
> does not affect any Red Hat packages.  However, it appears that, if
> this *is* CVE 2015-8461, they are mistaken.

There's a chance you won't even find a CVE for some issues.

BIND 9.8 is obsolete. It is not supported by ISC. The package you are
using may be supported by Red Hat, but they likely only backport
security bugfixes that we announce in our *current* releases.

So if there was a bugfix during the 9.9 development cycle that
inadvertently fixed a crash but was not noted as such, the security issue
isn't present in 9.9, and until Red Hat notices it as a security issue
they are unlikely to have fixed it in their 9.8 package.

We have received complaints of such issues, and have asked Red Hat to
ship current BIND versions. Such bug reports sent to us, though much
appreciated, waste developer time as we investigate the bug (because the
backtrace looks new) and see that it has already been addressed in the
current releases. It also makes BIND look bad to the user, despite
the problem having been addressed by BIND developers.

Using a currently supported (by ISC) version of BIND is
recommended. Today look for the latest in 9.9.x and 9.10.x series.
Please don't use 9.8.

		Mukund