[dns-operations] not CVE 2015-8000, but CVE 2015-8461 actively exploited yesterday

John W. O'Brien obrienjw at upenn.edu
Thu Dec 17 12:54:13 UTC 2015


On 12/17/15 12:22 AM, Nick Urbanik wrote:
[...]
> Can anyone confirm whether this log entry matches the symptom of CVE
> 2015-8461?  The CVE description could refer to yet another assertion
> failure in resolver.c in BIND.  We have 11 such failures so far.

For what it's worth, the assertion reported in CVE-2015-8461 was:

    resolver.c:1784: INSIST(fctx->references > 1)

This is in the main line 9.9.8 tag near the end of the fctx_query()
function.

So, no, it does not match the symptom, but as Mukund pointed out in a
separate reply:
> Such bug reports sent to us, though much appreciated, waste developer
> time as we investigate the bug (because the backtrace looks new) and
> see that it has already been addressed in the current releases.

>> about 25 hours ago, with entries in logs like this:
>> 06:29:47.521 general: resolver.c:3123: REQUIRE((((fctx->finds).head ==
>> ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
>> 06:29:47.521 general: exiting (due to assertion failure)
>>
>> These are RHEL 6.  Updating to bind-*9.8.2-0.37.rc1.el6_7.5.x86_64.rpm
>> seems to address the exploit.

Regards,

-- 
John W. O'Brien
Senior Network Engineer
Information Systems and Computing
University of Pennsylvania
obrienjw at upenn.edu 215-898-9818
OpenPGP key ID: 0x155016CB


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 481 bytes
Desc: OpenPGP digital signature
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151217/f3acc5ab/attachment.sig>


More information about the dns-operations mailing list