CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure

Michael McNally mcnally at isc.org
Sat Aug 1 20:59:49 UTC 2015


On 28 July 2015, ISC publicly disclosed CVE-2015-5477
("An error in handling TKEY queries can cause named to exit with
a REQUIRE assertion failure.")

We would like to inform all readers of this list that the official
copy of this CVE (https://kb.isc.org/article/AA-01272) has been
revised to reflect new information received.

Specifically, after learning that a party with no connection
to ISC had published proof-of-concept code alleged to exercise
the denial-of-service vector disclosed in the CVE, we have updated
the "Active exploits" section of the advisory, changing from:

  Active exploits:

     None known.

to:

  Active exploits:

     We have been informed that proof-of-concept code for an
     exploit has been published by a third party to a public
     source repository.

As this development significantly increases the potential risk that
this vulnerability will be exploited by those with a mind to do so,
please take steps to patch or upgrade to a secure version as soon as
possible.

