{"cve": [{"lastseen": "2020-12-09T21:41:55", "description": "With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-26T16:15:00", "title": "CVE-2019-6477", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-6477"], "modified": "2020-10-20T12:15:00", "cpe": ["cpe:/a:isc:bind:9.15.5", "cpe:/a:isc:bind:9.11.12", "cpe:/o:fedoraproject:fedora:30", "cpe:/a:isc:bind:9.12.4", "cpe:/a:isc:bind:9.11.5", "cpe:/a:isc:bind:9.11.6", "cpe:/a:isc:bind:9.14.7", 
"cpe:/o:fedoraproject:fedora:31"], "id": "CVE-2019-6477", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6477", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:isc:bind:9.12.4:p1:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.11.5:s6:*:*:supported_preview:*:*:*", "cpe:2.3:a:isc:bind:9.14.7:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.11.6:p1:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.11.12:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.15.5:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.12.4:p2:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.11.12:s1:*:*:supported_preview:*:*:*", "cpe:2.3:a:isc:bind:9.11.6:rc1:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:39:40", "bulletinFamily": "software", "cvelist": ["CVE-2019-6477"], "description": "\nF5 Product Development has assigned ID 852445 (BIG-IP) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. 
For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) | 15.x | 15.0.1 - 15.1.0 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>) | BIND \n | 14.x | 14.1.1 - 14.1.2 | None | | | \n | 13.x | 13.1.2 - 13.1.3 | None | | | \n | 12.x | 12.1.5 | 12.1.5.1 | | | \n | 11.x | 11.6.5, 11.5.10 | None | | | \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 7.x | None | Not applicable | Not vulnerable | None | None \n | 6.x | None | Not applicable | | | \n | 5.x | None | Not applicable | | | \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nIf you have enabled TCP-pipelining, you can mitigate this vulnerability by disabling TCP-pipelining by adding the appropriate statement to the **named.conf** file. To do so, perform one of the following procedures:\n\n * [Disabling TCP-pipelining from the Configuration utility](<https://support.f5.com/csp/article/K15840535#gui>)\n * [Disabling TCP-pipelining by editing the named.conf file](<https://support.f5.com/csp/article/K15840535#cli>)\n\nDisabling TCP-pipelining from the Configuration utility\n\n 1. Log in to the Configuration utility.\n 2. 
Navigate to **DNS** > **Zones** > **ZoneRunner** > **named Configuration**.\n 3. To disable server TCP-pipelining, in the **named Options** box, add the following line to the **options** stanza: \n\nkeep-response-order { any; };\n\n 4. Select **Update**.\n\nDisabling TCP-pipelining by editing the named.conf file\n\n**Impact of action**: This procedure restarts the **named** service, which may affect the BIG-IP system responding to DNS queries.\n\n 1. Log in to the BIG-IP command line.\n 2. Navigate to **/var/named/config** by typing the following command: \n\ncd /var/named/config\n\n 3. Use a text editor to edit the **named.conf** file. \n\nFor example:\n\nvi named.conf\n\n 4. To disable server TCP-pipelining, add the following line to the **options** stanza: \n\nkeep-response-order { any; };\n\n 5. Save the changes and exit the file.\n 6. Restart the **named** service by typing the following command: \n\ntmsh restart /sys service named\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix and point release matrix](<https://support.f5.com/csp/article/K15113>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: 
Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2020-02-10T10:48:00", "published": "2019-12-03T03:28:00", "id": "F5:K15840535", "href": "https://support.f5.com/csp/article/K15840535", "title": "BIND vulnerability CVE-2019-6477", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "symantec": [{"lastseen": "2019-11-22T15:24:28", "bulletinFamily": "software", "cvelist": ["CVE-2019-6477"], "description": "### Description\n\nISC BIND is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition.\n\n### Technologies Affected\n\n * ISC Bind 9.11.0 \n * ISC Bind 9.11.2 \n * ISC Bind 9.11.3 \n * ISC Bind 9.11.4 \n * ISC Bind 9.11.5 \n * ISC Bind 9.11.6 \n * ISC Bind 9.11.7 \n * ISC Bind 9.11.8 \n * ISC Bind 9.14.0 \n * ISC Bind 9.14.1 \n * ISC Bind 9.14.2 \n * ISC Bind 9.14.3 \n * ISC Bind 9.14.6 \n * ISC Bind 9.14.7 \n * ISC Bind 9.15.0 \n * ISC Bind 9.15.1 \n * ISC Bind 9.15.4 \n * ISC Bind 9.15.5 \n * Redhat Enterprise Linux 7 \n * Redhat Enterprise Linux 8 \n * Ubuntu Ubuntu Linux 18.04 LTS \n * Ubuntu Ubuntu Linux 19.04 \n * Ubuntu Ubuntu Linux 19.10 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nAllow only trusted hosts and networks to connect to computers running the affected software. This will limit the potential for remote attackers to exploit this issue.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to malformed requests and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2019-11-20T00:00:00", "published": "2019-11-20T00:00:00", "id": "SMNTC-110941", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110941", "type": "symantec", "title": "ISC BIND CVE-2019-6477 Remote Denial of Service Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-12-30T12:56:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477", "CVE-2018-5743"], "description": "ISC BIND is prone to a denial of service vulnerability as TCP-pipelined\n queries can bypass tcp-clients limit.", "modified": "2019-12-28T00:00:00", "published": "2019-11-22T00:00:00", "id": "OPENVAS:1361412562310143161", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143161", "type": "openvas", "title": "ISC BIND DoS Vulnerability - CVE-2019-6477 (Linux)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:isc:bind\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143161\");\n script_version(\"2019-12-28T10:21:15+0000\");\n script_tag(name:\"last_modification\", value:\"2019-12-28 10:21:15 +0000 (Sat, 28 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-22 02:45:53 +0000 (Fri, 22 Nov 2019)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2019-6477\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"ISC BIND DoS Vulnerability - CVE-2019-6477 (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"bind_version.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"isc/bind/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"ISC BIND is prone to a denial of service vulnerability as TCP-pipelined\n queries can bypass tcp-clients limit.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"By design, BIND is intended to limit the number of TCP clients that can be\n connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND\n calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP\n client connections. 
On a server with TCP-pipelining capability, it is possible for one TCP client to send a\n large number of DNS requests over a single connection. Each outstanding query will be handled internally as an\n independent client request, thus bypassing the new TCP clients limit.\");\n\n script_tag(name:\"impact\", value:\"With pipelining enabled each incoming query on a TCP connection requires a\n similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a\n TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle.\n When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively\n or from cache.\");\n\n script_tag(name:\"affected\", value:\"BIND 9.11.6-P1 - 9.11.12, 9.12.4-P1 - 9.12.4-P2, 9.14.1 - 9.14.7 and\n 9.11.5-S6 - 9.11.12-S1. 
Also affects all releases in the 9.15 development branch.\");\n\n script_tag(name:\"solution\", value:\"Update to version 9.11.13, 9.14.8, 9.15.6, 9.11.13-S1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://kb.isc.org/docs/cve-2019-6477\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif(!infos = get_app_version_and_proto(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif (version !~ \"^9\\.\")\n exit(99);\n\nif (version =~ \"^9\\.11\\.[0-9]s[0-9]\") {\n if (version_in_range(version: version, test_version: \"9.11.5s6\", test_version2: \"9.11.12s1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.11.13-S1\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n} else {\n if (version_in_range(version: version, test_version: \"9.11.6p1\", test_version2: \"9.11.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.11.13\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.12.4p1\", test_version2: \"9.12.4p2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.14.8\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.14.1\", test_version2: \"9.14.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.14.8\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.15.0\", test_version2: \"9.15.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.15.6\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-30T12:56:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477", "CVE-2018-5743"], "description": "ISC BIND is prone to a denial of service vulnerability as TCP-pipelined\n queries can bypass tcp-clients limit.", "modified": "2019-12-28T00:00:00", "published": "2019-11-22T00:00:00", "id": "OPENVAS:1361412562310143162", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143162", "type": "openvas", "title": "ISC BIND DoS Vulnerability - CVE-2019-6477 (Windows)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:isc:bind\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143162\");\n script_version(\"2019-12-28T10:21:15+0000\");\n script_tag(name:\"last_modification\", value:\"2019-12-28 10:21:15 +0000 (Sat, 28 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-22 03:02:09 +0000 (Fri, 22 Nov 2019)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2019-6477\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"ISC BIND DoS Vulnerability - CVE-2019-6477 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"bind_version.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"isc/bind/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"ISC BIND is prone to a denial of service vulnerability as TCP-pipelined\n queries can bypass tcp-clients limit.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"By design, BIND is intended to limit the number of TCP clients that can be\n connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND\n calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP\n client connections. 
On a server with TCP-pipelining capability, it is possible for one TCP client to send a\n large number of DNS requests over a single connection. Each outstanding query will be handled internally as an\n independent client request, thus bypassing the new TCP clients limit.\");\n\n script_tag(name:\"impact\", value:\"With pipelining enabled each incoming query on a TCP connection requires a\n similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a\n TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle.\n When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively\n or from cache.\");\n\n script_tag(name:\"affected\", value:\"BIND 9.11.6-P1 - 9.11.12, 9.12.4-P1 - 9.12.4-P2, 9.14.1 - 9.14.7 and\n 9.11.5-S6 - 9.11.12-S1. 
Also affects all releases in the 9.15 development branch.\");\n\n script_tag(name:\"solution\", value:\"Update to version 9.11.13, 9.14.8, 9.15.6, 9.11.13-S1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://kb.isc.org/docs/cve-2019-6477\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif(!infos = get_app_version_and_proto(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif (version !~ \"^9\\.\")\n exit(99);\n\nif (version =~ \"^9\\.11\\.[0-9]s[0-9]\") {\n if (version_in_range(version: version, test_version: \"9.11.5s6\", test_version2: \"9.11.12s1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.11.13-S1\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n} else {\n if (version_in_range(version: version, test_version: \"9.11.6p1\", test_version2: \"9.11.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.11.13\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.12.4p1\", test_version2: \"9.12.4p2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.14.8\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.14.1\", test_version2: \"9.14.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.14.8\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.15.0\", test_version2: \"9.15.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.15.6\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-14T14:48:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "description": "The remote host is missing an update for the ", "modified": "2020-01-13T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310877129", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877129", "type": "openvas", "title": "Fedora Update for bind-dyndb-ldap FEDORA-2019-73a8737068", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877129\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:26:57 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for bind-dyndb-ldap FEDORA-2019-73a8737068\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-73a8737068\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind-dyndb-ldap'\n package(s) announced via the FEDORA-2019-73a8737068 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This package provides an LDAP back-end plug-in for BIND. 
It features\nsupport for dynamic updates and internal caching, to lift the load\noff of your LDAP server.\");\n\n script_tag(name:\"affected\", value:\"'bind-dyndb-ldap' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-dyndb-ldap\", rpm:\"bind-dyndb-ldap~11.2~2.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-14T14:48:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "description": "The remote host is missing an update for the ", "modified": "2020-01-13T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310877208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877208", "type": "openvas", "title": "Fedora Update for bind FEDORA-2019-73a8737068", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877208\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:31:32 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for bind FEDORA-2019-73a8737068\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-73a8737068\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAYHC7OZCN6L6SUFSQGMCJ5VQZZ4WPEC\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind'\n package(s) announced via the FEDORA-2019-73a8737068 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n(Domain Name System) protocols. 
BIND includes a DNS server (named),\nwhich resolves host names to IP addresses, a resolver library\n(routines for applications to use when interfacing with DNS), and\ntools for verifying that the DNS server is operating properly.\");\n\n script_tag(name:\"affected\", value:\"'bind' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.11.13~2.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-14T14:48:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "description": "The remote host is missing an update for the ", "modified": "2020-01-13T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310877268", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877268", "type": "openvas", "title": "Fedora Update for dnsperf FEDORA-2019-73a8737068", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# 
but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877268\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:34:56 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for dnsperf FEDORA-2019-73a8737068\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-73a8737068\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7NS5FTL3GQEABOP5KU2R7ODZACLXF7KY\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dnsperf'\n package(s) announced via the FEDORA-2019-73a8737068 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This is dnsperf, a collection of DNS server performance testing tools.\nFor more information, see the dnsperf(1) and resperf(1) man pages.\");\n\n script_tag(name:\"affected\", value:\"'dnsperf' package(s) on 
Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dnsperf\", rpm:\"dnsperf~2.3.2~2.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-30T12:53:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "description": "The remote host is missing an update for the ", "modified": "2019-12-28T00:00:00", "published": "2019-11-22T00:00:00", "id": "OPENVAS:1361412562310844246", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844246", "type": "openvas", "title": "Ubuntu Update for bind9 USN-4197-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844246\");\n script_version(\"2019-12-28T10:21:15+0000\");\n script_cve_id(\"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-28 10:21:15 +0000 (Sat, 28 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-22 03:00:45 +0000 (Fri, 22 Nov 2019)\");\n script_name(\"Ubuntu Update for bind9 USN-4197-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.10|UBUNTU19\\.04)\");\n\n script_xref(name:\"USN\", value:\"4197-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-November/005216.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind9'\n package(s) announced via the USN-4197-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Bind incorrectly handled certain TCP-pipelined\nqueries. 
A remote attacker could possibly use this issue to cause Bind to\nconsume resources, resulting in a denial of service.\");\n\n script_tag(name:\"affected\", value:\"'bind9' package(s) on Ubuntu 19.10, Ubuntu 19.04, Ubuntu 18.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bind9\", ver:\"1:9.11.3+dfsg-1ubuntu1.11\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bind9\", ver:\"1:9.11.5.P4+dfsg-5.1ubuntu2.1\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bind9\", ver:\"1:9.11.5.P1+dfsg-1ubuntu2.6\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-30T12:47:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "description": "The remote host is missing an update for the ", "modified": "2019-12-28T00:00:00", "published": "2019-12-15T00:00:00", "id": "OPENVAS:1361412562310877077", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877077", "type": "openvas", "title": "Fedora Update for bind-dyndb-ldap FEDORA-2019-c703d2304a", "sourceData": "# Copyright 
(C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877077\");\n script_version(\"2019-12-28T10:21:15+0000\");\n script_cve_id(\"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-28 10:21:15 +0000 (Sat, 28 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-12-15 03:31:17 +0000 (Sun, 15 Dec 2019)\");\n script_name(\"Fedora Update for bind-dyndb-ldap FEDORA-2019-c703d2304a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-c703d2304a\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind-dyndb-ldap'\n package(s) announced via the FEDORA-2019-c703d2304a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This package provides an LDAP back-end plug-in for BIND. It features\nsupport for dynamic updates and internal caching, to lift the load\noff of your LDAP server.\");\n\n script_tag(name:\"affected\", value:\"'bind-dyndb-ldap' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bind-dyndb-ldap\", rpm:\"bind-dyndb-ldap~11.1~20.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-30T12:42:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "description": "The remote host is missing an update for the ", "modified": "2019-12-28T00:00:00", "published": "2019-12-15T00:00:00", "id": "OPENVAS:1361412562310877085", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877085", "type": "openvas", "title": "Fedora Update for dnsperf FEDORA-2019-c703d2304a", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the 
referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877085\");\n script_version(\"2019-12-28T10:21:15+0000\");\n script_cve_id(\"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-28 10:21:15 +0000 (Sat, 28 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-12-15 03:31:47 +0000 (Sun, 15 Dec 2019)\");\n script_name(\"Fedora Update for dnsperf FEDORA-2019-c703d2304a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-c703d2304a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HH3NNDXQLPKSELBOUF6XCGCVSBOSALI\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 
'dnsperf'\n package(s) announced via the FEDORA-2019-c703d2304a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This is dnsperf, a collection of DNS server performance testing tools.\nFor more information, see the dnsperf(1) and resperf(1) man pages.\");\n\n script_tag(name:\"affected\", value:\"'dnsperf' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dnsperf\", rpm:\"dnsperf~2.3.2~2.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-30T12:43:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "description": "The remote host is missing an update for the ", "modified": "2019-12-28T00:00:00", "published": "2019-12-15T00:00:00", "id": "OPENVAS:1361412562310877087", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877087", "type": "openvas", "title": "Fedora Update for dhcp FEDORA-2019-c703d2304a", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; 
either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877087\");\n script_version(\"2019-12-28T10:21:15+0000\");\n script_cve_id(\"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-28 10:21:15 +0000 (Sat, 28 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-12-15 03:31:48 +0000 (Sun, 15 Dec 2019)\");\n script_name(\"Fedora Update for dhcp FEDORA-2019-c703d2304a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-c703d2304a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JTJQQXZQMEC7IQDWUUCR27UPIT632M3\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dhcp'\n package(s) announced via the FEDORA-2019-c703d2304a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"DHCP (Dynamic Host Configuration Protocol)\");\n\n 
script_tag(name:\"affected\", value:\"'dhcp' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dhcp\", rpm:\"dhcp~4.3.6~38.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-30T12:42:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477", "CVE-2018-5743"], "description": "The remote host is missing an update for the ", "modified": "2019-12-28T00:00:00", "published": "2019-12-15T00:00:00", "id": "OPENVAS:1361412562310877080", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877080", "type": "openvas", "title": "Fedora Update for bind FEDORA-2019-c703d2304a", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877080\");\n script_version(\"2019-12-28T10:21:15+0000\");\n script_cve_id(\"CVE-2018-5743\", \"CVE-2019-6477\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-28 10:21:15 +0000 (Sat, 28 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-12-15 03:31:19 +0000 (Sun, 15 Dec 2019)\");\n script_name(\"Fedora Update for bind FEDORA-2019-c703d2304a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-c703d2304a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BECUKGXT5OFHDM26TSBQZLIPZZINETKW\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bind'\n package(s) announced via the FEDORA-2019-c703d2304a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n(Domain Name System) protocols. 
BIND includes a DNS server (named),\nwhich resolves host names to IP addresses, a resolver library\n(routines for applications to use when interfacing with DNS), and\ntools for verifying that the DNS server is operating properly.\");\n\n script_tag(name:\"affected\", value:\"'bind' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.11.13~2.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2020-04-30T19:33:52", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.\n\nThe following packages have been upgraded to a later upstream version: bind (9.11.13). 
(BZ#1704328)\n\nSecurity Fix(es):\n\n* bind: TCP Pipelining doesn't limit TCP clients on a single connection (CVE-2019-6477)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.", "modified": "2020-04-28T14:49:30", "published": "2020-04-28T13:23:15", "id": "RHSA-2020:1845", "href": "https://access.redhat.com/errata/RHSA-2020:1845", "type": "redhat", "title": "(RHSA-2020:1845) Moderate: bind security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-02T17:39:57", "bulletinFamily": "unix", "cvelist": ["CVE-2018-5745", "CVE-2019-6465", "CVE-2019-6477"], "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. 
BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.\n\nSecurity Fix(es):\n\n* bind: TCP Pipelining doesn't limit TCP clients on a single connection (CVE-2019-6477)\n\n* bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (CVE-2018-5745)\n\n* bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable (CVE-2019-6465)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.", "modified": "2020-03-31T14:11:15", "published": "2020-03-31T13:13:57", "id": "RHSA-2020:1061", "href": "https://access.redhat.com/errata/RHSA-2020:1061", "type": "redhat", "title": "(RHSA-2020:1061) Moderate: bind security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-08T07:41:39", "bulletinFamily": "unix", "cvelist": ["CVE-2018-5745", "CVE-2019-6465", "CVE-2019-6477", "CVE-2020-8551"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kubernetes: crafted requests to kubelet API allowed for memory exhaustion (CVE-2020-8551)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-08T11:06:56", "published": "2020-04-08T11:06:28", "id": "RHSA-2020:1277", "href": 
"https://access.redhat.com/errata/RHSA-2020:1277", "type": "redhat", "title": "(RHSA-2020:1277) Moderate: OpenShift Container Platform 4.3.10 openshift-enterprise-hyperkube-container security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:10:54", "description": "New bind packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.", "edition": 18, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-11-21T00:00:00", "title": "Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2019-324-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.0", "p-cpe:/a:slackware:slackware_linux:bind", "cpe:/o:slackware:slackware_linux"], "id": "SLACKWARE_SSA_2019-324-01.NASL", "href": "https://www.tenable.com/plugins/nessus/131178", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2019-324-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131178);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/12/20\");\n\n script_cve_id(\"CVE-2019-6477\");\n script_xref(name:\"SSA\", value:\"2019-324-01\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2019-324-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New bind packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.422136\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6ea7ff7d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6477\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"bind\", pkgver:\"9.11.13\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.11.13\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"bind\", pkgver:\"9.11.13\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.11.13\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", 
pkgname:\"bind\", pkgver:\"9.11.13\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.11.13\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"bind\", pkgver:\"9.14.8\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"bind\", pkgver:\"9.14.8\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T02:27:30", "description": "New minor release with fix for latest CVE\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-12-13T00:00:00", "title": "Fedora 30 : 12:dhcp / 32:bind / bind-dyndb-ldap / dnsperf (2019-c703d2304a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:30", "p-cpe:/a:fedoraproject:fedora:12:dhcp", "p-cpe:/a:fedoraproject:fedora:dnsperf", "p-cpe:/a:fedoraproject:fedora:bind-dyndb-ldap", "p-cpe:/a:fedoraproject:fedora:32:bind"], "id": "FEDORA_2019-C703D2304A.NASL", "href": "https://www.tenable.com/plugins/nessus/132030", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-c703d2304a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132030);\n 
script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/12/20\");\n\n script_cve_id(\"CVE-2019-6477\");\n script_xref(name:\"FEDORA\", value:\"2019-c703d2304a\");\n\n script_name(english:\"Fedora 30 : 12:dhcp / 32:bind / bind-dyndb-ldap / dnsperf (2019-c703d2304a)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New minor release with fix for latest CVE\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-c703d2304a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6477\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:12:dhcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:32:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-dyndb-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsperf\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"dhcp-4.3.6-38.fc30\", epoch:\"12\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"bind-9.11.13-2.fc30\", epoch:\"32\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"bind-dyndb-ldap-11.1-20.fc30\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"dnsperf-2.3.2-2.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"12:dhcp / 32:bind / bind-dyndb-ldap / dnsperf\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T02:24:11", "description": "New [minor\nrelease](https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bin\nd-9.11.13.html) with fix for latest CVE.\n\nIncludes TCP high-water in rndc status.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-12-03T00:00:00", "title": "Fedora 31 : 32:bind / bind-dyndb-ldap / dnsperf (2019-73a8737068)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dnsperf", 
"p-cpe:/a:fedoraproject:fedora:bind-dyndb-ldap", "p-cpe:/a:fedoraproject:fedora:32:bind", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-73A8737068.NASL", "href": "https://www.tenable.com/plugins/nessus/131450", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-73a8737068.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131450);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/12/20\");\n\n script_cve_id(\"CVE-2019-6477\");\n script_xref(name:\"FEDORA\", value:\"2019-73a8737068\");\n\n script_name(english:\"Fedora 31 : 32:bind / bind-dyndb-ldap / dnsperf (2019-73a8737068)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New [minor\nrelease](https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bin\nd-9.11.13.html) with fix for latest CVE.\n\nIncludes TCP high-water in rndc status.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-73a8737068\"\n );\n # https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bind-9.11.13.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e917ef54\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected 32:bind, bind-dyndb-ldap and / or dnsperf\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6477\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:32:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-dyndb-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsperf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"bind-9.11.13-2.fc31\", epoch:\"32\")) flag++;\nif (rpm_check(release:\"FC31\", reference:\"bind-dyndb-ldap-11.2-2.fc31\")) flag++;\nif (rpm_check(release:\"FC31\", reference:\"dnsperf-2.3.2-2.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"32:bind / bind-dyndb-ldap / dnsperf\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-19T05:30:31", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1845 advisory.\n\n - bind: TCP Pipelining doesn't 
limit TCP clients on a single connection (CVE-2019-6477)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {}, "published": "2020-04-28T00:00:00", "title": "RHEL 8 : bind (RHSA-2020:1845)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "modified": "2020-04-28T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:bind-debugsource", "p-cpe:/a:redhat:enterprise_linux:bind-sdb-chroot", "p-cpe:/a:redhat:enterprise_linux:bind-lite-devel", "cpe:/o:redhat:rhel_tus:8.2", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "p-cpe:/a:redhat:enterprise_linux:bind-chroot", "p-cpe:/a:redhat:enterprise_linux:python3-bind", "cpe:/o:redhat:rhel_eus:8.4", "p-cpe:/a:redhat:enterprise_linux:bind-export-devel", "p-cpe:/a:redhat:enterprise_linux:bind-devel", "cpe:/a:redhat:rhel_eus:8.4::appstream", "cpe:/o:redhat:rhel_eus:8.2::baseos", "cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/o:redhat:rhel_e4s:8.2", "p-cpe:/a:redhat:enterprise_linux:bind-pkcs11", "cpe:/o:redhat:rhel_aus:8.2::baseos", "p-cpe:/a:redhat:enterprise_linux:bind-license", "p-cpe:/a:redhat:enterprise_linux:bind-pkcs11-devel", "cpe:/a:redhat:rhel_tus:8.2::appstream", "p-cpe:/a:redhat:enterprise_linux:bind-libs-lite", "cpe:/a:redhat:enterprise_linux:8::appstream", "p-cpe:/a:redhat:enterprise_linux:bind-libs", "cpe:/o:redhat:rhel_tus:8.2::baseos", "cpe:/o:redhat:rhel_aus:8.2", "p-cpe:/a:redhat:enterprise_linux:bind-pkcs11-utils", "cpe:/a:redhat:rhel_aus:8.2::appstream", "p-cpe:/a:redhat:enterprise_linux:bind-export-libs", "p-cpe:/a:redhat:enterprise_linux:bind-pkcs11-libs", "cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_eus:8.2", "p-cpe:/a:redhat:enterprise_linux:bind-utils", "p-cpe:/a:redhat:enterprise_linux:bind", "cpe:/o:redhat:rhel_e4s:8.2::baseos", "cpe:/a:redhat:rhel_eus:8.2::appstream", "cpe:/o:redhat:rhel_eus:8.4::baseos", "p-cpe:/a:redhat:enterprise_linux:bind-sdb"], "id": 
"REDHAT-RHSA-2020-1845.NASL", "href": "https://www.tenable.com/plugins/nessus/136043", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1845. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136043);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/18\");\n\n script_cve_id(\"CVE-2019-6477\");\n script_xref(name:\"RHSA\", value:\"2020:1845\");\n\n script_name(english:\"RHEL 8 : bind (RHSA-2020:1845)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1845 advisory.\n\n - bind: TCP Pipelining doesn't limit TCP clients on a single connection (CVE-2019-6477)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-6477\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:1845\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1773617\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6477\");\n script_cwe_id(400);\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_aus:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.4::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_tus:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-export-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-export-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-libs-lite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-license\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-lite-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-pkcs11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-pkcs11-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-pkcs11-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-sdb-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-bind\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'enterprise_linux_8_appstream': [\n 'rhel-8-for-aarch64-appstream-debug-rpms',\n 'rhel-8-for-aarch64-appstream-rpms',\n 'rhel-8-for-aarch64-appstream-source-rpms',\n 'rhel-8-for-s390x-appstream-debug-rpms',\n 'rhel-8-for-s390x-appstream-rpms',\n 'rhel-8-for-s390x-appstream-source-rpms',\n 'rhel-8-for-x86_64-appstream-debug-rpms',\n 'rhel-8-for-x86_64-appstream-rpms',\n 'rhel-8-for-x86_64-appstream-source-rpms'\n ],\n 'enterprise_linux_8_baseos': [\n 'rhel-8-for-aarch64-baseos-debug-rpms',\n 'rhel-8-for-aarch64-baseos-rpms',\n 'rhel-8-for-aarch64-baseos-source-rpms',\n 'rhel-8-for-s390x-baseos-debug-rpms',\n 'rhel-8-for-s390x-baseos-rpms',\n 'rhel-8-for-s390x-baseos-source-rpms',\n 'rhel-8-for-x86_64-baseos-debug-rpms',\n 'rhel-8-for-x86_64-baseos-rpms',\n 'rhel-8-for-x86_64-baseos-source-rpms'\n ],\n 'rhel_eus_8_2_appstream': 
[\n 'rhel-8-for-aarch64-appstream-eus-debug-rpms',\n 'rhel-8-for-aarch64-appstream-eus-rpms',\n 'rhel-8-for-aarch64-appstream-eus-source-rpms',\n 'rhel-8-for-s390x-appstream-eus-debug-rpms',\n 'rhel-8-for-s390x-appstream-eus-rpms',\n 'rhel-8-for-s390x-appstream-eus-source-rpms',\n 'rhel-8-for-x86_64-appstream-aus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-aus-rpms',\n 'rhel-8-for-x86_64-appstream-aus-source-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms',\n 'rhel-8-for-x86_64-appstream-eus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-eus-rpms',\n 'rhel-8-for-x86_64-appstream-eus-source-rpms',\n 'rhel-8-for-x86_64-appstream-tus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-tus-rpms',\n 'rhel-8-for-x86_64-appstream-tus-source-rpms'\n ],\n 'rhel_eus_8_2_baseos': [\n 'rhel-8-for-aarch64-baseos-eus-debug-rpms',\n 'rhel-8-for-aarch64-baseos-eus-rpms',\n 'rhel-8-for-aarch64-baseos-eus-source-rpms',\n 'rhel-8-for-s390x-baseos-eus-debug-rpms',\n 'rhel-8-for-s390x-baseos-eus-rpms',\n 'rhel-8-for-s390x-baseos-eus-source-rpms',\n 'rhel-8-for-x86_64-baseos-aus-debug-rpms',\n 'rhel-8-for-x86_64-baseos-aus-rpms',\n 'rhel-8-for-x86_64-baseos-aus-source-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-debug-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-source-rpms',\n 'rhel-8-for-x86_64-baseos-eus-debug-rpms',\n 'rhel-8-for-x86_64-baseos-eus-rpms',\n 'rhel-8-for-x86_64-baseos-eus-source-rpms',\n 'rhel-8-for-x86_64-baseos-tus-debug-rpms',\n 'rhel-8-for-x86_64-baseos-tus-rpms',\n 'rhel-8-for-x86_64-baseos-tus-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n 
break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:1845');\n}\n\npkgs = [\n {'reference':'bind-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-chroot-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-chroot-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-chroot-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-debugsource-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-debugsource-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 
'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-debugsource-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-debugsource-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-devel-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-devel-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-devel-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-devel-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-devel-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 
'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-devel-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-devel-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-devel-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-libs-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-libs-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-libs-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-export-libs-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 
'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-lite-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-lite-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-lite-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-libs-lite-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-license-9.11.13-3.el8', 
'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-lite-devel-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-lite-devel-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-lite-devel-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-lite-devel-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 
'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-devel-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-devel-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-devel-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-devel-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-libs-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-libs-9.11.13-3.el8', 'cpu':'i686', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-libs-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-libs-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 
'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-utils-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-utils-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-pkcs11-utils-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-sdb-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-sdb-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-sdb-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-sdb-chroot-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n 
{'reference':'bind-sdb-chroot-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-sdb-chroot-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-utils-9.11.13-3.el8', 'cpu':'aarch64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-utils-9.11.13-3.el8', 'cpu':'s390x', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'bind-utils-9.11.13-3.el8', 'cpu':'x86_64', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']},\n {'reference':'python3-bind-9.11.13-3.el8', 'release':'8', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'32', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'rhel_eus_8_2_appstream', 'rhel_eus_8_2_baseos']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 
'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bind / bind-chroot / bind-debugsource / bind-devel / bind-export-devel / etc');\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-10T09:29:54", "description": "With pipelining enabled each incoming query on a TCP connection\nrequires a similar resource allocation to a query received via UDP or\nvia TCP without pipelining enabled. A client using a TCP-pipelined\nconnection to a server could consume more resources than the server\nhas been provisioned to handle. 
When a TCP connection with a large\nnumber of pipelined queries is closed, the load on the server\nreleasing these multiple resources can cause it to become\nunresponsive, even for queries that can be answered authoritatively or\nfrom cache. (This is most likely to be perceived as an intermittent\nserver problem). (CVE-2019-6477)\n\nImpact\n\nAn attacker may be able to use TCP-pipelined queries to increase the\nload on the system, causing it to become unresponsive.", "edition": 7, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-02-12T00:00:00", "title": "F5 Networks BIG-IP : BIND vulnerability (K15840535)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "modified": "2020-02-12T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL15840535.NASL", "href": "https://www.tenable.com/plugins/nessus/133625", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K15840535.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133625);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/09\");\n\n script_cve_id(\"CVE-2019-6477\");\n\n script_name(english:\"F5 Networks BIG-IP : BIND vulnerability (K15840535)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is 
missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"With pipelining enabled each incoming query on a TCP connection\nrequires a similar resource allocation to a query received via UDP or\nvia TCP without pipelining enabled. A client using a TCP-pipelined\nconnection to a server could consume more resources than the server\nhas been provisioned to handle. When a TCP connection with a large\nnumber of pipelined queries is closed, the load on the server\nreleasing these multiple resources can cause it to become\nunresponsive, even for queries that can be answered authoritatively or\nfrom cache. (This is most likely to be perceived as an intermittent\nserver problem). (CVE-2019-6477)\n\nImpact\n\nAn attacker may be able to use TCP-pipelined queries to increase the\nload on the system, causing it to become unresponsive.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K15840535\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K15840535.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K15840535\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = 
make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"15.0.1-15.1.0\",\"14.1.1-14.1.2\",\"13.1.2-13.1.3\",\"12.1.5\",\"11.6.5\",\"11.5.10\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"16.0.0\",\"14.1.2.5\",\"13.1.3.4\",\"12.1.5.1\",\"11.6.5.2\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-18T11:02:30", "description": "It was discovered that Bind incorrectly handled certain TCP-pipelined\nqueries. A remote attacker could possibly use this issue to cause Bind\nto consume resources, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 15, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-11-22T00:00:00", "title": "Ubuntu 18.04 LTS / 19.04 / 19.10 : Bind vulnerability (USN-4197-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "modified": "2019-11-22T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:bind9", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.04", "cpe:/o:canonical:ubuntu_linux:19.10"], "id": "UBUNTU_USN-4197-1.NASL", "href": "https://www.tenable.com/plugins/nessus/131225", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4197-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131225);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2019-6477\");\n script_xref(name:\"USN\", value:\"4197-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 19.04 / 19.10 : Bind vulnerability (USN-4197-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Bind incorrectly handled certain TCP-pipelined\nqueries. A remote attacker could possibly use this issue to cause Bind\nto consume resources, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4197-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind9 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6477\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:bind9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04|19\\.04|19\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.04 / 19.04 / 19.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.04\", pkgname:\"bind9\", pkgver:\"1:9.11.3+dfsg-1ubuntu1.11\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"bind9\", pkgver:\"1:9.11.5.P1+dfsg-1ubuntu2.6\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"bind9\", pkgver:\"1:9.11.5.P4+dfsg-5.1ubuntu2.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind9\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-23T00:58:11", "description": "A denial of service (DoS) vulnerability exists in ISC BIND 9 due to TCP Client issues. 
\nAn unauthenticated, remote attacker can exploit this issue, via DNS Request, to cause \nthe device to stop responding.", "edition": 9, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-12-06T00:00:00", "title": "ISC BIND 9.11.0 / 9.11.x < 9.11.13 / 9.11.x < 9.11.13-S1 / 9.12.x < 9.12.5-P2 / 9.14.x < 9.14.8 / 9.15 / 9.15.x < 9.15.6 Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477"], "modified": "2019-12-06T00:00:00", "cpe": ["cpe:/a:isc:bind"], "id": "BIND9_9156.NASL", "href": "https://www.tenable.com/plugins/nessus/131735", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131735);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/22\");\n\n script_cve_id(\"CVE-2019-6477\");\n script_xref(name:\"IAVA\", value:\"2019-A-0434-S\");\n\n script_name(english:\"ISC BIND 9.11.0 / 9.11.x < 9.11.13 / 9.11.x < 9.11.13-S1 / 9.12.x < 9.12.5-P2 / 9.14.x < 9.14.8 / 9.15 / 9.15.x < 9.15.6 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote name server is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A denial of service (DoS) vulnerability exists in ISC BIND 9 due to TCP Client issues. 
\nAn unauthenticated, remote attacker can exploit this issue, via DNS Request, to cause \nthe device to stop responding.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.isc.org/docs/cve-2019-6477\");\n script_set_attribute(attribute:\"see_also\", value:\"https://nvd.nist.gov/vuln/detail/CVE-2019-6477\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the appropriate version of BIND.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6477\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/06\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:isc:bind\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"bind_version.nasl\");\n script_require_keys(\"bind/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvcf::bind::initialize();\n\napp_info = vcf::get_app_info(app:'BIND', port:53, kb_ver:'bind/version', service:TRUE, proto:'UDP');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nconstraints = [\n { 'equal' : '9.11.0' },\n { 'min_version' : '9.11.6-P1', 'max_version' : '9.11.12' , 'fixed_version' : '9.11.13'},\n { 'min_version' : '9.11.5-S6', 'max_version' : '9.11.12-S1', 'fixed_version' : '9.11.13-S1'},\n { 'min_version' : '9.12.4-P1', 'max_version' : '9.12.4-P2', 'fixed_version' : '9.12.5'},\n { 'min_version' : '9.14.1', 'max_version' : '9.14.7', 'fixed_version' : '9.14.8' },\n { 'min_version' : '9.15.0', 'max_version' : '9.15.5', 'fixed_version' : '9.15.6' }\n];\nconstraints = vcf::bind::filter_constraints(constraints:constraints, version:app_info.version);\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:03:29", "description": "According to the versions of the bind packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - A programming error in the nxdomain-redirect feature\n can cause an assertion failure in query.c if the\n alternate namespace used by nxdomain-redirect is a\n descendant of a zone that is served locally. The most\n likely scenario where this might occur is if the\n server, in addition to performing NXDOMAIN redirection\n for recursive clients, is also serving a local copy of\n the root zone or using mirroring to provide the root\n zone, although other configurations are also possible.\n Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. 
Also\n affects all releases in the 9.13 development\n branch.(CVE-2019-6467)\n\n - With pipelining enabled each incoming query on a TCP\n connection requires a similar resource allocation to a\n query received via UDP or via TCP without pipelining\n enabled. A client using a TCP-pipelined connection to a\n server could consume more resources than the server has\n been provisioned to handle. When a TCP connection with\n a large number of pipelined queries is closed, the load\n on the server releasing these multiple resources can\n cause it to become unresponsive, even for queries that\n can be answered authoritatively or from cache. (This is\n most likely to be perceived as an intermittent server\n problem).(CVE-2019-6477)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-04-02T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.6.0 : bind (EulerOS-SA-2020-1355)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477", "CVE-2019-6467"], "modified": "2020-04-02T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python3-bind", "p-cpe:/a:huawei:euleros:bind-libs", "cpe:/o:huawei:euleros:uvp:3.0.6.0", "p-cpe:/a:huawei:euleros:bind-utils", "p-cpe:/a:huawei:euleros:bind-export-libs", "p-cpe:/a:huawei:euleros:bind-libs-lite", "p-cpe:/a:huawei:euleros:bind-license"], "id": "EULEROS_SA-2020-1355.NASL", "href": "https://www.tenable.com/plugins/nessus/135142", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135142);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-6467\",\n \"CVE-2019-6477\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.6.0 : bind (EulerOS-SA-2020-1355)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the bind packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - A programming error in the nxdomain-redirect feature\n can cause an assertion failure in query.c if the\n alternate namespace used by nxdomain-redirect is a\n descendant of a zone that is served locally. The most\n likely scenario where this might occur is if the\n server, in addition to performing NXDOMAIN redirection\n for recursive clients, is also serving a local copy of\n the root zone or using mirroring to provide the root\n zone, although other configurations are also possible.\n Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also\n affects all releases in the 9.13 development\n branch.(CVE-2019-6467)\n\n - With pipelining enabled each incoming query on a TCP\n connection requires a similar resource allocation to a\n query received via UDP or via TCP without pipelining\n enabled. A client using a TCP-pipelined connection to a\n server could consume more resources than the server has\n been provisioned to handle. When a TCP connection with\n a large number of pipelined queries is closed, the load\n on the server releasing these multiple resources can\n cause it to become unresponsive, even for queries that\n can be answered authoritatively or from cache. 
(This is\n most likely to be perceived as an intermittent server\n problem).(CVE-2019-6477)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1355\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2cc9ca9c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bind packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-export-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-libs-lite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-license\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"bind-export-libs-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-libs-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-libs-lite-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-license-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-utils-9.11.4-10.P2.h19.eulerosv2r8\",\n \"python3-bind-9.11.4-10.P2.h19.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind\");\n}\n", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:02:24", "description": "According to the versions of the bind packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - With pipelining enabled each incoming query on a TCP\n connection requires a similar resource allocation to a\n query received via UDP or via TCP without pipelining\n enabled. A client using a TCP-pipelined connection to a\n server could consume more resources than the server has\n been provisioned to handle. When a TCP connection with\n a large number of pipelined queries is closed, the load\n on the server releasing these multiple resources can\n cause it to become unresponsive, even for queries that\n can be answered authoritatively or from cache. (This is\n most likely to be perceived as an intermittent server\n problem).(CVE-2019-6477)\n\n - A programming error in the nxdomain-redirect feature\n can cause an assertion failure in query.c if the\n alternate namespace used by nxdomain-redirect is a\n descendant of a zone that is served locally. The most\n likely scenario where this might occur is if the\n server, in addition to performing NXDOMAIN redirection\n for recursive clients, is also serving a local copy of\n the root zone or using mirroring to provide the root\n zone, although other configurations are also possible.\n Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also\n affects all releases in the 9.13 development\n branch.(CVE-2019-6467)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-02-25T00:00:00", "title": "EulerOS 2.0 SP8 : bind (EulerOS-SA-2020-1141)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477", "CVE-2019-6467"], "modified": "2020-02-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python3-bind", "p-cpe:/a:huawei:euleros:bind-libs", "p-cpe:/a:huawei:euleros:bind-export-devel", "p-cpe:/a:huawei:euleros:bind-utils", "p-cpe:/a:huawei:euleros:bind-pkcs11", "p-cpe:/a:huawei:euleros:bind-pkcs11-libs", "p-cpe:/a:huawei:euleros:bind-export-libs", "p-cpe:/a:huawei:euleros:bind-libs-lite", "p-cpe:/a:huawei:euleros:bind-pkcs11-utils", "p-cpe:/a:huawei:euleros:bind-license", "p-cpe:/a:huawei:euleros:bind", "cpe:/o:huawei:euleros:2.0", "p-cpe:/a:huawei:euleros:bind-chroot"], "id": "EULEROS_SA-2020-1141.NASL", "href": "https://www.tenable.com/plugins/nessus/133975", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133975);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-6467\",\n \"CVE-2019-6477\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : bind (EulerOS-SA-2020-1141)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the bind packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - With pipelining enabled each incoming query on a TCP\n connection requires a similar 
resource allocation to a\n query received via UDP or via TCP without pipelining\n enabled. A client using a TCP-pipelined connection to a\n server could consume more resources than the server has\n been provisioned to handle. When a TCP connection with\n a large number of pipelined queries is closed, the load\n on the server releasing these multiple resources can\n cause it to become unresponsive, even for queries that\n can be answered authoritatively or from cache. (This is\n most likely to be perceived as an intermittent server\n problem).(CVE-2019-6477)\n\n - A programming error in the nxdomain-redirect feature\n can cause an assertion failure in query.c if the\n alternate namespace used by nxdomain-redirect is a\n descendant of a zone that is served locally. The most\n likely scenario where this might occur is if the\n server, in addition to performing NXDOMAIN redirection\n for recursive clients, is also serving a local copy of\n the root zone or using mirroring to provide the root\n zone, although other configurations are also possible.\n Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also\n affects all releases in the 9.13 development\n branch.(CVE-2019-6467)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1141\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b140587a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bind packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-export-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-export-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-libs-lite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-license\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-pkcs11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-pkcs11-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bind-pkcs11-utils\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:huawei:euleros:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"bind-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-chroot-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-export-devel-9.11.4-10.P2.h19.eulerosv2r8\",\n 
\"bind-export-libs-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-libs-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-libs-lite-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-license-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-pkcs11-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-pkcs11-libs-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-pkcs11-utils-9.11.4-10.P2.h19.eulerosv2r8\",\n \"bind-utils-9.11.4-10.P2.h19.eulerosv2r8\",\n \"python3-bind-9.11.4-10.P2.h19.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-11T11:58:14", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has bind packages installed that are affected by\nmultiple vulnerabilities:\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust\n anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys\n feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,\n during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions\n 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2018-5745. 
(CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones\n are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and\n versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to\n a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection\n to a server could consume more resources than the server has been provisioned to handle. When a TCP\n connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered\n authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 1, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2020-12-09T00:00:00", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : bind Multiple Vulnerabilities (NS-SA-2020-0095)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6477", "CVE-2018-5745", "CVE-2019-6465"], "modified": "2020-12-09T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2020-0095_BIND.NASL", "href": "https://www.tenable.com/plugins/nessus/144003", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2020-0095. 
The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144003);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/10\");\n\n script_cve_id(\"CVE-2018-5745\", \"CVE-2019-6465\", \"CVE-2019-6477\");\n script_bugtraq_id(107140, 107142);\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : bind Multiple Vulnerabilities (NS-SA-2020-0095)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has bind packages installed that are affected by\nmultiple vulnerabilities:\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust\n anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys\n feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,\n during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions\n 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2018-5745. (CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones\n are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and\n versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. 
Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to\n a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection\n to a server could consume more resources than the server has been provisioned to handle. When a TCP\n connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered\n authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2020-0095\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL bind packages. Note that updated packages may not be available yet. 
Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6465\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL CORE 5.05': [\n 'bind-9.11.4-16.P2.el7_8.2',\n 'bind-chroot-9.11.4-16.P2.el7_8.2',\n 'bind-debuginfo-9.11.4-16.P2.el7_8.2',\n 'bind-devel-9.11.4-16.P2.el7_8.2',\n 'bind-export-devel-9.11.4-16.P2.el7_8.2',\n 'bind-export-libs-9.11.4-16.P2.el7_8.2',\n 'bind-libs-9.11.4-16.P2.el7_8.2',\n 'bind-libs-lite-9.11.4-16.P2.el7_8.2',\n 'bind-license-9.11.4-16.P2.el7_8.2',\n 'bind-lite-devel-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-devel-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-libs-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-utils-9.11.4-16.P2.el7_8.2',\n 'bind-sdb-9.11.4-16.P2.el7_8.2',\n 'bind-sdb-chroot-9.11.4-16.P2.el7_8.2',\n 'bind-utils-9.11.4-16.P2.el7_8.2'\n ],\n 'CGSL MAIN 5.05': [\n 'bind-9.11.4-16.P2.el7_8.2',\n 'bind-chroot-9.11.4-16.P2.el7_8.2',\n 'bind-debuginfo-9.11.4-16.P2.el7_8.2',\n 'bind-devel-9.11.4-16.P2.el7_8.2',\n 'bind-export-devel-9.11.4-16.P2.el7_8.2',\n 'bind-export-libs-9.11.4-16.P2.el7_8.2',\n 
'bind-libs-9.11.4-16.P2.el7_8.2',\n 'bind-libs-lite-9.11.4-16.P2.el7_8.2',\n 'bind-license-9.11.4-16.P2.el7_8.2',\n 'bind-lite-devel-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-devel-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-libs-9.11.4-16.P2.el7_8.2',\n 'bind-pkcs11-utils-9.11.4-16.P2.el7_8.2',\n 'bind-sdb-9.11.4-16.P2.el7_8.2',\n 'bind-sdb-chroot-9.11.4-16.P2.el7_8.2',\n 'bind-utils-9.11.4-16.P2.el7_8.2'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bind');\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "oraclelinux": [{"lastseen": "2020-06-04T23:26:19", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "[32:9.11.13-3]\n- Fix rwlock to be thread-safe (#1740511)\n[32:9.11.13-2]\n- Release GeoIP data on reload (#1790879)\n[32:9.11.13-1]\n- Update to 9.11.13\n[32:9.11.12-5]\n- Report failures on systemctl reload (#1739428)\n[32:9.11.12-4]\n- dhcp: Use monotonic time for detecting time jumps if available (#1729211)\n[32:9.11.12-3]\n- Backported serve-stale feature (#1664863)\n[32:9.11.12-2]\n- Add GeoLite2 support (#1564443)\n- Add GeoIP to bind-chroot (#1497646)\n- Fix wrong default GeoIP directory (#1768258)\n[32:9.11.12-1]\n- Update to 9.11.12 (#1557762)\n[32:9.11.11-1]\n- Update to 9.11.11\n[32:9.11.10-1]\n- Update to 9.11.10\n- Share pkcs11-utils and dnssec-utils manuals instead of recommend\n[32:9.11.7-1]\n- Update to 9.11.7", "edition": 1, "modified": "2020-05-05T00:00:00", "published": "2020-05-05T00:00:00", "id": "ELSA-2020-1845", "href": "http://linux.oracle.com/errata/ELSA-2020-1845.html", "title": "bind security, bug fix, and enhancement 
update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-09T02:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477", "CVE-2018-5745", "CVE-2019-6465"], "description": "[32:9.11.4-16.P2]\n- Finish dig query when name is too long (#1743572)\n[32:9.11.4-15.P2]\n- Stop listening on IPv6 by default (#1753259)\n[32:9.11.4-14.P2]\n- Limit number of queries per TCP connection (CVE-2019-6477)\n[32:9.11.4-13.P2]\n- Revert not searching names with dot (#1743572)\n[32:9.11.4-12.P2]\n- Fix mkeys test validating CVE-2018-5745 fix\n[32:9.11.4-11.P2]\n- Use monotonic time in export library (#1093803)\n[32:9.11.4-10.P2]\n- Fix CVE-2018-5745\n- Fix CVE-2019-6465", "edition": 1, "modified": "2020-04-06T00:00:00", "published": "2020-04-06T00:00:00", "id": "ELSA-2020-1061", "href": "http://linux.oracle.com/errata/ELSA-2020-1061.html", "title": "bind security and bug fix update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:38:50", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "It was discovered that Bind incorrectly handled certain TCP-pipelined \nqueries. A remote attacker could possibly use this issue to cause Bind to \nconsume resources, resulting in a denial of service.", "edition": 3, "modified": "2019-11-21T00:00:00", "published": "2019-11-21T00:00:00", "id": "USN-4197-1", "href": "https://ubuntu.com/security/notices/USN-4197-1", "title": "Bind vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cisa": [{"lastseen": "2020-12-18T18:06:47", "bulletinFamily": "info", "cvelist": ["CVE-2019-6477"], "description": "The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). 
A remote attacker could exploit this vulnerability to cause a denial-of-service condition.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the [ISC advisory](<https://kb.isc.org/docs/cve-2019-6477>) for more information and to apply the necessary updates and workarounds.\n", "modified": "2019-11-21T00:00:00", "published": "2019-11-21T00:00:00", "id": "CISA:DAFCE21DF0563670DD66521828397307", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/11/21/isc-releases-security-advisory-bind", "type": "cisa", "title": "ISC Releases Security Advisory for BIND", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:35:59", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "New bind packages are available for Slackware 14.0, 14.1, 14.2, and -current to\nfix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/bind-9.11.13-i586-1_slack14.2.txz: Upgraded.\n This update fixes a security issue:\n Set a limit on the number of concurrently served pipelined TCP queries.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6477\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.11.13-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.11.13-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bind-9.11.13-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bind-9.11.13-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bind-9.11.13-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bind-9.11.13-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.14.8-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.14.8-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bind-9.11.13-i586-1_slack14.2.txz\n\nThen, restart the name server:\n\n > /etc/rc.d/rc.bind restart", "modified": "2019-11-21T04:26:08", "published": "2019-11-21T04:26:08", "id": "SSA-2019-324-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.422136", "type": "slackware", "title": "[slackware-security] bind", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server. ", "modified": "2019-11-29T00:55:12", "published": "2019-11-29T00:55:12", "id": "FEDORA:5126B611CF9B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: bind-dyndb-ldap-11.2-2.fc31", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. 
", "modified": "2019-11-29T00:55:11", "published": "2019-11-29T00:55:11", "id": "FEDORA:D649C611A7FD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: bind-9.11.13-2.fc31", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server. ", "modified": "2019-12-13T01:04:41", "published": "2019-12-13T01:04:41", "id": "FEDORA:5520F627F513", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: bind-dyndb-ldap-11.1-20.fc30", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "This is dnsperf, a collection of DNS server performance testing tools. For more information, see the dnsperf(1) and resperf(1) man pages. ", "modified": "2019-12-13T01:04:41", "published": "2019-12-13T01:04:41", "id": "FEDORA:C242B627C924", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: dnsperf-2.3.2-2.fc30", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477"], "description": "DHCP (Dynamic Host Configuration Protocol) ", "modified": "2019-12-13T01:04:41", "published": "2019-12-13T01:04:41", "id": "FEDORA:717EB6291CAC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: dhcp-4.3.6-38.fc30", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-5743", "CVE-2019-6477"], "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. 
BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. ", "modified": "2019-12-13T01:04:40", "published": "2019-12-13T01:04:40", "id": "FEDORA:BF4FB6291CB6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: bind-9.11.13-2.fc30", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2020-04-08T22:42:26", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477", "CVE-2018-5745", "CVE-2019-6465"], "description": "**CentOS Errata and Security Advisory** CESA-2020:1061\n\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.\n\nSecurity Fix(es):\n\n* bind: TCP Pipelining doesn't limit TCP clients on a single connection (CVE-2019-6477)\n\n* bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (CVE-2018-5745)\n\n* bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable (CVE-2019-6465)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012415.html\n\n**Affected 
packages:**\nbind\nbind-chroot\nbind-devel\nbind-export-devel\nbind-export-libs\nbind-libs\nbind-libs-lite\nbind-license\nbind-lite-devel\nbind-pkcs11\nbind-pkcs11-devel\nbind-pkcs11-libs\nbind-pkcs11-utils\nbind-sdb\nbind-sdb-chroot\nbind-utils\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-04-08T17:45:58", "published": "2020-04-08T17:45:58", "id": "CESA-2020:1061", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2020-April/012415.html", "title": "bind security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:35:27", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477", "CVE-2018-5745", "CVE-2019-6465"], "description": "**Issue Overview:**\n\n\"managed-keys\" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to [CVE-2018-5745](<https://access.redhat.com/security/cve/CVE-2018-5745>). ([CVE-2018-5745](<https://access.redhat.com/security/cve/CVE-2018-5745>))\n\nWith pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. 
When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem). ([CVE-2019-6477 __](<https://access.redhat.com/security/cve/CVE-2019-6477>))\n\nControls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to [CVE-2019-6465 __](<https://access.redhat.com/security/cve/CVE-2019-6465>). ([CVE-2019-6465 __](<https://access.redhat.com/security/cve/CVE-2019-6465>))\n\n \n**Affected Packages:** \n\n\nbind\n\n \n**Issue Correction:** \nRun _yum update bind_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n bind-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-pkcs11-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-pkcs11-utils-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-pkcs11-libs-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-pkcs11-devel-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-sdb-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-libs-lite-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-libs-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-utils-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-devel-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-lite-devel-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-chroot-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-sdb-chroot-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-export-libs-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-export-devel-9.11.4-9.P2.amzn2.0.4.aarch64 \n bind-debuginfo-9.11.4-9.P2.amzn2.0.4.aarch64 \n \n i686: \n bind-9.11.4-9.P2.amzn2.0.4.i686 \n bind-pkcs11-9.11.4-9.P2.amzn2.0.4.i686 \n bind-pkcs11-utils-9.11.4-9.P2.amzn2.0.4.i686 \n bind-pkcs11-libs-9.11.4-9.P2.amzn2.0.4.i686 \n bind-pkcs11-devel-9.11.4-9.P2.amzn2.0.4.i686 \n bind-sdb-9.11.4-9.P2.amzn2.0.4.i686 \n bind-libs-lite-9.11.4-9.P2.amzn2.0.4.i686 \n bind-libs-9.11.4-9.P2.amzn2.0.4.i686 \n bind-utils-9.11.4-9.P2.amzn2.0.4.i686 \n bind-devel-9.11.4-9.P2.amzn2.0.4.i686 \n bind-lite-devel-9.11.4-9.P2.amzn2.0.4.i686 \n bind-chroot-9.11.4-9.P2.amzn2.0.4.i686 \n bind-sdb-chroot-9.11.4-9.P2.amzn2.0.4.i686 \n bind-export-libs-9.11.4-9.P2.amzn2.0.4.i686 \n bind-export-devel-9.11.4-9.P2.amzn2.0.4.i686 \n bind-debuginfo-9.11.4-9.P2.amzn2.0.4.i686 \n \n noarch: \n bind-license-9.11.4-9.P2.amzn2.0.4.noarch \n \n src: \n bind-9.11.4-9.P2.amzn2.0.4.src \n \n x86_64: \n bind-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-pkcs11-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-pkcs11-utils-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-pkcs11-libs-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-pkcs11-devel-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-sdb-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-libs-lite-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-libs-9.11.4-9.P2.amzn2.0.4.x86_64 \n 
bind-utils-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-devel-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-lite-devel-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-chroot-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-sdb-chroot-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-export-libs-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-export-devel-9.11.4-9.P2.amzn2.0.4.x86_64 \n bind-debuginfo-9.11.4-9.P2.amzn2.0.4.x86_64 \n \n \n", "edition": 1, "modified": "2020-06-26T22:51:00", "published": "2020-06-26T22:51:00", "id": "ALAS2-2020-1441", "href": "https://alas.aws.amazon.com/AL2/ALAS-2020-1441.html", "title": "Medium: bind", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2020-09-27T00:57:20", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6477", "CVE-2020-8616", "CVE-2020-8617"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4689-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 19, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : bind9\nCVE ID : CVE-2019-6477 CVE-2020-8616 CVE-2020-8617\nDebian Bug : 945171\n\nSeveral vulnerabilities were discovered in BIND, a DNS server\nimplementation.\n\nCVE-2019-6477\n\n It was discovered that TCP-pipelined queries can bypass tcp-client\n limits resulting in denial of service.\n\nCVE-2020-8616\n\n It was discovered that BIND does not sufficiently limit the number\n of fetches performed when processing referrals. 
An attacker can take\n advantage of this flaw to cause a denial of service (performance\n degradation) or use the recursing server in a reflection attack with\n a high amplification factor.\n\nCVE-2020-8617\n\n It was discovered that a logic error in the code which checks TSIG\n validity can be used to trigger an assertion failure, resulting in\n denial of service.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 1:9.10.3.dfsg.P4-12.3+deb9u6.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 1:9.11.5.P4+dfsg-5.1+deb10u1.\n\nWe recommend that you upgrade your bind9 packages.\n\nFor the detailed security status of bind9 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/bind9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 12, "modified": "2020-05-19T19:48:33", "published": "2020-05-19T19:48:33", "id": "DEBIAN:DSA-4689-1:B775F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00093.html", "title": "[SECURITY] [DSA 4689-1] bind9 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2020-10-20T03:01:24", "bulletinFamily": "unix", "cvelist": ["CVE-2018-5741", "CVE-2020-8618", "CVE-2019-6477", "CVE-2020-8616", "CVE-2020-8617", "CVE-2020-8624", "CVE-2020-8621", "CVE-2020-8620", "CVE-2017-3136", "CVE-2020-8622", "CVE-2020-8619", "CVE-2020-8623"], "description": "This update for bind fixes the following issues:\n\n BIND was upgraded to version 9.16.6:\n\n Note:\n\n - bind is now more strict in regards to DNSSEC. If queries are not\n working, check for DNSSEC issues. 
For instance, if bind is used in a\n nameserver forwarder chain, the forwarding DNS servers must support\n DNSSEC.\n\n Fixing security issues:\n\n - CVE-2020-8616: Further limit the number of queries that can be triggered\n from a request. Root and TLD servers are no longer exempt from\n max-recursion-queries. Fetches for missing name server. (bsc#1171740)\n Address records are limited to 4 for any domain.\n - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could\n trigger an assertion failure. (bsc#1171740)\n - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass\n the tcp-clients limit (bsc#1157051).\n - CVE-2018-5741: Fixed the documentation (bsc#1109160).\n - CVE-2020-8618: It was possible to trigger an INSIST when determining\n whether a record would fit into a TCP message buffer (bsc#1172958).\n - CVE-2020-8619: It was possible to trigger an INSIST in\n lib/dns/rbtdb.c:new_reference() with a particular zone content and query\n patterns (bsc#1172958).\n - CVE-2020-8624: "update-policy" rules of type "subdomain" were\n incorrectly treated as "zonesub" rules, which allowed keys used in\n "subdomain" rules to update names outside\n of the specified subdomains. 
The problem was fixed by making sure\n "subdomain" rules are again processed as described in the ARM\n (bsc#1175443).\n - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it\n was possible to trigger an assertion failure in code determining the\n number of bits in the PKCS#11 RSA public key with a specially crafted\n packet (bsc#1175443).\n - CVE-2020-8621: named could crash in certain query resolution scenarios\n where QNAME minimization and forwarding were both enabled (bsc#1175443).\n - CVE-2020-8620: It was possible to trigger an assertion failure by\n sending a specially crafted large TCP DNS message (bsc#1175443).\n - CVE-2020-8622: It was possible to trigger an assertion failure when\n verifying the response to a TSIG-signed request (bsc#1175443).\n\n Other issues fixed:\n\n - Add engine support to OpenSSL EdDSA implementation.\n - Add engine support to OpenSSL ECDSA implementation.\n - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.\n - Warn about AXFR streams with inconsistent message IDs.\n - Make ISC rwlock implementation the default again.\n - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)\n - Installed the default files in /var/lib/named and created chroot\n environment on systems using transactional-updates (bsc#1100369,\n fate#325524)\n - Fixed an issue where bind was not working in FIPS mode (bsc#906079).\n - Fixed dependency issues (bsc#1118367 and bsc#1118368).\n - GeoIP support is now discontinued, now GeoIP2 is used (bsc#1156205).\n - Fixed an issue with FIPS (bsc#1128220).\n - The liblwres library is discontinued upstream and is no longer included.\n - Added service dependency on NTP to make sure the clock is accurate when\n bind starts (bsc#1170667, bsc#1170713).\n - Reject DS records at the zone apex when loading master files. 
Log but\n otherwise ignore attempts to add DS records at the zone apex via UPDATE.\n - The default value of "max-stale-ttl" has been changed from 1 week to 12\n hours.\n - Zone timers are now exported via statistics channel.\n - The "primary" and "secondary" keywords, when used as parameters for\n "check-names", were not processed correctly and were being ignored.\n - 'rndc dnstap -roll <value>' did not limit the number of saved files to\n <value>.\n - Add 'rndc dnssec -status' command.\n - Addressed a couple of situations where named could crash.\n - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that\n named, being a/the only member of the "named" group has full r/w access\n yet cannot change directories owned by root in the case of a compromised\n named. [bsc#1173307, bind-chrootenv.conf]\n - Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in\n /etc/sysconfig/named to suppress warning message re missing file\n (bsc#1173983).\n - Removed "-r /dev/urandom" from all invocations of rndc-confgen\n (init/named system/lwresd.init system/named.init in vendor-files) as\n this option is deprecated and causes rndc-confgen to fail. (bsc#1173311,\n bsc#1176674, bsc#1170713)\n - /usr/bin/genDDNSkey: Removing the use of the -r option in the call\n of /usr/sbin/dnssec-keygen as BIND now uses the random number functions\n provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as\n a source of randomness rather than /dev/random. Therefore the -r\n command line option no longer has any effect on dnssec-keygen. Leaving\n the option in genDDNSkey as to not break compatibility. Patch provided\n by Stefan Eisenwiener. 
[bsc#1171313]\n - Put libns into a separate subpackage to avoid file conflicts in the\n libisc subpackage due to different sonums (bsc#1176092).\n - Require /sbin/start_daemon: both init scripts, the one used in systemd\n context as well as legacy sysv, make use of start_daemon.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2020-10-20T00:14:39", "published": "2020-10-20T00:14:39", "id": "OPENSUSE-SU-2020:1699-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html", "title": "Security update for bind (moderate)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-10-20T15:01:26", "bulletinFamily": "unix", "cvelist": ["CVE-2018-5741", "CVE-2020-8618", "CVE-2019-6477", "CVE-2020-8616", "CVE-2020-8617", "CVE-2020-8624", "CVE-2020-8621", "CVE-2020-8620", "CVE-2017-3136", "CVE-2020-8622", "CVE-2020-8619", "CVE-2020-8623"], "description": "This update for bind fixes the following issues:\n\n BIND was upgraded to version 9.16.6:\n\n Note:\n\n - bind is now more strict in regards to DNSSEC. If queries are not\n working, check for DNSSEC issues. For instance, if bind is used in a\n nameserver forwarder chain, the forwarding DNS servers must support\n DNSSEC.\n\n Fixing security issues:\n\n - CVE-2020-8616: Further limit the number of queries that can be triggered\n from a request. Root and TLD servers are no longer exempt from\n max-recursion-queries. Fetches for missing name server. (bsc#1171740)\n Address records are limited to 4 for any domain.\n - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could\n trigger an assertion failure. 
(bsc#1171740)\n - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass\n the tcp-clients limit (bsc#1157051).\n - CVE-2018-5741: Fixed the documentation (bsc#1109160).\n - CVE-2020-8618: It was possible to trigger an INSIST when determining\n whether a record would fit into a TCP message buffer (bsc#1172958).\n - CVE-2020-8619: It was possible to trigger an INSIST in\n lib/dns/rbtdb.c:new_reference() with a particular zone content and query\n patterns (bsc#1172958).\n - CVE-2020-8624: "update-policy" rules of type "subdomain" were\n incorrectly treated as "zonesub" rules, which allowed keys used in\n "subdomain" rules to update names outside\n of the specified subdomains. The problem was fixed by making sure\n "subdomain" rules are again processed as described in the ARM\n (bsc#1175443).\n - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it\n was possible to trigger an assertion failure in code determining the\n number of bits in the PKCS#11 RSA public key with a specially crafted\n packet (bsc#1175443).\n - CVE-2020-8621: named could crash in certain query resolution scenarios\n where QNAME minimization and forwarding were both enabled (bsc#1175443).\n - CVE-2020-8620: It was possible to trigger an assertion failure by\n sending a specially crafted large TCP DNS message (bsc#1175443).\n - CVE-2020-8622: It was possible to trigger an assertion failure when\n verifying the response to a TSIG-signed request (bsc#1175443).\n\n Other issues fixed:\n\n - Add engine support to OpenSSL EdDSA implementation.\n - Add engine support to OpenSSL ECDSA implementation.\n - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.\n - Warn about AXFR streams with inconsistent message IDs.\n - Make ISC rwlock implementation the default again.\n - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)\n - Installed the default files in /var/lib/named and created chroot\n environment on systems using transactional-updates 
(bsc#1100369,\n fate#325524)\n - Fixed an issue where bind was not working in FIPS mode (bsc#906079).\n - Fixed dependency issues (bsc#1118367 and bsc#1118368).\n - GeoIP support is now discontinued, now GeoIP2 is used (bsc#1156205).\n - Fixed an issue with FIPS (bsc#1128220).\n - The liblwres library is discontinued upstream and is no longer included.\n - Added service dependency on NTP to make sure the clock is accurate when\n bind starts (bsc#1170667, bsc#1170713).\n - Reject DS records at the zone apex when loading master files. Log but\n otherwise ignore attempts to add DS records at the zone apex via UPDATE.\n - The default value of "max-stale-ttl" has been changed from 1 week to 12\n hours.\n - Zone timers are now exported via statistics channel.\n - The "primary" and "secondary" keywords, when used as parameters for\n "check-names", were not processed correctly and were being ignored.\n - 'rndc dnstap -roll <value>' did not limit the number of saved files to\n <value>.\n - Add 'rndc dnssec -status' command.\n - Addressed a couple of situations where named could crash.\n - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that\n named, being a/the only member of the "named" group has full r/w access\n yet cannot change directories owned by root in the case of a compromised\n named. [bsc#1173307, bind-chrootenv.conf]\n - Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in\n /etc/sysconfig/named to suppress warning message re missing file\n (bsc#1173983).\n - Removed "-r /dev/urandom" from all invocations of rndc-confgen\n (init/named system/lwresd.init system/named.init in vendor-files) as\n this option is deprecated and causes rndc-confgen to fail. 
(bsc#1173311,\n bsc#1176674, bsc#1170713)\n - /usr/bin/genDDNSkey: Removing the use of the -r option in the call\n of /usr/sbin/dnssec-keygen as BIND now uses the random number functions\n provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as\n a source of randomness rather than /dev/random. Therefore the -r\n command line option no longer has any effect on dnssec-keygen. Leaving\n the option in genDDNSkey as to not break compatibility. Patch provided\n by Stefan Eisenwiener. [bsc#1171313]\n - Put libns into a separate subpackage to avoid file conflicts in the\n libisc subpackage due to different sonums (bsc#1176092).\n - Require /sbin/start_daemon: both init scripts, the one used in systemd\n context as well as legacy sysv, make use of start_daemon.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2020-10-20T12:16:36", "published": "2020-10-20T12:16:36", "id": "OPENSUSE-SU-2020:1701-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html", "title": "Security update for bind (moderate)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}