Message-ID: <20180920115228.GB31416@stiletto.tun>
Date: Thu, 20 Sep 2018 12:52:28 +0100
From: scrumpyjack@...ilet.to
To: oss-security@...ts.openwall.com
Subject: CVE-2018-5740 BIND (named vuln) and bad OVAL dict file maintenance

hi there, and apologies if this isn't the correct place to turn to, but 
the OVAL boards have been inactive since 2015 and perhaps the people who 
maintain these files lurk here and will notice.

In short:

CVE-2018-5740 Applies to named, when running, with a specific option set 
[1]

The OVAL [2] dictionaries (which are consumed by vulnerability scanners) 
for RedHat (and derivatives) [3],[4] list the following packages as 
affected

bind
bind-chroot
bind-devel
bind-libs
bind-libs-lite
bind-license
bind-lite-devel
bind-pkcs11
bind-pkcs11-devel
bind-pkcs11-libs
bind-pkcs11-utils
bind-sdb
bind-sdb-chroot
bind-utils

named is only contained in the bind package, and this list is causing no 
end of problems on hosts that, for example, only want bind-utils and 
dependencies (of which bind -containing named- is not).

Could whoever maintains these take a look?

thank you for your time

[1] https://kb.isc.org/docs/aa-01639
[2] https://oval.mitre.org
[3] https://www.redhat.com/security/data/oval/
[4] https://linux.oracle.com/security/oval/
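
Added example, not part of the original post: a triage helper that reads the rpminfo package names out of an OVAL definition and reports whether a flagged host has the `bind` package (per the post, the only one containing named) installed. The OVAL fragment, object ids and function names are constructed for illustration; the installed set is assumed to come from something like `rpm -qa --qf '%{NAME}\n'`.

```python
import xml.etree.ElementTree as ET

# Namespaces of OVAL 5 definitions and the Linux component schema (rpminfo_object).
NS = {
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux",
}

# Constructed fragment, not copied from a vendor feed; ids are placeholders.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <objects>
    <lin:rpminfo_object id="oval:example:obj:1" version="1"><lin:name>bind</lin:name></lin:rpminfo_object>
    <lin:rpminfo_object id="oval:example:obj:2" version="1"><lin:name>bind-libs</lin:name></lin:rpminfo_object>
    <lin:rpminfo_object id="oval:example:obj:3" version="1"><lin:name>bind-utils</lin:name></lin:rpminfo_object>
    <lin:rpminfo_object id="oval:example:obj:4" version="1"><lin:name>bind-license</lin:name></lin:rpminfo_object>
  </objects>
</oval_definitions>"""


def oval_package_names(oval_xml):
    """Return the sorted, de-duplicated package names the definition inspects."""
    root = ET.fromstring(oval_xml)  # parse only feeds obtained from the vendor
    names = root.iterfind(".//lin:rpminfo_object/lin:name", NS)
    return sorted({n.text.strip() for n in names if n.text})


def triage(oval_xml, installed, daemon_pkg="bind"):
    """Split a scanner hit into 'daemon package present' vs 'sibling packages only'.

    daemon_pkg defaults to 'bind' on the post's premise that named ships only there.
    """
    flagged = [p for p in oval_package_names(oval_xml) if p in installed]
    if daemon_pkg in flagged:
        verdict = "named may be present"
    elif flagged:
        verdict = "flagged without daemon package"
    else:
        verdict = "not flagged"
    return {"flagged": flagged, "verdict": verdict}


if __name__ == "__main__":
    # Constructed host inventory: a resolver-tools-only machine.
    host = {"bind-utils", "bind-libs", "bind-license", "openssl"}
    print(triage(SAMPLE_OVAL, host))
```

The verdict only sorts findings for review; whether the option described in [1] is enabled on a host running named still has to be checked in its configuration.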
