Vulnerability Issue:
A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet.
Resolution:
The only solution is to apply the patch to fix CVE-2015-5477. All major Linux vendors have already released patches for this.
Fix in Red Hat (5, 6, & 7) and CentOS (5 & 7) Servers
• Red Hat Enterprise Linux 7 (bind) – bind-9.9.4-18.el7_1.3
• Red Hat Enterprise Linux 6 (bind) – bind-9.8.2-0.37.rc1.el6_7.2
• Red Hat Enterprise Linux 5 (bind) – bind-9.3.6-25.P1.el5_11.3
• Red Hat Enterprise Linux 5 (bind97) – bind97-9.7.0-21.P2.el5_11.2
Run the command:
# yum update bind
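To confirm the update took effect, the installed build can be compared against the fixed builds listed above. The script below is an added example, not part of the original advisory; its function names are hypothetical, and it assumes GNU sort -V, which only approximates RPM version ordering and is treated here as sufficient for builds within the same release stream.

```shell
# Added example: compare an installed BIND build with the fixed build from this advisory.
# Fixed builds are copied from the list above; function names are hypothetical.

# ver_ge A B: succeeds when version string A sorts at or above B.
# ASSUMPTION: GNU `sort -V` is used as an approximation of RPM version ordering.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# fixed_build PKG EL_MAJOR: print the fixed version-release given in the advisory.
fixed_build() {
    case "$1:$2" in
        bind:7)   echo "9.9.4-18.el7_1.3" ;;
        bind:6)   echo "9.8.2-0.37.rc1.el6_7.2" ;;
        bind:5)   echo "9.3.6-25.P1.el5_11.3" ;;
        bind97:5) echo "9.7.0-21.P2.el5_11.2" ;;
        *)        return 1 ;;
    esac
}

# check_build PKG EL_MAJOR INSTALLED: print PATCHED, VULNERABLE or UNKNOWN.
# Returns 0 when patched, 1 when older than the fixed build, 2 when the
# package/release pair is not covered by the advisory's list.
check_build() {
    _fixed=$(fixed_build "$1" "$2") || { echo "UNKNOWN"; return 2; }
    if ver_ge "$3" "$_fixed"; then
        echo "PATCHED"
    else
        echo "VULNERABLE"
        return 1
    fi
}

# Live use on a RHEL/CentOS host: pass --live and the major release, e.g. --live 7
if [ "${1:-}" = "--live" ]; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' bind | head -n1)
    check_build bind "$2" "$installed"
fi
```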
Fix in CentOS (6) Servers
For CentOS 6, you will need to enable the Continuous Release (CR) repository to get this patch. Here’s how to install and enable the CR repo, then update BIND.
# yum install centos-release-cr
# yum-config-manager --enable cr
# yum update bind
Once this is done, you can disable the CR repo with:
# yum-config-manager --disable cr
Fix in Debian and Ubuntu servers
• Ubuntu 12.04 LTS – 1:9.9.5.dfsg-9ubuntu0.2
• Ubuntu 14.04 LTS – 1:9.9.5.dfsg-3ubuntu0.4
• Ubuntu 15.04 LTS – 1:9.8.1.dfsg.P1-4ubuntu0.12
• Debian jessie – 1:9.9.5.dfsg-9+deb8u2
• Debian squeeze – 1:9.7.3.dfsg-1~squeeze16
• Debian wheezy – 1:9.8.4.dfsg.P1-6+nmu2+deb7u6
Run the command:
# apt-get install bind9