Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Aug 2015 14:32:41 +0200
From: Florian Weimer <fweimer@...hat.com>
To: ISC Security Officer <security-officer@....org>,
        Assign a CVE Identifier <cve-assign@...re.org>
Cc: oss-security@...ts.openwall.com
Subject: Is CVE-2015-4650 a duplicate, leak, or just a typo?

Some documents use CVE-2015-4650 to refer to a vulnerability in BIND.
Apparently, they source back to

<https://www.alienvault.com/forums/discussion/5706/security-advisory-alienvault-v5-1-addresses-6-vulnerabilities>

which says:

“
Debian Security Update
AlienVault ID: ENG-101265
Description: name.c in named in ISC BIND 9.7.x through 9.9.x before
9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive
resolver with DNSSEC validation, allows remote attackers to cause a
denial of service (REQUIRE assertion failure and daemon exit) by
constructing crafted zone data and then making a query for a name in
that zone.
CVE ID: CVE-2015-4650
CVSS v2 Base Score: 7.8
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:N)
”

That description seems to match CVE-2015-4620, so I'm leaning towards typo:

<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4620>

I don't know how this came into being.  Debian does not appear
responsible, the immutable list archives use the correct ID:

<https://lists.debian.org/debian-lts-announce/2015/07/msg00008.html>
<https://lists.debian.org/debian-security-announce/2015/msg00200.html>

Comments appreciated.

-- 
Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ