Date: Wed, 19 Dec 2018 11:14:18 -0500 From: ISC Security Officer <security-officer@....org> To: oss-security@...ts.openwall.com Cc: "security-officer@....org" <security-officer@....org> Subject: Additional context information about RedHat's announcement of CVE-2018-5742 Hello -- Internet Systems Consortium would like to provide packagers and redistributors of our software some additional context concerning CVE-2018-5742, which was announced yesterday by RedHat, affecting some BIND packages in RedHat and CentOS. Their disclosure of the issue can be found via this page: https://access.redhat.com/security/cve/cve-2018-5742 and more information can be found in their respective bug trackers: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-5742 https://bugs.centos.org/view.php?id=15528 The RedHat announcement is understandably focused mostly on the impact to customers using their packages, but because some of the other subscribers to this list distribute their own packages that are based on BIND we thought it might be helpful to provide some additional information about this CVE. 1) The issue does not exist in any of the BIND source packages provided directly by ISC. 2) We have worked with RedHat to determine the root cause of CVE-2018-5742 and have concluded that it was introduced accidentally while backporting the Negative Trust Anchor (NTA) feature to a branch of BIND prior to when it was introduced in the upstream (ISC) version. We would therefore advise any other packagers who have backported NTA to the BIND 9.9 or 9.10 codebase that they might want to investigate to see whether they have similarly introduced a vulnerability in their code. If you find that you have done so, please contact security-officer@....org, as ISC are the CVE Numbering Authority for BIND and we will need to be included in the discussion as to whether any such vulnerabilities fall under CVE-2018-5742 or require a separate CVE ID assignment. If you are distributing BIND packages and have further questions we will do our best to answer them. Michael McNally (as ISC Security Officer)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.