Yay, another security vulnerability in old software, this time in many versions of BIND.
- CVE-2015-4620: …when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit)
- CVE-2015-5477: …allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.
The easiest way to patch Mandriva 2010.2 seemed to be to build the closest supported version of BIND: 9.9.7 P2 (Mandriva 2010.2 eventually updated to BIND 9.7.6). I took the 9.7.6 source RPM and updated it to 9.9.7 P2, keeping around as many of the patches as I could, and updating them from Mageia as necessary. It seems to work for me, but no guarantees.