IBM Information for VU#198355

ISC BIND 8.2.2-P6 vulnerable to DoS when processing SRV records, aka the "srv bug"

Status

Affected

Vendor Statement

IBM has reported to the CERT/CC that AIX is vulnerable to the bugs described in this document. IBM initially released an e-patch in APAR IY14512.

IBM has posted an e-fix for the BIND denial-of-service vulnerabilities to ftp.software.ibm.com/aix/efixes/security. See the README file in this ftp directory for additional information.

Also, IBM has posted an e-fix to this same site that contains libc.a library that incorporates a fix to the BIND vulnerabilities and the recent locale subsystem format string vulnerability discovered by Ivan Arce of CORE, and discussed on Bugtraq. The e-fix for BIND must be downloaded and installed before implementing this e-fix. See the same README file for details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.