It affects Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS

Jul 29, 2015 02:05 GMT

On July 28, Canonical, through Marc Deslauriers, published details about the availability of a new important update for the BIND packages in the Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS operating systems.

The Ubuntu Security Notice USN-2693-1 document describes two security vulnerabilities discovered by various developers in the upstream BIND software, the world's most popular open-source Domain Name System (DNS) software on the Internet. The latest version of the BIND software can always be downloaded from our website.

"A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS," says Marc Deslauriers. "Bind could be made to crash if it received specially crafted network traffic. The problem can be corrected by updating your system to the following package versions."

The first security flaw was discovered by Jonathan Foote: BIND incorrectly handled various TKEY (transaction key) queries, allowing a remote attacker to crash BIND or cause a denial of service by using a specially crafted packet. The vulnerability is described in detail at CVE-2015-5477.

The second security flaw was discovered by Pories Ediansyah: BIND incorrectly handled configurations involving DNS64, allowing a remote attacker to crash BIND or cause a denial of service by using a specially crafted query. The vulnerability is described in detail at CVE-2012-5689 and affects only Ubuntu 12.04 LTS.

Please update your BIND packages as soon as possible

Canonical urges all users of Ubuntu 15.04 (Vivid Vervet), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin) to update their BIND packages to version 9.9.5.dfsg-9ubuntu0.2 for Ubuntu 15.04, version 9.9.5.dfsg-3ubuntu0.4 for Ubuntu 14.04 LTS, and version 9.8.1.dfsg.P1-4ubuntu0.12 for Ubuntu 12.04 LTS.