CVE-2018-5735

NameCVE-2018-5735
DescriptionThe Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. Other packages from other distributions who did similar backports for the fix for 2017-3137 may also be affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1285-1
NVD severitymedium
Debian Bugs889285

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)jessie1:9.9.5.dfsg-9+deb8u15fixed
jessie (security)1:9.9.5.dfsg-9+deb8u18fixed
stretch (security), stretch1:9.10.3.dfsg.P4-12.3+deb9u5fixed
bullseye, sid, buster1:9.11.5.P4+dfsg-5.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9source(unstable)1:9.9.3.dfsg.P2-1889285
bind9sourcewheezy1:9.8.4.dfsg.P1-6+nmu2+deb7u20DLA-1285-1

Notes

Issue similar/closely related to the CVE-2017-3139 issue in Red Hat.
Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was
added upstream in 9.9.3b1. The issue though does not affect bind9 upstream
and is only triggered as described in #889285.

Search for package or bug name: Reporting problems