Candidate: CVE-2018-5741
PublicDate: 2019-01-16 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741
 https://kb.isc.org/docs/cve-2018-5741
Description:
 To provide fine-grained controls over the ability to use Dynamic DNS (DDNS)
 to update records in a zone, BIND 9 provides a feature called
 update-policy. Various rules can be configured to limit the types of
 updates that can be performed by a client, depending on the key used when
 sending the update request. Unfortunately, some rule types were not
 initially documented, and when documentation for them was added to the
 Administrator Reference Manual (ARM) in change #3112, the language that was
 added to the ARM at that time incorrectly described the behavior of two
 rule types, krb5-subdomain and ms-subdomain. This incorrect documentation
 could mislead operators into believing that policies they had configured
 were more restrictive than they actually were. This affects BIND versions
 prior to BIND 9.11.5 and BIND 9.12.3.
Ubuntu-Description:
Notes:
 mdeslaur> per the ISC advisory: "At the present time, ISC is not providing
 mdeslaur> any code changing the behavior of the update-policy feature."
 mdeslaur> deferring for now to see if the policy will change
 mdeslaur>
 mdeslaur> documentation changes went into 9.11.5
 mdeslaur>
 mdeslaur> we will not be changing the documentation in our stable releases
Bugs:
Priority: negligible
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N [6.5 MEDIUM]


Patches_bind9:
upstream_bind9: released (9.11.5)
precise/esm_bind9: ignored
trusty_bind9: ignored
trusty/esm_bind9: ignored
xenial_bind9: ignored
esm-infra/xenial_bind9: ignored
bionic_bind9: ignored
cosmic_bind9: ignored
disco_bind9: released (1:9.11.5.P1+dfsg-1ubuntu2)
devel_bind9: released (1:9.11.5.P1+dfsg-1ubuntu2)