47 replies to this topic

[AplusWebMaster]

FYI...

CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
- https://kb.isc.org/article/AA-01291/0
Last Updated: 2015-09-02
CVE: CVE-2015-5986
Document Version: 2.0
Program Impacted: BIND
Versions affected: 9.9.7 -> 9.9.7-P2, 9.10.2 -> 9.10.2-P3.
Severity: Critical
Exploitable: Remotely
Description: An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure.  This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query.
Impact: A server which encounters this error will terminate due to a REQUIRE assertion failure, resulting in denial of service to clients. Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server. Servers should be upgraded to a fixed version.
Workarounds: No workarounds are known to exist.
Active exploits: None known.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.
    BIND 9 version 9.9.7-P3
    BIND 9 version 9.10.2-P4 ...

CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
- https://kb.isc.org/article/AA-01287/0
Last Updated: 2015-09-02
CVE: CVE-2015-5722
Document Version: 2.0
Program Impacted: BIND
Versions affected: BIND 9.0.0 -> 9.8.8,  BIND 9.9.0 -> 9.9.7-P2, BIND 9.10.0 -> 9.10.2-P3
Severity: Critical
Exploitable: Remotely
Description: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c.  It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.
Impact: Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service. Servers which are affected may terminate with an assertion failure, causing denial of service to all clients.
Workarounds: Servers which are not performing validation are not at risk from this defect (but are at increased risk from other types of DNS attack.)  ISC does not recommend disabling validation to deal with this issue; upgrading to a fixed version is the preferred solution.
Active exploits: None known
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.
    BIND 9 version 9.9.7-P3
    BIND 9 version 9.10.2-P4 ...
___

- http://www.securityt....com/id/1033452
CVE Reference: CVE-2015-5722
Sep 2 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.0 - 9.8.8, 9.9.0 - 9.9.7-P2, 9.10.0 - 9.10.2-P3
Description: A vulnerability was reported in BIND. A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.7-P3, 9.10.2-P4, 9.9.8rc1, 9.10.3rc1)...

- http://www.securityt....com/id/1033453
CVE Reference: CVE-2015-5986
Sep 2 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.9.7 - 9.9.7-P2, 9.10.2 - 9.10.2-P3
Description: A vulnerability was reported in BIND. A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.7-P3, 9.10.2-P4, 9.9.8rc1, 9.10.3rc1)...
 

Edited by AplusWebMaster, 03 September 2015 - 06:33 AM.

[AplusWebMaster]

FYI...

BIND 9.9.8-S1 Release Notes
- https://kb.isc.org/article/AA-01307
2015-09-16
Security Fixes:
• An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
• A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
• A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
• On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
New Features...
Feature Changes...
Bug Fixes...
___

BIND 9.10.3 Release Notes
- https://kb.isc.org/article/AA-01306
2015-09-16
Security Fixes:
• An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
• A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
• A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
• On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server...
New Features...
Feature Changes...
Bug Fixes...

Downloads: https://www.isc.org/downloads/

Support Policy: https://www.isc.org/...support-policy/
 

[AplusWebMaster]

FYI...

BIND9: Responses with a malformed class attribute can trigger an assertion failure
- https://kb.isc.org/article/AA-01317
15 Dec 2015
CVE: CVE-2015-8000
9.0.x -> 9.9.8, 9.10.0 -> 9.10.3
Severity: Critical
Exploitable: Remotely
Solution: Upgrade to the patched release most closely related to your current version of BIND. Public open-source branches can be downloaded from
> http://www.isc.org/downloads
    BIND 9 version 9.9.8-P2
    BIND 9 version 9.10.3-P2
BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to ISC Support customers.
    BIND 9 version 9.9.8-S3 ...
Download: https://www.isc.org/downloads/
- http://www.securityt....com/id/1034418
CVE Reference: CVE-2015-8000
Dec 15 2015
Impact:  Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.9.8, 9.10.0 - 9.10.3
Servers that perform recursive queries are affected.
Impact: A remote user can cause the target named service to crash.
Solution: The vendor has issued a fix (9.9.8-P2, 9.10.3-P2)...
___

BIND9: A race condition when handling socket errors can lead to an assertion failure in resolver.c
- https://kb.isc.org/article/AA-01319
15 Dec 2015
CVE: CVE-2015-8461
Program Impacted: BIND
Versions affected: 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1
Solution: Upgrade to the patched release most closely related to your current version of BIND. Public open-source branches can be downloaded from
> http://www.isc.org/downloads
    BIND 9 version 9.9.8-P2
    BIND 9 version 9.10.3-P2 ...
Download: https://www.isc.org/downloads/
- http://www.securityt....com/id/1034419
CVE Reference: CVE-2015-8461
Dec 15 2015
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.9.8 - 9.9.8-P1, 9.9.8-S1 - 9.9.8-S2, 9.10.3 - 9.10.3-P1
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.8-P2, 9.10.3-P2)...
___

- https://www.us-cert....ty-Updates-BIND
15 Dec 2015
 

Edited by AplusWebMaster, 15 December 2015 - 07:46 PM.

[AplusWebMaster]

FYI...

ISC DHCP v4.1-ESV-R12-P1, v4.3.3-P1 released
- https://kb.isc.org/article/AA-01334
2016-01-12
CVE-2015-8605: UDP payload length not properly checked
Program Impacted: DHCP
Versions affected: 4.0.x, 4.1.x, 4.2.x, 4.1-ESV -> 4.1-ESV-R12, 4.3.0->4.3.3.  3.x may also be affected but has not been tested.
Severity: Medium
Exploitable: From adjacent networks
Description: A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.
Impact: Nearly all IPv4 DHCP clients and relays, and most IPv4 DHCP servers are potentially affected...
Solution:  Upgrade to the patched release most closely related to your current version of DHCP. These can all be downloaded from
- http://www.isc.org/downloads.
    DHCP version 4.1-ESV-R12-P1
    DHCP version 4.3.3-P1
- https://cve.mitre.or...e=CVE-2015-8605

- https://www.us-cert....ecurity-Updates
Jan 12, 2016
___

- http://www.securityt....com/id/1034657
CVE Reference: CVE-2015-8605
Jan 13 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0.x, 4.1.x, 4.2.x, 4.1-ESV - 4.1-ESV-R12, 4.3.0 - 4.3.3
Impact: A remote user on the local network can cause the target client, relay, or server to crash.
Solution: The vendor has issued a fix (4.1-ESV-R12-P1, 4.3.3-P1)...
 

[AplusWebMaster]

FYI...

ISC BIND updates

Specific APL data could trigger an INSIST in apl_42.c
- https://kb.isc.org/article/AA-01335
2016-01-19
CVE-2015-8704
Program Impacted: BIND
Versions affected: 9.3.0->9.8.8, 9.9.0->9.9.8-P2, 9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2
Severity: High
Exploitable: Remotely
Description: A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c.
Impact: A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations.  Examples include (but may not be limited to):
- Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their master.
- Masters using text-format db files could be vulnerable if they accept a malformed record in a DDNS update message.
- Recursive resolvers are potentially vulnerable when debug logging, if they are fed a deliberately malformed record by a malicious server.
- A server which has cached a specially constructed record could encounter this condition while performing 'rndc dumpdb'.
Please Note: Versions of BIND from 9.3 through 9.8 are also affected, but these branches are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC. For current information on which versions are actively supported, please see
- http://www.isc.org/downloads/
CVSS Score: 6.8
___

Problems converting OPT resource records and ECS options to text format can cause BIND to terminate
- https://kb.isc.org/article/AA-01336
2016-01-19
BIND
Versions affected: 9.10.0->9.10.3-P2
Severity: Medium
Exploitable: Remotely
Description: In versions of BIND 9.10, errors can occur when OPT pseudo-RR data or ECS options are formatted to text. In 9.10.3 through 9.10.3-P2, the issue may result in a REQUIRE assertion failure in buffer.c. In prior 9.10 versions, it may result in named crashing (such as with a segmentation fault) or other misbehavior due to a buffer overrun.
Impact: This issue can affect both authoritative and recursive servers if they are performing debug logging. (It may also crash related tools which use the same code, such as dig or delv.)
Workarounds: CVE-2015-8705 can be avoided in named by disabling debug logging.
Active exploits: No known active exploits.
Solution:  Upgrade to the patched release most closely related to your current version of BIND.  
This can be downloaded from
- http://www.isc.org/downloads.
BIND 9 version 9.10.3-P3
CVSS Score: 5.4
___

- https://www.us-cert....ty-Updates-BIND
Jan 19, 2016

- http://www.securityt....com/id/1034740
CVE Reference: CVE-2015-8705
Jan 20 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.10.0 - 9.10.3-P2 ...
Impact: A remote user can cause the target 'named' service to crash.
Solution: The vendor has issued a fix (9.10.3-P3)...
 

Edited by AplusWebMaster, 05 February 2016 - 08:06 AM.

[AplusWebMaster]

FYI...

DHCP inter-server communications and control channels can exhaust server resources
- https://kb.isc.org/article/AA-01354
Last Updated: 2016-03-08
CVE: CVE-2016-2774
Program Impacted: ISC DHCP
Versions affected: 4.1.0->4.1-ESV-R12-P1, 4.2.0->4.2.8, 4.3.0->4.3.3-P1.  Older versions may also be affected but are well beyond their end-of-life (EOL).  Releases prior to 4.1.0 have not been tested.
Severity: Medium
Exploitable: Remotely, if remote network connections to the DHCP server's control ports (e.g. OMAPI and failover) are permitted.
Description: In many cases, the ISC DHCP server does not effectively limit the number of simultaneous open TCP connections to the ports the server uses for inter-process communications and control.  Because of this, a malicious party could interfere with server operation by opening (and never closing) a large number of TCP connections to the server...
Solution: Mitigation code which will make this vulnerability harder to exploit will be added to the upcoming DHCP maintenance releases (DHCP 4.1-ESV-R13, DHCP 4.3.4, due to be released in March 2016.)
However, the strategies described in the "Workarounds" section of this document are effective and can prevent exploitation of the vulnerability.  Unless server operators have identified operational needs unique to their environment which conflict with this advice, ISC recommends blocking incoming TCP connections from untrusted hosts as a preferred strategy...
- http://www.securityt....com/id/1035196
CVE Reference: CVE-2016-2774
Mar 8 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.1.0 - 4.1-ESV-R12-P1, 4.2.0 - 4.2.8, 4.3.0 - 4.3.3-P1 ...
Impact: A remote user on the local network can cause the target DHCP service to become unresponsive or fail.
Solution: The vendor has issued a fix (4.1-ESV-R13, 4.3.4)...

- https://www.us-cert....tes-DHCP-Server
Mar 07, 2016
 

[AplusWebMaster]

FYI...

ISC BIND 9.10.3-P4, 9.9.8-P4, 9.9.8-S6 released

- https://kb.isc.org/article/AA-01351
9 March 2016
Versions affected: 9.10.0 -> 9.10.3-P3
Severity: High
Exploitable: Remotely ...
Active exploits: No known active exploits.
Solution: Re-configure and re-build BIND without enabling cookie support or upgrade to the patched release most closely related to your current version of BIND. BIND 9 version 9.10.3-P4
... please see:
- http://www.isc.org/downloads/

- https://kb.isc.org/article/AA-01352
9 March 2016
Versions affected: 9.2.0 -> 9.8.8, 9.9.0->9.9.8-P3, 9.9.3-S1->9.9.8-S5, 9.10.0->9.10.3-P3
Severity: High
Active exploits: No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND.
    BIND 9 version 9.9.8-P4
    BIND 9 version 9.10.3-P4
BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to eligible ISC Support customers.
    BIND 9 version 9.9.8-S6
... please see:
- http://www.isc.org/downloads/

- https://kb.isc.org/article/AA-01353
9 March 2016
Versions affected: 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5,  9.10.0 -> 9.10.3-P3
Severity: High
Solution: Upgrade to the patched release most closely related to your current version of BIND:
    BIND 9 version 9.9.8-P4
    BIND 9 version 9.10.3-P4
BIND 9 Supported Preview edition is a feature preview version of BIND provided exclusively to eligible ISC Support customers.
    BIND 9 version 9.9.8-S6
... please see:
- http://www.isc.org/downloads/
___

> http://www.securityt....com/id/1035236
Solution: The vendor has issued a fix (9.9.8-P4, 9.10.3-P4)...

> http://www.securityt....com/id/1035237
Solution: The vendor has issued a fix (9.9.8-P4, 9.10.3-P4)...

> http://www.securityt....com/id/1035238
Solution: The vendor has issued a fix (9.10.3-P4)...
___

- https://www.us-cert....ty-Updates-BIND
March 09, 2016
 

Edited by AplusWebMaster, 11 March 2016 - 09:04 AM.

[AplusWebMaster]

FYI...

BIND: CVE-2016-2775: A query name which is too long can cause a segmentation fault in lwresd
- https://kb.isc.org/a...4/CVE-2016-2775
Posting date: 18 July 2016
Program Impacted: BIND
Versions affected: 9.0.x -> 9.9.9-P1, 9.10.0->9.10.4-P1, 9.11.0a3->9.11.0b1
Severity: Medium
Exploitable: Remotely (if lwresd is configured to accept remote client connections)...
Impact: A server which is affected by this defect will terminate with a segmentation fault error, resulting in a denial of service to client programs attempting to resolve names.
CVSS Score: 5.4 if the server is configured to accept requests from the network...
Solution: Upgrade to the patched release most closely related to your current version of BIND.
These can be downloaded from:
> https://www.isc.org/downloads/

- http://www.securityt....com/id/1036360
CVE Reference: https://web.nvd.nist...d=CVE-2016-2775
Jul 19 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.9.9-P1, 9.10.0 - 9.10.4-P1, 9.11.0a3 - 9.11.0b1 ...
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P2, 9.10.4-P2)...
 

Edited by AplusWebMaster, 20 July 2016 - 07:15 AM.

[AplusWebMaster]

FYI...

BIND CVE-2016-2776: Assertion Failure in buffer.c While Building Responses...
- https://kb.isc.org/article/AA-01419/0
2016-09-27
Program Impacted: BIND
Versions affected: 9.0.x -> 9.8.x, 9.9.0->9.9.9-P2, 9.9.3-S1->9.9.9-S3, 9.10.0->9.10.4-P2, 9.11.0a1->9.11.0rc1
Severity: High
Exploitable: Remotely
Description: Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query').
Impact: All servers are vulnerable if they can receive request packets from any source.
CVSS Score: 7.8
Solution: Upgrade to the patched release most closely related to your current version of BIND.  These can all be downloaded from
- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P3
    BIND 9 version 9.10.4-P3
    BIND 9 version 9.11.0rc3 "
___

- http://www.securityt....com/id/1036903
CVE Reference: CVE-2016-2776
Sep 27 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.8.x, 9.9.0 - 9.9.9-P2, 9.9.3-S1 - 9.9.9-S3, 9.10.0 - 9.10.4-P2, 9.11.0a1 - 9.11.0rc1
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P3, 9.10.4-P3, 9.11.0rc3)...
___

- https://www.us-cert....ty-Updates-BIND
Sep 27, 2016
 

[AplusWebMaster]

FYI...

CVE-2016-2848: A packet with malformed options can trigger an assertion failure in ISC BIND ...
- https://kb.isc.org/article/AA-01433
2016-10-20
Program Impacted: BIND
Versions affected: 9.1.0 -> 9.8.4-P2, 9.9.0 -> 9.9.2-P2
Severity: High
Exploitable: Remotely
Description: A packet with a malformed options section can be used to deliberately trigger an assertion failure affecting versions of BIND which do not contain change #3548, which was first included in ISC BIND 9 releases in May 2013.  Current ISC versions of BIND are safe from this vulnerability, but repackaged versions distributed by other parties may be vulnerable if they were forked from ISC's source before change #3548.
Impact: A server vulnerable to this defect can be forced to exit with an assertion failure if it receives a malformed packet. Authoritative and recursive servers are both vulnerable...
Solution: The vulnerability described in this security advisory was corrected by bug fixes which occurred during the normal course of BIND development and release versions of BIND published by ISC have been safe against this vulnerability since May 2013. However, versions which were released prior to that date, including some versions which have been used as the basis for installable packages by operating system vendors who maintain their own BIND versions, may be vulnerable.
The CHANGES file distributed with every version of BIND source contains a chronological list of source code changes in each branch's history. Safe versions of BIND contain fix #3548. If you did not receive source code with your distribution of BIND and cannot check CHANGES, check with the package provider who has furnished the BIND distribution you are using.  
Current versions of BIND available from ISC are confirmed to be free of the vulnerability. These can all be downloaded from:

- https://www.isc.org/downloads/
    BIND 9 version 9.9.9-P3
    BIND 9 version 9.10.4-P3
    BIND 9 version 9.11.0 ...
___

- http://www.securityt....com/id/1037073
CVE Reference: CVE-2016-2848
Oct 20 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 9.1.0 - 9.8.4, 9.9.0 - 9.9.2; [versions released prior to May 2013] ...
Impact: A remote user can cause the target 'named' service to crash.
Solution: The vendor issued a fix (9.9.9-P3, 9.10.4-P3, 9.11.0) [in May 2013]...
___

- https://www.us-cert....curity-Advisory
Oct 20 2016
 

[AplusWebMaster]

FYI...

CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure
- https://kb.isc.org/article/AA-01434/0
1 Nov 2016
BIND
Versions affected: 9.0.x -> 9.8.x, 9.9.0 -> 9.9.9-P3, 9.9.3-S1 -> 9.9.9-S5, 9.10.0 -> 9.10.4-P3, 9.11.0
Severity: High
Exploitable: Remotely
Description: A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c
Impact: During processing of a recursive response that contains a DNAME record in the answer section, BIND can stop execution after encountering an assertion error in resolver.c (error message: "INSIST((valoptions & 0x0002U) != 0) failed") or db.c (error message: "REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed").
A server encountering either of these error conditions will stop, resulting in denial of service to clients.  The risk to authoritative servers is minimal; recursive servers are chiefly at risk.
Solution:  Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P4
    BIND 9 version 9.10.4-P4
    BIND 9 version 9.11.0-P1 ...
___

- http://www.securityt....com/id/1037156
CVE Reference: CVE-2016-8864
Nov 1 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x - 9.8.x, 9.9.0 - 9.9.9-P3, 9.9.3-S1 - 9.9.9-S5, 9.10.0 - 9.10.4-P3, 9.11.0
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P4, 9.10.4-P4, 9.11.0-P1)...
___

- https://www.us-cert....ty-Updates-BIND
Nov 1 2016
 

[AplusWebMaster]

FYI...

BIND9 - Security Advisories

CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion
- https://kb.isc.org/article/AA-01439/0
2017-01-11
Versions affected:
9.4.0 -> 9.6-ESV-R11-W1, 9.8.5 -> 9.8.8, 9.9.3 -> 9.9.9-P4, 9.9.9-S1 -> 9.9.9-S6, 9.10.0 -> 9.10.4-P4, 9.11.0 -> 9.11.0-P1
Severity: High
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P5
    BIND 9 version 9.10.4-P5
    BIND 9 version 9.11.0-P2 ...
___

CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
- https://kb.isc.org/article/AA-01440/0
2017-01-11
Versions affected:
9.9.9-P4, 9.9.9-S6, 9.10.4-P4, 9.11.0-P1
Severity: High
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P5
    BIND 9 version 9.10.4-P5
    BIND 9 version 9.11.0-P2 ...
___

CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure
- https://kb.isc.org/article/AA-01441/0
2017-01-11
Versions affected:
9.6-ESV-R9 -> 9.6-ESV-R11-W1, 9.8.5 -> 9.8.8, 9.9.3 -> 9.9.9-P4, 9.9.9-S1 -> 9.9.9-S6, 9.10.0 -> 9.10.4-P4, 9.11.0 -> 9.11.0-P1
Severity: High
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P5
    BIND 9 version 9.10.4-P5
    BIND 9 version 9.11.0-P2 ...
___

CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c
- https://kb.isc.org/article/AA-01442/0
2017-01-11
Versions affected:
9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0-9.11.0 -> P1
Severity: High (for affected configurations)
Exploitable: Remotely...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.11.0-P2
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9.9.9-S7 ...
___

- http://www.securityt....com/id/1037582
CVE Reference: CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778
Jan 12 2017
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target 'named' service to stop processing.
Solution: The vendor has issued a fix (9.9.9-P5, 9.10.4-P5, 9.11.0-P2)...
___

- https://www.us-cert....ty-Updates-BIND
Jan 11, 2017
 

Edited by AplusWebMaster, 12 January 2017 - 05:24 AM.

[AplusWebMaster]

FYI...

BIND9 - CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash
- https://kb.isc.org/article/AA-01453
2017-02-08
Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read; in either case named will terminate.
CVE: CVE-2017-3135
Program Impacted: BIND
Versions affected:
9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1
Severity: High, for servers with specific configurations
Exploitable: Remotely, but only affecting servers with specific configurations
Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer...
Impact: Servers utilizing both DNS64 and RPZ are potentially susceptible to encountering this condition.  When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated.
Only servers which are configured to simultaneously use both Response Policy Zones (RPZ) and DNS64 (a method for synthesizing AAAA records from A records) can be affected by this vulnerability.
CVSS Score: 7.5 ...
Workarounds: While it is possible to avoid the condition by removing either DNS64 or RPZ from the configuration, or by carefully restricting the contents of the policy zone, for an affected configuration the most practical and safest course of action is to upgrade to a version of BIND without this vulnerability.
Active exploits: No known active exploits...
Solution:  Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads.
    BIND 9 version 9.9.9-P6
    BIND 9 version 9.10.4-P6
    BIND 9 version 9.11.0-P3
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9 version 9.9.9-S8 ...
___

- http://www.securityt....com/id/1037801
CVE Reference: CVE-2017-3135
Feb 9 2017
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P6, 9.10.4-P6, 9.11.0-P3)...
___

- https://www.us-cert....ty-Updates-BIND
Feb 8, 2017
 

Edited by AplusWebMaster, 09 February 2017 - 02:42 PM.

[AplusWebMaster]

FYI...

CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
- https://kb.isc.org/a...4/CVE-2017-3136
12 April 2017
CVE-2017-3136
Program Impacted: BIND
Versions affected: 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8
Severity: Medium, but only a risk to systems with specific configurations
Exploitable: Remotely
Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.
An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.
Impact: Servers are at risk if they are configured to use DNS64 and if the option "break-dnssec yes;" is in use...
Workarounds: Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade.  Servers which are not using these features in conjunction are not at risk from this defect.
Active exploits: No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:

- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P8
    BIND 9 version 9.10.4-P8
    BIND 9 version 9.11.0-P5 ...
___

CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
- https://kb.isc.org/a...4/CVE-2017-3137
12 April 2017
CVE-2017-3137
Program Impacted: BIND
Versions affected: 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8
Severity: High
Exploitable: Remotely
Description: Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order.
Impact: A server which is performing recursion can be forced to exit with an assertion failure if it can be caused to receive a response containing CNAME or DNAME resource records with certain ordering.  An attacker can cause a denial of service by exploiting this condition. Recursive resolvers are at highest risk but authoritative servers are theoretically vulnerable if they perform recursion...
Workarounds: None known.
Active exploits: No known active exploits.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:

- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P8
    BIND 9 version 9.10.4-P8
    BIND 9 version 9.11.0-P5 ...
___

CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
- https://kb.isc.org/a...4/CVE-2017-3138
12 April 2017
CVE-2017-3138
Program Impacted: BIND
Versions affected: 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9
Severity: Medium
Exploitable: Remotely, from hosts that are within the ACL permitted access to the control channel
Description: named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.
A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.
Impact: The BIND control channel is not configured by default, but when configured will accept commands from those IP addresses that are specified in its access control list and/or from clients which present the proper transaction key.  Using this defect, an attacker can cause a running server to stop if they can get it to accept control channel input from them.  In most instances this is not as bad as it sounds, because existing commands permitted over the control channel (i.e. "rndc stop") can already be given to cause the server to stop.
However, BIND 9.11.0 introduced a new option to allow "read only" commands over the command channel.  Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. "rndc status") without affecting the operational state of the server. The defect described in this advisory, however, is not properly stopped by the "read only" restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of "read only" operations to cause the server to stop execution...
Workarounds: None.  However, in a properly configured server, access to the control channel should already be limited by either network ACLs, TSIG keys, or both.
Active exploits: No known active exploits
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:

- http://www.isc.org/downloads
    BIND 9 version 9.9.9-P8
    BIND 9 version 9.10.4-P8
    BIND 9 version 9.11.0-P5
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
    BIND 9 version 9.9.9-S10
New maintenance releases of BIND are also scheduled which contain the fix for this vulnerability.  In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions:
    BIND 9 version 9.9.10rc3
    BIND 9 version 9.10.5rc3
    BIND 9 version 9.11.1rc3 ...
___

- http://www.securityt....com/id/1038259
CVE Reference: CVE-2017-3136
Apr 13 2017
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P8, 9.10.4-P8, 9.11.0-P5)...

- http://www.securityt....com/id/1038258
CVE Reference: CVE-2017-3137
Apr 13 2017
Impact: A remote user can cause the target 'named' service to crash.
Solution: The vendor has issued a fix (9.9.9-P8, 9.10.4-P8, 9.11.0-P5)...

- http://www.securityt....com/id/1038260
CVE Reference: CVE-2017-3138
Apr 13 2017
Impact: A remote user on a host authorized by ACL can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P8, 9.10.4-P8, 9.11.0-P5)...
___

- https://www.us-cert....ty-Updates-BIND
April 12, 2017
 

Edited by AplusWebMaster, 14 April 2017 - 05:02 AM.

[AplusWebMaster]

FYI...

CVE-2017-3141: Windows service and uninstall paths are not quoted when BIND is installed
- https://kb.isc.org/a...4/CVE-2017-3141
2017-06-14
CVE: CVE-2017-3141
Document Version: 2.0
Posting date: 14 Jun 2017
Program Impacted: BIND
Versions affected: 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, 9.10.5-S1
Severity: Critical
Exploitable: Locally
Description: The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file system permissions allow this.
Impact: This vulnerability exists in the installer delivered with BIND for Windows and not within BIND itself.  Non-Windows builds and installations are unaffected.  A manual installation of BIND where the service path is quoted when added would not be at risk...
Workarounds: BIND installations on Windows are not at risk if the host file permissions prevent creation of a binary in a location where the service executor would run it instead of named.exe.
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads

- http://www.securityt....com/id/1038693
CVE Reference: CVE-2017-3141
Jun 15 2017
Version(s): 9.2.6-P2 - 9.2.9, 9.3.2-P1 - 9.3.6, 9.4.0 - 9.8.8, 9.9.0 - 9.9.10, 9.10.0 - 9.10.5, 9.11.0 - 9.11.1, 9.9.3-S1 - 9.9.10-S1, 9.10.5-S1
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (9.9.10-P1, 9.10.5-P1, 9.11.1-P1).
Vendor URL: https://kb.isc.org/a...4/CVE-2017-3141
___

CVE-2017-3140: An error processing RPZ rules can cause named to loop endlessly after handling a query
- https://kb.isc.org/a...4/CVE-2017-3140
2017-06-14
CVE: CVE-2017-3140
Document Version: 2.0
Posting date: 14 June 2017
Program Impacted: BIND
Versions affected: 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, 9.10.5-S1
Severity: Medium
Exploitable: Remotely
Description: If named is configured to use Response Policy Zones (RPZ) an error processing some rule types can lead to a condition where BIND will endlessly loop while handling a query.
Impact: A server is potentially vulnerable to degradation of service if
    the server is configured to use RPZ,
    the server uses NSDNAME or NSIP policy rules, and
    an attacker can cause the server to process a specific query
Successful exploitation of this condition will cause named to enter a state where it continues to loop while processing the query without ever reaching an end state. While in this state, named repeatedly queries the same sets of authoritative nameservers and this behavior will usually persist indefinitely beyond the normal client query processing timeout. By triggering this condition multiple times, an attacker could cause a deliberate and substantial degradation in service.
Operators of servers that meet the above conditions 1. and 2. may also accidentally encounter this defect during normal operation. It is for this reason that the decision was made to issue this advisory despite its low CVSS score...
 
- http://www.securityt....com/id/1038692
CVE Reference: CVE-2017-3140
Jun 15 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.9.10, 9.10.5, 9.11.0 - 9.11.1, 9.9.10-S1, 9.10.5-S1
Impact: A remote user can cause denial of service conditions.
Solution: The vendor has issued a fix (9.9.10-P1, 9.10.5-P1, 9.11.1-P1)...
- https://kb.isc.org/a...4/CVE-2017-3140
___

Operational Notification: LMDB integration problems with BIND 9.11.0 and 9.11.1
- https://kb.isc.org/article/AA-01497
2017-06-14
BIND 9.11.0 and 9.11.1 carries a number of integration problems with LMDB (liblmdb) that will be addressed in BIND 9.11.2.
Description: ISC will be releasing BIND 9.11.2 in July/August 2017 which will address integration issues with BIND's use of LMDB in BIND 9.11.0 and 9.11.1.  Until then, our recommendation is that LMDB be disabled.
Use of LMDB for the 'New Zone Database" (NZD) is a new feature in BIND 9.11, introduced in order to provide significant performance improvements during dynamic zone handling.  It is enabled by default when building BIND on a system that has liblmdb installed and some packagers of BIND 9.11 include this feature (along with the liblmdb dependency) in their distribution.
Impact: Problems that may be encountered on servers with LMDB enabled and "allow-new-zones yes;" include:
    Some new zones fail to persist following a restart, reload or reconfig
    Zone deletions are incomplete leading to anomalies on restart and/or when re-adding zones
    On a server that is started with the -u option, Issuing the commands "rndc reload" or "rndc reconfig" may result in named terminating unexpectedly
    A deadlock (hang) of named sometimes occurs during concurrent dynamic zone operations
Workarounds: If building BIND 9.11 in an environment with liblmdb available, ensure that the integration is explicitly disabled by building BIND with the configure option --without-lmdb.
    There are no run time options available to disable lmdb integration, therefore if you are running a pre-built (package) version of BIND 9.11.0 or 9.11.2 that provides LMDB integration along with installing liblmdb as a dependent package, we recommend contacting your provider to request an update.
Solution: BIND 9.11.2 will be published in July/August 2017. At that time it will become available for download from: http://www.isc.org/downloads/all
___

- https://www.us-cert....ty-Updates-BIND
June 15, 2017