Debian Bind9 vulnerabilities

CVE-2019-6477 [HIGH] CVE-2019-6477: bind9 - With pipelining enabled each incoming query on a TCP connection requires a simil... With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is close

CVE-2019-6471 [MEDIUM] CVE-2019-6471: bind9 - A race condition which may occur when discarding malformed packets can result in... A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition v

CVE-2019-6467 [HIGH] CVE-2019-6467: bind9 - A programming error in the nxdomain-redirect feature can cause an assertion fail... A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the ro

CVE-2019-6475 [MEDIUM] CVE-2019-6475: bind9 - Mirror zones are a BIND feature allowing recursive servers to pre-cache zone dat... Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to usi

CVE-2019-6468 [HIGH] CVE-2019-6468: bind9 - In BIND Supported Preview Edition, an error in the nxdomain-redirect feature can... In BIND Supported Preview Edition, an error in the nxdomain-redirect feature can occur in versions which support EDNS Client Subnet (ECS) features. In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure. Versions affected: BIND Supported Preview Edition version 9.10.5-S1 -> 9.11.5-S5. ONLY BIND Sup

CVE-2019-6469 [HIGH] CVE-2019-6469: bind9 - An error in the EDNS Client Subnet (ECS) feature for recursive resolvers can cau... An error in the EDNS Client Subnet (ECS) feature for recursive resolvers can cause BIND to exit with an assertion failure when processing a response that has malformed RRSIGs. Versions affected: BIND 9.10.5-S1 -> 9.11.6-S1 of BIND 9 Supported Preview Edition. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2019-6476 [MEDIUM] CVE-2019-6476: bind9 - A defect in code added to support QNAME minimization can cause named to exit wit... A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2019-6465 [MEDIUM] CVE-2019-6465: bind9 - Controls for zone transfers may not be properly applied to Dynamically Loadable ... Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to

CVE-2018-5735 [HIGH] CVE-2018-5735: bind9 - The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in v... The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. Other packages from other distributions who did similar backports for the fix for 2017-3137 may also be affected. Scope: local boo

CVE-2018-5744 [HIGH] CVE-2018-5744: bind9 - A failure to free memory can occur when processing messages having a specific co... A failure to free memory can occur when processing messages having a specific combination of EDNS options. Versions affected are: BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.10.7-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Scope: local bookworm: re

CVE-2018-5740 [HIGH] CVE-2018-5740: bind9 - "deny-answer-aliases" is a little-used feature intended to help recursive server... "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.

CVE-2018-5743 [HIGH] CVE-2018-5743: bind9 - By design, BIND is intended to limit the number of TCP clients that can be conne... By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow

CVE-2018-5738 [MEDIUM] CVE-2018-5738: bind9 - Change #4777 (introduced in October 2017) introduced an unforeseen issue in rele... Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following

CVE-2018-5734 [HIGH] CVE-2018-5734: bind9 - While handling a particular type of malformed packet BIND erroneously selects a ... While handling a particular type of malformed packet BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode. If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn't contain all of the expected information. Affects BIND 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, 9.10.6-S2. Scope: loc

CVE-2018-5741 [MEDIUM] CVE-2018-5741: bind9 - To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to u... To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented,

CVE-2018-5737 [MEDIUM] CVE-2018-5737: bind9 - A problem with the implementation of the new serve-stale feature in BIND 9.12 ca... A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging

CVE-2018-5745 [MEDIUM] CVE-2018-5745: bind9 - "managed-keys" is a feature which allows a BIND resolver to automatically mainta... "managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced wit

CVE-2018-5736 [MEDIUM] CVE-2018-5736: bind9 - An error in zone database reference counting can lead to an assertion failure if... An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY m

CVE-2018-5742 [HIGH] CVE-2018-5742: bind9 - While backporting a feature for a newer branch of BIND9, RedHat introduced a pat... While backporting a feature for a newer branch of BIND9, RedHat introduced a path leading to an assertion failure in buffer.c:420. Affects RedHat versions bind-9.9.4-65.el7 -> bind-9.9.4-72.el7. No ISC releases are affected. Other packages from other distributions who made the same error may also be affected. Scope: local bookworm: resolved bullseye: resolved forky: res

CVE-2017-3135 [HIGH] CVE-2017-3135: bind9 - Under some conditions when using both DNS64 and RPZ to rewrite query responses, ... Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1. Scope: local b