BIND name server vulnerable to DoS attacks
Internet Systems Consortium (ISC), makers of the popular free name server BIND, have released a security advisory indicating a vulnerability in their product. Under certain circumstance BIND (named) crashes on dereferencing a pointer. The bug can apparently be provoked via a network, although ISC does not say exactly how.
The following versions are affected:
BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3
BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1, 9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.0rc1
The makers assess the risk as low. The bug is fixed in BIND 9.2.8, 9.3.4 and 9.4.0rc2. The forthcoming version 9.5.Oa2 should also be free of the bug. As a workaround, ISC recommends disabling or restricting recursion. A name server working recursively normally only processes queries from clients from its own domain anyway.
- BIND 9: dereferencing freed fetch context, security advisory on the BIND mailing list