BIND security update closes DoS vulnerability
The BIND developers have released BIND versions 9.6-ESV-R9-P1, 9.8.5-P1 and 9.9.3-P1 to fix a vulnerability that can be exploited by attackers to crash the open source DNS server and cause a denial of service (DoS). The affected BIND versions are 9.6-ESV-R9, 9.8.5 and 9.9.3.
The vulnerability, which has been assigned the identifier CVE-2013-3919, means that an attacker who sends a query for a specially crafted zone to a recursive resolver can bring down the server with a RUNTIME_CHECK error. The Internet Systems Consortium (ISC), which maintains BIND, reports that no intentional exploitation was known to have happened at the time the advisory was published. However, the existence of the issue has been publicly disclosed, which makes it likely that the attack will be reverse engineered. Users of BIND should therefore update the software as soon as possible.
The fixed versions 9.6-ESV-R9-P1, 9.8.5-P1 and 9.9.3-P1 can be downloaded from the ISC servers. BIND is licensed under the ISC License.
(fab)