Advisories for BIND 9 and BIND 8 follow. Note that BIND 9 is only vulnerable if the DNSSEC validator is turned on (it's off by default). Begin forwarded message:
From: Mark Andrews
Date: 26 January 2005 17:55:48 GMT+13:00 To: bind-announce(a)isc.org Subject: Internet Systems Consortium Security Advisory: BIND: Self Check Failing Internet Systems Consortium Security Advisory. BIND: Self Check Failing 18 November 2004
Versions affected: BIND 9.3.0 Severity: LOW Exploitable: Remotely Type: denial of service Description:
An incorrect assumption in the validator (authvalidated) can result in a REQUIRE (internal consistancy) test failing and named exiting.
Workaround:
Turn off dnssec validation (off by default) at the options/view level.
dnssec-enable no;
Fix:
Upgrade to BIND 9.3.1 http://www.isc.org/sw/bind/
See also: http://www.kb.cert.org/vuls/id/938617
Begin forwarded message:
From: Mark Andrews
Date: 26 January 2005 17:54:31 GMT+13:00 To: bind-announce(a)isc.org Subject: Internet Systems Consortium Security Advisory: BIND: Buffer Overrun (q_usedns). Internet Systems Consortium Security Advisory. BIND: Buffer Overrun (q_usedns). 17 November 2004
Versions affected: BIND 8.4.4 and 8.4.5 Severity: LOW Exploitable: Remotely Type: denial of service Description:
It is possible to overrun the q_usedns array which is used to track nameservers / addresses that have been queried.
Workaround:
Disable recursion and glue fetching.
Fix:
Upgrade to BIND 8.4.6 http://www.isc.org/sw/bind/
See also: http://www.kb.cert.org/vuls/id/327633