Two low-severity BIND security advisories (BIND 8, BIND 9)
Advisories for BIND 9 and BIND 8 follow. Note that BIND 9 is only vulnerable if the DNSSEC validator is turned on (it's off by default).

Begin forwarded message:

From: Mark Andrews
Date: 26 January 2005 17:55:48 GMT+13:00
To: bind-announce(a)isc.org
Subject: Internet Systems Consortium Security Advisory: BIND: Self Check Failing

Internet Systems Consortium Security Advisory.
BIND: Self Check Failing
18 November 2004

Versions affected: BIND 9.3.0
Severity: LOW
Exploitable: Remotely
Type: denial of service
Description:
An incorrect assumption in the validator (authvalidated) can result in a REQUIRE (internal consistency) test failing and named exiting.
Workaround:
Turn off dnssec validation (off by default) at the options/view level.
dnssec-enable no;
Fix:
Upgrade to BIND 9.3.1 http://www.isc.org/sw/bind/
See also: http://www.kb.cert.org/vuls/id/938617
Begin forwarded message:
From: Mark Andrews
Date: 26 January 2005 17:54:31 GMT+13:00
To: bind-announce(a)isc.org
Subject: Internet Systems Consortium Security Advisory: BIND: Buffer Overrun (q_usedns).

Internet Systems Consortium Security Advisory.
BIND: Buffer Overrun (q_usedns).
17 November 2004

Versions affected: BIND 8.4.4 and 8.4.5
Severity: LOW
Exploitable: Remotely
Type: denial of service
Description:
It is possible to overrun the q_usedns array which is used to track nameservers / addresses that have been queried.
Workaround:
Disable recursion and glue fetching.
Fix:
Upgrade to BIND 8.4.6 http://www.isc.org/sw/bind/
See also: http://www.kb.cert.org/vuls/id/327633
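
The two advisories above reduce to a version check plus a configuration check. The following is an added example, not part of the original messages and not ISC code: it flags a server as exposed when it runs a listed release and its named.conf text does not carry the stated workaround. The function names, the banner format, the `fetch-glue` spelling of the glue-fetching option, the BIND 8 defaults and the accepted spellings of "no" are assumptions.

```python
import re

# Affected releases and the workaround settings, taken from the two advisories above.
AFFECTED = {
    "9.3.0": {"dnssec-enable": "no"},
    "8.4.4": {"recursion": "no", "fetch-glue": "no"},
    "8.4.5": {"recursion": "no", "fetch-glue": "no"},
}
# Value used when a statement is absent. dnssec-enable is off by default per the
# advisory; "yes" for recursion and fetch-glue is an assumption about BIND 8.
DEFAULTS = {"dnssec-enable": "no", "recursion": "yes", "fetch-glue": "yes"}
NO_WORDS = {"no", "false", "0"}  # assumption: accepted spellings of "no"


def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out settings are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def audit(version_banner, conf_text):
    """Return (status, problems); status is 'not-listed', 'mitigated' or 'exposed'."""
    m = re.search(r"\d+\.\d+\.\d+", version_banner)
    required = AFFECTED.get(m.group(0)) if m else None
    if required is None:
        return "not-listed", []
    conf = strip_comments(conf_text)
    problems = []
    for option, wanted in required.items():
        # A setting may appear in options and again in any view: check them all.
        found = re.findall(r"(?<![\w-])%s\s+(\w+)\s*;" % re.escape(option), conf)
        values = ["no" if v.lower() in NO_WORDS else "yes" for v in found]
        if any(v != wanted for v in values or [DEFAULTS[option]]):
            problems.append("%s must be %s everywhere" % (option, wanted))
    return ("exposed", problems) if problems else ("mitigated", [])


if __name__ == "__main__":
    # Constructed sample: BIND 9.3.0 with validation enabled in one view only.
    sample = 'options { dnssec-enable no; };\nview "ext" { dnssec-enable yes; };'
    print(audit("BIND 9.3.0", sample))
```

A "mitigated" result only means the workaround is configured; the fix in both advisories is still the upgrade.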
Joe Abley wrote:
Advisories for BIND 9 and BIND 8 follow.
Versions affected: BIND 8.4.4 and 8.4.5
Severity: LOW
Exploitable: Remotely
Type: denial of service
Description:
It is possible to overrun the q_usedns array which is used to track nameservers / addresses that have been queried.
Workaround:
Disable recursion and glue fetching.
Errm, should this really be labelled low severity? -- Juha
participants (2): Joe Abley, Juha Saarinen