76 Commits

Author SHA1 Message Date
sthen
1db1986487 update to BIND 9.16.6, fixes various assertion failures. https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6 2020-08-21 06:03:11 +00:00
sthen
1a13acd21c update to BIND 9.16.5 2020-07-16 10:07:53 +00:00
sthen
de6d69b0eb update to BIND 9.16.4
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]

- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
2020-06-17 20:46:54 +00:00
sthen
1defa1cfdd update to BIND 9.16.3
CVE-2020-8616: BIND does not sufficiently limit the number of fetches
performed when processing referrals

CVE-2020-8617: A logic error in code which checks TSIG validity can be
used to trigger an assertion failure in tsig.c

More info on the referral problem in http://www.nxnsattack.com/dns-ns-paper.pdf
2020-05-19 09:32:38 +00:00
sthen
f3f6d5c6d2 update to BIND 9.16.2, various fixes including "Fix ineffective DNS
rebinding protection when BIND is configured as a forwarding DNS server."
2020-04-15 18:41:07 +00:00
sthen
9a817f1e5e update net/isc-bind to 9.16.1 2020-03-19 17:07:20 +00:00
sthen
6a2eff1a2d net/isc-bind: apply upstream patch for problem with TCP client quota limits
https://kb.isc.org/docs/operational-notification-an-error-in-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160
2020-03-06 12:08:46 +00:00
sthen
0cbf314906 update to BIND 9.16.0 (new stable/ESV release) 2020-02-20 14:00:32 +00:00
sthen
d5bf3a27aa update to BIND 9.14.10 2020-01-23 20:52:05 +00:00
sthen
0dc71803fb update to bind 9.14.9 (released today)
remove the no_openssl flavour, openssl/libressl is required in the
current versions
2019-12-18 19:38:17 +00:00
sthen
e4c52ff719 major version update to BIND 9.14.8 2019-12-18 15:05:43 +00:00
sthen
6dcc331f9c update to bind-9.11.13
CVE-2019-6477, TCP-pipelined queries can bypass tcp-clients limit
2019-11-20 22:15:58 +00:00
sthen
952b2075b4 update to isc-bind-9.11.12 2019-10-16 21:33:06 +00:00
sthen
c7fb374db3 update to isc-bind-9.11.11 2019-09-19 14:46:47 +00:00
sthen
2c7731e662 update to bind-9.11.10 2019-08-22 16:16:46 +00:00
sthen
05c6373d73 update to isc-bind 9.11.9, switch the geoip support to newly added geoip2/libmaxminddb
CVE-2019-6471
2019-07-18 07:24:58 +00:00
sthen
9e7573b1f1 update to BIND 9.11.8
CVE-2019-6471:  A race condition when discarding malformed
packets can cause BIND to exit with an assertion failure
https://kb.isc.org/docs/cve-2019-6471
2019-06-20 14:44:20 +00:00
sthen
587c11a359 update to BIND 9.11.7 2019-05-17 12:52:46 +00:00
sthen
e39953dc90 Security update to bind 9.11.6-P1, plus patches ("Replace atomic
operations in bin/named/client.c with isc_refcount reference counting")
from https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch
for wider arch support.

Fixes:

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
https://kb.isc.org/docs/cve-2018-5743
2019-04-27 22:26:55 +00:00
sthen
cd845628d0 update to BIND 9.11.6 2019-03-01 17:17:08 +00:00
sthen
115e360822 security update to isc-bind 9.11.5-P4
CVE-2018-5744: A specially crafted packet can cause named to leak memory
...
A failure to free memory can occur when processing messages
having a specific combination of EDNS options.

By exploiting this condition, an attacker can potentially cause
named's memory use to grow without bounds until all memory
available to the process is exhausted. Typically a server process
is limited as to the amount of memory it can use but if the named
process is not limited by the operating system all free memory
on the server could be exhausted.
...

CVE-2018-5745: An assertion failure can occur if a trust anchor
rolls over to an unsupported key algorithm when using managed-keys

(there is also CVE-2019-6465 but we don't build dlz)
2019-02-21 23:35:34 +00:00
sthen
d45adb82a3 update to BIND 9.11.5-P1
5108.   [bug]           Named could fail to determine bottom of zone when
                        removing out of date keys leading to invalid NSEC
                        and NSEC3 records being added to the zone. [GL #771]
2018-12-13 14:27:47 +00:00
sthen
3633dd875c drop back to isc-bind 9.11.x pending investigation into how to fix
named's requirement that cwd is writable.

install bind.keys to the right path (it used the compiled-in default
anyway but this gives the wrong cue to anyone wanting to update dnssec
root zone trust anchors).

problems reported by Mikolaj Kucharski
2018-12-02 13:25:44 +00:00
sthen
a4878ebe1c update to BIND 9.12.3, switching to 9.12.x branch 2018-11-06 13:48:40 +00:00
sthen
460f3d9b19 update to bind-9.11.5
enable idn in utilities (dig/etc)
2018-10-19 14:04:45 +00:00
sthen
7698b7c358 update to isc-bind 9.11.4-P2, fixing dnssec inline signing
https://kb.isc.org/docs/change-4892-exposed-multiple-problems-affecting-dnssec-inline-signing
2018-09-20 09:36:49 +00:00
sthen
208a28ab06 update to BIND 9.11.4-P1
4997.   [security]      named could crash during recursive processing
                        of DNAME records when "deny-answer-aliases" was
                        in use. (CVE-2018-5740) [GL #387]
2018-08-09 15:02:28 +00:00
sthen
25b7234045 update to isc-bind-9.11.4 2018-07-12 10:12:30 +00:00
sthen
91f0e035f4 update to bind-9.11.3 2018-03-15 00:59:18 +00:00
sthen
ea032018e5 security update to BIND 9.11.2-P1
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this happening
were remote, but the introduction of a delay in resolution increased
them. (The delay will be addressed in an upcoming maintenance release.)
This bug is disclosed in CVE-2017-3145. [RT #46839]
2018-01-16 22:13:59 +00:00
sthen
75eb7f397b update BIND to 9.11.2, switching from 9.10 to 9.11 branch (which is a long
term support branch).

note, the license changed to MPL.
2018-01-12 17:08:01 +00:00
sthen
c9959dc190 update to bind 9.10.6 2017-07-28 23:38:06 +00:00
sthen
807c691ab5 update to BIND-9.10.5-P3
9.10.5-P2 broke verification of TSIG signed TCP message sequences where
not all the messages contain TSIG records. These may be used in AXFR and
IXFR responses. [RT #45509]
2017-07-10 07:38:04 +00:00
sthen
ab9e1e6794 Update to BIND 9.10.5-P2
An error in TSIG handling could permit unauthorized zone transfers
or zone updates. CVE-2017-3142, CVE-2017-3143.

Also updates the address of b.root in hints.
2017-06-29 21:14:54 +00:00
sthen
ad2da6a263 update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]

A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query
2017-06-15 09:01:49 +00:00
sthen
605258dc87 update to BIND 9.10.5 2017-05-03 20:20:42 +00:00
sthen
3699ab4692 update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an
assertion failure when using DNS64 with "break-dnssec yes;"

CVE-2017-3137: A response packet can cause a resolver to terminate when
processing an answer containing a CNAME or DNAME

CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives
a null command string on its control channel
2017-04-13 10:35:33 +00:00
sthen
b3152d3371 update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server crash.
This flaw is disclosed in CVE-2017-3135. [RT #44434]

* A synthesized CNAME record appearing in a response before the associated
DNAME could be cached, when it should not have been. This was a
regression introduced while addressing CVE-2016-8864. [RT #44318]
2017-02-09 00:04:40 +00:00
sthen
59278df8ab SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering
an assertion failure.  CVE-2016-9444

Named mishandled some responses where covering RRSIG records are returned
without the requested data resulting in an assertion failure.  CVE-2016-9147

Named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch.  CVE-2016-9131
2017-01-12 12:22:20 +00:00
sthen
773d2b6dc7 update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864 2016-11-01 21:02:03 +00:00
sthen
fe29ebcaad update to BIND 9.10.4-P3, fixing
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only)
https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if
they can receive request packets from any source")
2016-09-27 19:49:10 +00:00
sthen
2b012a1821 Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non
absolute name could trigger an infinite recursion bug in lwres[..]"; affects
users of lwresd and users with "lwres" enabled in their configuration).
Also has a couple of regression fixes. OK naddy@
2016-07-19 10:46:15 +00:00
sthen
159edcc4ce update to BIND 9.10.4-P1, fixing a problem where adjacent bitfields
were protected by different locks.

See http://fanf.livejournal.com/144615.html for an informative write-up
on the issue: "Even the Deathstation 9000 can't screw up the BIND 9.10.4
fix".
2016-05-26 09:25:25 +00:00
sthen
7924de779f update to bind-9.10.4 2016-04-29 11:01:02 +00:00
sthen
d5803c3bbe update to BIND 9.10.3-P4, fixes crashes (assertion failures), one present
since 9.0.0.  CVE-2016-1285 CVE-2016-1286 CVE-2016-2088
2016-03-10 00:03:34 +00:00
sthen
1268bf479e update to BIND 9.10.3P3
- Fixed a regression in resolver.c:possibly_mark() which caused
known-bogus servers to be queried anyway. [RT #41321]

- render_ecs errors were mishandled when printing out an OPT record
resulting in an assertion failure. (CVE-2015-8705) [RT #41397]

- Specific APL data could trigger an INSIST. (CVE-2015-8704) [RT #41396]
2016-01-19 22:24:05 +00:00
sthen
73a350007e update to bind-9.10.3-P2
4260.   [security]      Insufficient testing when parsing a message allowed
                        records with an incorrect class to be accepted,
                        triggering a REQUIRE failure when those records
                        were subsequently cached. (CVE-2015-8000) [RT #40987]

4253.   [security]      Address fetch context reference count handling error
                        on socket error. (CVE-2015-8461) [RT#40945]
2015-12-15 22:43:37 +00:00
sthen
eef49f1bf6 update to BIND 9.10.3. add a bunch of patches because they now support
OpenSSL 1.1 api (OPENSSL_VERSION_NUMBER < / >= 0x10100000L checks).
2015-09-16 15:28:16 +00:00
sthen
a14d71ae63 SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986 2015-09-02 20:25:43 +00:00
sthen
ac18a8a106 Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c
could result in an assertion failure. (CVE-2015-5477)
2015-07-28 20:03:35 +00:00