Corrective updates to the stable branches of BIND DNS Server 9.11.22 and 9.16.6, as well as the experimental branch 9.17.4, which is in development. The new releases fixed 5 vulnerabilities. The most dangerous vulnerability () remotely cause a denial of service by sending a specific set of packets to the TCP port on which it accepts BIND connections. Sending abnormally large AXFR requests to a TCP port, cause the libuv library servicing the TCP connection to pass the size to the server, which triggers the assertion and terminates the process.
Other vulnerabilities:
- - An attacker can trigger an assertion check and resolver crash when trying to minify a QNAME after a request has been redirected. The problem only occurs on servers with QNAME minification enabled and running in 'forward first' mode.
- - the attacker can initiate the operation of the assertion check and the emergency termination of the workflow if the attacker's DNS server returns incorrect responses with the TSIG signature in response to a request from the victim's DNS server.
- - An attacker can initiate an assertion check and an emergency termination of the handler by sending specially crafted requests for a zone signed with an RSA key. The problem appears only when building the server with the "--enable-native-pkcs11" option.
- - An attacker who has the authority to change the contents of certain fields in the DNS zones can obtain additional privileges to change other contents of the DNS zone.
Source: opennet.ru