Remote Code Execution Vulnerability in BIND DNS Server

Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.28 and 9.16.12, as well as for 9.17.10. The new releases resolve a buffer overflow vulnerability that could potentially lead to remote execution of malicious code. No working exploits have been observed so far.

The problem is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which GSSAPI uses to negotiate the protection methods shared by the client and server. BIND uses GSSAPI as a high-level protocol for secure key exchange in the GSS-TSIG extension, which authenticates dynamic updates of DNS zones.

The vulnerability affects systems configured to use GSS-TSIG (for example, if the tkey-gssapi-keytab and tkey-gssapi-credential settings are used). GSS-TSIG is typically used in mixed environments where BIND is combined with Active Directory domain controllers, or when integrating with Samba. In the default configuration, GSS-TSIG is disabled.

As a workaround that blocks the problem without requiring GSS-TSIG to be disabled, BIND can be built without support for the SPNEGO mechanism, which is disabled by specifying the "--disable-isc-spnego" option when running the "configure" script. In distributions, the problem remains uncorrected for now. You can follow the updates on the pages of the following distributions: Debian, RHEL, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD.
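The two conditions described above (GSS-TSIG configured, SPNEGO support compiled in) can be checked on a server with a short script. This is an added example, not code from the BIND project; it assumes the configuration text and the output of "named -V" are passed in as strings, and the sample values are constructed.

```python
import re

GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")
# Quoted strings are matched first so that "/var/named" or "#" inside
# a value is never mistaken for the start of a comment.
_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Remove /* */, // and # comments from named.conf text."""
    return _COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf)

def gss_tsig_settings(conf):
    """Return the GSS-TSIG options that are actually active."""
    active = strip_comments(conf)
    found = {}
    for opt in GSS_OPTIONS:
        m = re.search(r'(?<![\w-])' + re.escape(opt)
                      + r'\s+"?([^";]+)"?\s*;', active)
        if m:
            found[opt] = m.group(1)
    return found

def spnego_disabled(named_v_output):
    """True if the build was configured with --disable-isc-spnego."""
    return "--disable-isc-spnego" in named_v_output

def assess(conf, named_v_output):
    settings = gss_tsig_settings(conf)
    if not settings:
        return "not exposed: GSS-TSIG is not configured"
    if spnego_disabled(named_v_output):
        return "mitigated: GSS-TSIG in use, built with --disable-isc-spnego"
    return ("exposed: GSS-TSIG in use (" + ", ".join(sorted(settings))
            + "); update or rebuild")

# Constructed sample inputs (not taken from a real server).
SAMPLE_CONF = '''
options {
    directory "/var/named";
    // tkey-gssapi-credential "DNS/old.example.test";
    tkey-gssapi-keytab "/etc/named.keytab";  # dynamic updates from AD
};
'''
SAMPLE_BUILD = "built by make with '--prefix=/usr' '--with-gssapi'"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_BUILD))
```

The script does not follow include statements, so on a real server feed it the output of "named-checkconf -p", which prints the configuration with included files expanded.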

Source: opennet.ru
