BIND 9 Security Vulnerability Matrix | Internet Systems Consortium Knowledge Base

Knowledge Base

Search the Knowledgebase

BIND 9 Security Vulnerability Matrix

Author: ISC Support Reference Number: AA-00913 Views: 232867 Created: 2013-05-20 22:08 Last Updated: 2016-03-09 19:39

0 Rating/ Voters

The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND.

It has two parts:

The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to our Knowledge Base article on the vulnerability.
The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top. If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it. If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

For example, if you use the top table to look up CVE-2012-1667, you will see that it cross references to #46. You can look for column #46 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.8.3 you would know to upgrade.

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

We do not recommend that you use any version not listed in one of these charts.

Vulnerability information for EOL (End of Life) versions of BIND 9 (9.0 through 9.8) and below are included only for vulnerabilities discovered before (or in some cases shortly after) the EOL date. These versions are all known to be affected by some vulnerabilities discovered after their EOL date.

Using obsolete versions of BIND

We recommend that you not use obsolete versions of any ISC software. It was updated for a reason. But there is one situation in which you really must not run older versions of BIND.

If a nameserver — any nameserver, whether BIND or other software — is configured to use "forwarders'', then none of its targets (the servers to which it forwards the requests) can be running BIND4 or BIND8. Upgrade all nameservers used as forwarders to a current version. There is a wide scale Kashpureff-style DNS cache corruption attack that depends on BIND4 and BIND8 being the targets of DNS forwarders. Both BIND 4 and BIND 8 have end-of-life status.

Listing of Vulnerabilities

#	CVE Number	Short Description
74	2016-2088	A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure
73	2016-1286	A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c
72	2016-1285	An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
71	2016-1284	A REQUIRE assertion failure in rdataset.c can be deliberately triggered in servers performing NXDOMAIN redirection
70	2015-8705	Problems converting OPT resource records and ECS options to text format can cause BIND to terminate
69	2015-8704	Specific APL data could trigger an INSIST in apl_42.c
68	2015-8461	A race condition when handling socket errors can lead to an assertion failure in resolver.c
67	2015-8000	Responses with a malformed class attribute can trigger an assertion failure in db.c
66	2015-5986	An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
65	2015-5722	Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
64	2015-5477	An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
63	2015-4620	Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
62	2015-1349	A Problem with Trust Anchor Management Can Cause named to Crash
61	2014-8680	Defects in GeoIP features can cause BIND to crash
60	2014-8500	A Defect in Delegation Handling Can Be Exploited to Crash BIND
59	2014-3859	BIND named can crash due to a defect in EDNS printing processing
58	2014-3214	A Defect in Prefetch Can Cause Recursive Servers to Crash
57	2014-0591	A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
56	2013-6230	A Winsock API Bug can cause a side-effect affecting BIND ACLs
55	2013-4854	A specially crafted query can cause BIND to terminate abnormally
54	2013-3919	A recursive resolver can be crashed by a query for a malformed zone
53	2013-2266	A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
52	2012-5689	BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
51	2012-5688	BIND 9 servers using DNS64 can be crashed by a crafted query
50	2012-5166	Specially crafted DNS data can cause a lockup in named
49	2012-4244	A specially crafted Resource Record could cause named to terminate
48	2012-3868	High TCP query load can trigger a memory leak
47	2012-3817	Heavy DNSSEC validation load can cause a "bad cache" assertion failure
46	2012-1667	Handling of zero length rdata can cause named to terminate unexpectedly
45	2011-4313	BIND 9 Resolver crashes after logging an error in query.c
44	2011-2465	Remote crash with certain RPZ configurations
43	2011-2464	remote packet denial of service against authoritative and recursive servers
42	2011-1910	Large RRSIG RRsets and negative caching can crash named
41	2011-1907	RRSIG queries can trigger server crash when using Response Policy Zones
40	2011-0414	Server lockup upon IXFR or DDNS update combined with high query rate
39	2010-3613	cache incorrectly allows an ncache entry and an RRSIG for the same type
38	2010-3615	allow-query processed incorrectly
37	2010-3614	Key algorithm rollover bug in BIND 9
36	2010-3762	failure to handle bad signatures if multiple trust anchors configured
35	2010-0218	Unexpected ACL Behavior in BIND 9.7.2
34	2010-0213	RRSIG query handling bug in BIND 9.7.1
33	2010-0097	DNSSEC validation code could cause bogus NXDOMAIN responses
32	2009-4022	Cache Update From Additional Section
31	2009-0696	Dynamic Update DoS attack
30	2008-5077	DNSSEC issue with DSA and NSEC3DSA algorithms
29	2008-1447	DNS cache poisoning issue
28	2008-0122	inet_network() off-by-one buffer overflow
27	2007-2930	cryptographically weak query ids (BIND 8)
26	2007-2926	cryptographically weak query ids
25	2007-2925	allow-query-cache/allow-recursion default acls not set.
24	2007-2241	Sequence of queries can cause a recursive nameserver to exit.
23	2007-0494	Denial of service via ANY query response containing multiple RRsets.
22	2007-0493	Denial of service via unspecified vectors that cause "dereference a freed fetch context."
21	2006-4096	Denial of service via a flood of recursive queries causing INSIST failure.
19	2005-0034	The DNSSEC validator can cause the server to exit
13	2002-0400	DoS internal consistency check (DoS_findtype)

Why don't the reference numbers begin at 1?

These matrices have been moved to our Knowledge Base from our website. Along the way we have extracted the security matrix information for BIND8; hence the numbering does not start with 1, and there are some gaps where some security reports related solely to BIND8. If you are still running BIND8 or earlier, we strongly recommend that you upgrade because there are security vulnerabilities inherent in BIND8 that could not be fixed until BIND9.

BIND 9.10

ver/CVE	58	59	60	61	62	63	64	65	66	67	68	69	70	71	72	73	74
9.10.3-P4
9.10.3-P3															+	+	+
9.10.3-P2												+	+		+	+	+
9.10.3-P1											+	+	+		+	+	+
9.10.3										+	+	+	+		+	+	+
9.10.2-P4										+		+	+		+	+	+
9.10.2-P3								+	+	+		+	+		+	+	+
9.10.2-P2							+	+	+	+		+	+		+	+	+
9.10.2-P1						+	+	+	+	+		+	+		+	+	+
9.10.2						+	+	+	+	+		+	+		+	+	+
9.10.1-P2						+	+	+		+		+	+		+	+	+
9.10.1-P1					+	+	+	+		+		+	+		+	+	+
9.10.1			+	+	+	+	+	+		+		+	+		+	+	+
9.10.0-P2			+	+	+	+	+	+		+		+	+		+	+	+
9.10.0-P1		+	+	+	+	+	+	+		+		+	+		+	+	+
9.10.0	+	+	+	+	+	+	+	+		+		+	+		+	+	+

BIND 9.9

ver/CVE	46	47	48	49	50	51	52	53	54	55	56	57	58	59	60	61	62	63	64	65	66	67	68	69	70	71	72	73	74
9.9.8-P4
9.9.8-P3																											+	+
9.9.8-P2																								+			+	+
9.9.8-P1																							+	+			+	+
9.9.8																						+	+	+			+	+
9.9.7-P3																						+		+			+	+
9.9.7-P2																				+	+	+		+			+	+
9.9.7-P1																			+	+	+	+		+			+	+
9.9.7																		+	+	+	+	+		+			+	+
9.9.6-P2																		+	+	+		+		+			+	+
9.9.6-P1																	+	+	+	+		+		+			+	+
9.9.6															+		+	+	+	+		+		+			+	+
9.9.5-P1															+		+	+	+	+		+		+			+	+
9.9.5-W1															+		+	+	+	+		+		+			+	+
9.9.5															+		+	+	+	+		+		+			+	+
9.9.4-P2															+		+	+	+	+		+		+			+	+
9.9.4-P1												+			+		+	+	+	+		+		+			+	+
9.9.4											+	+			+		+	+	+	+		+		+			+	+
9.9.3-P2											+	+			+		+	+	+	+		+		+			+	+
9.9.3-P1										+	+	+			+		+	+	+	+		+		+			+	+
9.9.3									+	+	+	+			+		+	+	+	+		+		+			+	+
9.9.2-P2							+			+	+	+			+		+	+	+	+		+		+			+	+
9.9.2-P1							+	+		+	+	+			+		+	+	+	+		+		+			+	+
9.9.2						+	+	+		+	+	+			+		+	+	+	+		+		+			+	+
9.9.1-P4						+	+	+		+	+	+			+		+	+	+	+		+		+			+	+
9.9.1-P3					+	+	+	+		+	+	+			+		+	+	+	+		+		+			+	+
9.9.1-P2				+	+	+	+	+		+	+	+			+		+	+	+	+		+		+			+	+
9.9.1-P1		+	+	+	+	+	+	+		+	+	+			+		+	+	+	+		+		+			+	+
9.9.1	+	+	+	+	+	+	+	+		+	+	+			+		+	+	+	+		+		+			+	+
9.9.0	+	+	+	+	+	+	+	+		+	+	+			+		+	+	+	+		+		+			+	+

BIND 9.9 Supported Preview edition

If you'd like more information on our product support or about our Supported Preview edition of BIND, also known as the Subscription version, please visit https://www.isc.org/bind-subscription-2/

ver/CVE	54	55	56	57	58	59	60	61	62	63	64	65	66	67	68	69	70	71	72	73	74
9.9.8-S6
9.9.8-S5																			+	+
9.9.8-S4																		+	+	+
9.9.8-S3																+		+	+	+
9.9.8-S2															+	+		+	+	+
9.9.8-S1														+	+	+		+	+	+
9.9.7-S6														+		+			+	+
9.9.7-S5												+	+	+		+			+	+
9.9.7-S4											+	+	+	+		+			+	+
9.9.7-S3										+	+	+	+	+		+			+	+
9.9.7-S2										+	+	+	+	+		+			+	+
9.9.7-S1										+	+	+	+	+		+			+	+
9.9.6-S3										+	+	+	+	+		+			+	+
9.9.6-S2									+	+	+	+	+	+		+			+	+
9.9.6-S1							+	+	+	+	+	+	+	+		+			+	+
9.9.5-S1-P1							+	+	+	+	+	+	+	+		+			+	+
9.9.5-S1-W1							+	+	+	+	+	+	+	+		+			+	+
9.9.5-S1							+	+	+	+	+	+	+	+		+			+	+
9.9.4-S1-P2							+	+	+	+	+	+	+	+		+			+	+
9.9.4-S1-P1				+			+	+	+	+	+	+	+	+		+			+	+
9.9.4-S1			+	+			+	+	+	+	+	+	+	+		+			+	+
9.9.3-S1-P1			+	+			+	+	+	+	+	+	+	+		+			+	+
9.9.3-S1		+	+	+			+	+	+	+	+	+	+	+		+			+	+

ALL versions below are EOL

While there may be some newer vulnerabilities that do not apply to them, they are all affected by multiple known vulnerabilities.

BIND 9.8

(EOL September 2014; final matrix update 2014-12-08)

ver/CVE	41	42	43	44	45	46	47	48	49	50	51	52	53	54	55	56	57	58	59	60	61
9.8.8																				+
9.8.7-P1																				+
9.8.7																				+
9.8.6-P2																				+
9.8.6-P1																	+			+
9.8.6																+	+			+
9.8.5-P2																+	+			+
9.8.5-P1															+	+	+			+
9.8.5														+	+	+	+			+
9.8.4-P2												+			+	+	+			+
9.8.4-P1												+	+		+	+	+			+
9.8.4											+	+	+		+	+	+			+
9.8.3-P4											+	+	+		+	+	+			+
9.8.3-P3										+	+	+	+		+	+	+			+
9.8.3-P2									+	+	+	+	+		+	+	+			+
9.8.3-P1							+		+	+	+	+	+		+	+	+			+
9.8.3						+	+		+	+	+	+	+		+	+	+			+
9.8.2						+	+		+	+	+	+	+		+	+	+			+
9.8.1-P1						+	+		+	+	+	+	+		+	+	+			+
9.8.1					+	+	+		+	+	+	+	+		+	+	+			+
9.8.0-P4					+	+	+		+	+	+	+	+		+	+	+			+
9.8.0-P3			+		+	+	+		+	+	+	+	+		+	+	+			+
9.8.0-P2			+	+	+	+	+		+	+	+	+	+		+	+	+			+
9.8.0-P1		+	+	+	+	+	+		+	+	+	+	+		+	+	+			+
9.8.0	+	+	+	+	+	+	+		+	+	+	+	+		+	+	+			+

BIND 9.7

(EOL November 2012; Final matrix update 2014-01-13)

ver/CVE	34	35	36	37	38	39	40	41	42	43	44	45	46	47	48	49	50	51	52	53	54	55	56	57
9.7.7																				+		+	+	+
9.7.6-P4																				+		+	+	+
9.7.6-P3																	+			+		+	+	+
9.7.6-P2																+	+			+		+	+	+
9.7.6-P1														+		+	+			+		+	+	+
9.7.6													+	+		+	+			+		+	+	+
9.7.5													+	+		+	+			+		+	+	+
9.7.4-P1													+	+		+	+			+		+	+	+
9.7.4												+	+	+		+	+			+		+	+	+
9.7.3-P3												+	+	+		+	+			+		+	+	+
9.7.3-P2										+		+	+	+		+	+			+		+	+	+
9.7.3-P1										+		+	+	+		+	+			+		+	+	+
9.7.3									+	+		+	+	+		+	+			+		+	+	+
9.7.2-P3							+		+	+		+	+	+		+	+			+		+	+	+
9.7.2-P2		+	+	+	+	+	+		+	+		+	+	+		+	+			+		+	+	+
9.7.2-P1		+	+	+		+	+		+	+		+	+	+		+	+			+		+	+	+
9.7.2		+	+	+		+	+		+	+		+	+	+		+	+			+		+	+	+
9.7.1-P2			+	+		+	+		+	+		+	+	+		+	+			+		+	+	+
9.7.1-P1	+		+	+		+	+		+	+		+	+	+		+	+			+		+	+	+
9.7.1	+		+	+		+	+		+	+		+	+	+		+	+			+		+	+	+
9.7.0-P2			+	+		+				+		+	+			+	+			+		+	+	+
9.7.0-P1			+	+		+				+		+	+			+	+			+		+	+	+
9.7.0			+	+		+				+		+	+			+	+			+		+	+	+

BIND 9.6 / 9.6-ESV

(EOL February 2014; final matrix update 2014-12-08)

ver/CVE	30	31	32	33	34	35	36	37	38	39	40	41	42	43	44	45	46	47	48	49	50	51	52	53	54	55	56	57	58	59	60
9.6-ESV-R11																															+
9.6-ESV-R10-P2																															+
9.6-ESV-R10-P1																												+			+
9.6-ESV-R10																											+	+			+
9.6-ESV-R9-P1																											+	+			+
9.6-ESV-R9																									+		+	+			+
9.6-ESV-R8																											+	+			+
9.6-ESV-R7-P4																											+	+			+
9.6-ESV-R7-P3																					+						+	+			+
9.6-ESV-R7-P2																				+	+						+	+			+
9.6-ESV-R7-P1																		+		+	+						+	+			+
9.6-ESV-R7																	+	+		+	+						+	+			+
9.6-ESV-R6																	+	+		+	+						+	+			+
9.6-ESV-R5-P1																	+	+		+	+						+	+			+
9.6-ESV-R5																+	+	+		+	+						+	+			+
9.6-ESV-R4-P3																+	+	+		+	+						+	+			+
9.6-ESV-R4-P2														+		+	+	+		+	+						+	+			+
9.6-ESV-R4-P1														+		+	+	+		+	+						+	+			+
9.6-ESV-R4													+	+		+	+	+		+	+						+	+			+
9.6-ESV-R3													+			+	+	+		+	+						+	+			+
9.6-ESV-R2								+		+			+			+	+	+		+	+						+	+			+
9.6-ESV-R1								+		+						+	+	+		+	+						+	+			+
9.6-ESV								+		+						+	+	+		+	+						+	+			+
9.6.3								+		+			+			+	+			+	+						+	+			+
9.6.2-P3								+		+						+	+			+	+						+	+			+
9.6.2-P2								+		+						+	+			+	+						+	+			+
9.6.2-P1								+		+						+	+			+	+						+	+			+
9.6.2								+		+						+	+			+	+						+	+			+
9.6.1-P3								+		+						+	+			+	+						+	+			+
9.6.1-P2								+		+						+	+			+	+						+	+			+
9.6.1-P1			+	+				+		+						+	+			+	+						+	+			+
9.6.1		+	+	+				+		+						+	+			+	+						+	+			+
9.6.0-P1		+	+	+				+		+						+	+			+	+						+	+			+
9.6.0	+	+	+	+				+		+						+	+			+	+						+	+			+

BIND 9.5

(EOL September 2010; Final matrix update 2011-11-16)

ver/CVE	29	30	31	32	33	37	39	45
9.5.2-P2						+	+	+
9.5.1-P3				+	+	+	+	+
9.5.1-P1			+	+	+	+	+	+
9.5.1		+	+	+	+	+	+	+
9.5.0-P2		+	+	+	+	+	+	+
9.5.0-P1		+	+	+	+	+	+	+
9.5.0	+	+	+	+	+	+	+	+

BIND 9.4 / 9.4-ESV

(EOL March 2012; Final matrix update 2011-11-16)

ver/CVE	24	25	26	28	29	30	31	32	33	37	39	42	44	45
9.4-ESV-R5-P1														+
9.4-ESV-R5													+	+
9.4-ESV-R4-P1													+	+
9.4-ESV-R4												+		+
9.4-ESV-R3										+	+	+		+
9.4-ESV-R2										+	+			+
9.4-ESV-R1										+	+			+
9.4-ESV										+	+			+
9.4.3-P5										+	+			+
9.4.3-P3								+	+	+	+			+
9.4.3-P1							+	+	+	+	+			+
9.4.3						+	+	+	+	+	+			+
9.4.2-P1				+		+	+	+	+	+	+			+
9.4.2				+	+	+	+	+	+	+	+			+
9.4.1-P1				+	+	+	+	+	+	+	+			+
9.4.1		+	+	+	+	+	+	+	+	+	+			+
9.4.0	+	+	+	+	+	+	+	+	+	+	+			+

BIND 9.3

(EOL January 2009; Final matrix update 2011-09-09)

ver/CVE	19	21	22	23	24	25	26	27	28	29	30	31	32	33	34	35	36	37	38	39	40	41	42	43	44
9.3.6-P1												+	+	+				+		+
9.3.6											+	+	+	+				+		+
9.3.5-P1											+	+	+	+				+		+
9.3.5										+	+	+	+	+				+		+
9.3.4-P1									+	+	+	+	+	+				+		+
9.3.4							+		+	+	+	+	+	+				+		+
9.3.3			+	+			+		+	+	+	+	+	+				+		+
9.3.2		+	+	+			+		+	+	+	+	+	+				+		+
9.3.1		+	+	+			+		+	+	+	+	+	+				+		+
9.3.0	+	+	+	+			+		+	+	+	+	+	+				+		+

BIND 9.2

(EOL September 2007; Final matrix update 2011-09-09)

ver/CVE	13	22	23	24	25	26	27	28	29	30	31	32	33	34	35	36	37	38	39	40	41	42	43	44
9.2.8-P1								+	+	+	+	+	+				+		+
9.2.8						+		+	+	+	+	+	+				+		+
9.2.7		+	+			+		+	+	+	+	+	+				+		+
9.2.6		+	+			+		+	+	+	+	+	+				+		+
9.2.5		+	+			+		+	+	+	+	+	+				+		+
9.2.4		+	+			+		+	+	+	+	+	+				+		+
9.2.3		+	+			+		+	+	+	+	+	+				+		+
9.2.2		+	+			+		+	+	+	+	+	+				+		+
9.2.1		+	+			+		+	+	+	+	+	+				+		+
9.2.0	+	+	+			+		+	+	+	+	+	+				+		+

BIND 9.1

(EOL July 2001; Final matrix update 2011-09-09)

ver/CVE	13	23	24	25	26	27	28	29	30	31	32	33	34	35	36	37	38	39	40	41	42	43	44
9.1.3	+	+			+		+	+	+	+	+	+				+		+
9.1.2	+	+			+		+	+	+	+	+	+				+		+
9.1.1	+	+			+		+	+	+	+	+	+				+		+
9.1.0	+	+			+		+	+	+	+	+	+				+		+

BIND 9.0

(EOL July 2001; Final matrix update 2011-09-09)

ver/CVE	13	23	24	25	26	27	28	29	30	31	32	33	34	35	36	37	38	39	40	41	42	43	44
9.0.1	+	+			+		+	+	+	+	+	+				+		+
9.0.0	+	+					+	+	+	+	+	+				+		+

© 2001-2016 Internet Systems Consortium

Please help us to improve the content of our knowledge base by letting us know below how we can improve this article.

If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback.

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

Feedback 2

#
[KB Admin]: Unexpected Portugese Error 2013-08-12 11:09

Sorry about that - we've fixed the link!
#
[ gson]: Unexpected Portugese Error 2013-07-27 10:32

When I view the BIND 9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913/0 and click the link saying
"A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named", I end up on a page in Portugese rather than the expected English.

Submit Feedback on this Article

Quick Jump Menu

Submit Feedback on this Article

	Subscribe to Comments
	Subscribe to Updates
	Email to a Friend
	Print Article
	Export to PDF
	Add to My Favorites
	Remove from Favorites
	Rate it!

RSS Articles