[v2.6] bind: BIND named can crash due to a defect in EDNS printing processing (CVE-2014-3859)
A query specially crafted to exploit a defect in EDNS option processing can cause named to terminate with an assertion failure.
Impact:
Both authoritative and recursive servers are vulnerable to this defect. Exploitation of this condition can cause a denial of service in nameservers running affected versions of BIND 9.10. Access Control Lists do not provide protection.
The bug which causes this condition is in libdns; consequently, in addition to the named server process, other applications (for example, dig and delv) built using the libdns library from the affected source distributions can also be forced to crash with assertion failures triggered in the same fashion.
Solution:
Upgrade to the patched release most closely related to your current version of BIND. Open source versions can all be downloaded from http://www.isc.org/downloads.
- BIND 9 version 9.10.0-P2
(from redmine: issue id 3035, created on 2014-06-12, closed on 2014-06-12)
- Relations:
- parent #3033 (closed)