First published: Wed Aug 08 2018
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2.
Credit: security-officer@isc.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/bind | <9.9.13 | 9.9.13 |
redhat/bind | <9.10.8 | 9.10.8 |
redhat/bind | <9.11.4 | 9.11.4 |
redhat/bind | <9.12.2 | 9.12.2 |
ISC BIND | >=9.7.0<9.8.8 | |
ISC BIND | >=9.9.0<9.9.13 | |
ISC BIND | >=9.10.0<9.10.8 | |
ISC BIND | >=9.11.0<9.11.4 | |
ISC BIND | >=9.12.0<9.12.2 | |
ISC BIND | >=9.13.0<9.13.2 | |
Redhat Enterprise Linux Desktop | =6.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =6.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Server Aus | =7.6 | |
Redhat Enterprise Linux Server Eus | =7.5 | |
Redhat Enterprise Linux Server Eus | =7.6 | |
Redhat Enterprise Linux Workstation | =6.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Netapp Data Ontap Edge | ||
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
HP HP-UX | ||
openSUSE Leap | =15.0 | |
openSUSE Leap | =15.1 | |
openSUSE Leap | =42.3 | |
debian/bind9 | 1:9.16.50-1~deb11u2 1:9.16.50-1~deb11u1 1:9.18.28-1~deb12u2 1:9.20.2-1 |
Disable use of "deny-answer-aliases" feature
Most operators will not need to make any changes unless they are using the "deny-answer-aliases" feature (which is described in the BIND 9 Administrator Reference Manual, section 6.2). "deny-answer-aliases" is off by default; only configurations which explicitly enable it can be affected by this defect. If you are using "deny-answer-aliases", upgrade to the patched release most closely related to your current version of BIND: 9.9.13-P1, 9.10.8-P1, 9.11.4-P1, 9.12.2-P1.

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers: 9.11.3-S3.
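A check for the two conditions described above, as an added example that is not part of the advisory or ISC's code: it tests an upstream version string against the affected ranges listed on this page and looks for an active "deny-answer-aliases" statement in named.conf text. The function names and the sample configuration are constructed for illustration; -S preview builds and distro package versions (which may carry backported fixes) are rejected rather than guessed.

```python
import re

# Inclusive affected ranges, as listed in the advisory text.
AFFECTED = [((9, 7, 0), (9, 8, 8)), ((9, 9, 0), (9, 9, 13)),
            ((9, 10, 0), (9, 10, 8)), ((9, 11, 0), (9, 11, 4)),
            ((9, 12, 0), (9, 12, 2)), ((9, 13, 0), (9, 13, 2))]
# Releases the advisory names as patched when they carry a -P suffix.
PATCHED_BASES = {(9, 9, 13), (9, 10, 8), (9, 11, 4), (9, 12, 2)}
# A quoted string, or one of the three comment styles named.conf accepts.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def version_affected(version):
    """True if an upstream ISC version string is in an affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", version)
    if not m:
        # -S preview builds and distro package versions are out of scope here.
        raise ValueError(f"unsupported version string: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    patch_level = int(m.group(4) or 0)
    # Assumption: -P1 and any later -P build of a patched base carry the fix.
    if base in PATCHED_BASES and patch_level >= 1:
        return False
    return any(lo <= base <= hi for lo, hi in AFFECTED)

def uses_deny_answer_aliases(conf):
    """True if the option is set outside comments and quoted strings."""
    blank = lambda m: '""' if m.group(0).startswith('"') else " "
    stripped = _TOKEN.sub(blank, conf)
    return re.search(r"(?<![\w-])deny-answer-aliases\s*\{", stripped) is not None

def exposed(version, conf):
    """Both conditions from the advisory: affected build and option enabled."""
    return version_affected(version) and uses_deny_answer_aliases(conf)

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = '''
options {
    directory "/var/named";  // constructed path
    /* deny-answer-aliases { "old.example"; }; */
    deny-answer-aliases { "example.net"; } except-from { "example.org"; };
};
'''

if __name__ == "__main__":
    for v in ("9.11.4", "9.11.4-P1", "9.14.0"):
        print(v, "exposed" if exposed(v, SAMPLE_CONF) else "not exposed")
```

Files pulled in with `include` are not followed, so run the configuration check over each included file as well.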