There was an issue in the DTLS handshake implementation in BIND 9.1 through 9.4.4 which could result in a named process terminating with an assertion failure. This issue has been fixed in 9.5 through 9.9.5. A workaround is to upgrade to 9.10, 9.11, or later, as these versions implement a fix for this issue. BIND 9.10.3 or later also implements a fix for another, unrelated DTLS handshake issue that can also cause named to terminate with an assertion failure; that issue has been addressed in 9.10.4. The workaround for these issues is to upgrade to a fixed version.

BIND 9.10.3, 9.10.4, and 9.11+ Fixed Issues
BIND 9.10.3 is a security release that fixes a DoS vulnerability in the implementation of DTLS (Datagram Transport Layer Security) handshake functionality in BIND 9.x and BIND 10-based servers, which could result in a named process terminating with an assertion failure or crash when receiving or transmitting data via DTLS on port 443. This issue has been fixed in BIND 9.10.4 and later releases, as well as in BIND 11+ releases based on the 9-stable codebase.
BIND 9.10.4 is a security release that fixes a DoS vulnerability in the implementation of DTLS (Datagram Transport Layer Security) handshake functionality in BIND 9.x and BIND 10-based servers, which could result in a named process terminating with an assertion failure or crash when receiving or transmitting data via DTLS on port 443. It also fixes an issue with the handling of large responses from DNS recursive resolvers that could cause named to fail while processing such responses, resulting in an assertion failure or crash.
BIND 11+ releases based on the 9-stable codebase are not affected by the issues fixed by this update, because they implement neither the DTLS handshake functionality nor the handling of large responses from DNS recursive resolvers.

BIND 9.10.3 and BIND 9.11.1

Release notes for BIND 9.10.3 and BIND 9.11.1 are available at https://kb.isc.org/article/AA-01998 .

CVE-2019-1190

There was an issue in the DTLS handshake implementation in BIND 9.10 through 9.11 which could result in a named process terminating with an assertion failure. This issue has been fixed in 9.12 through 9.14, 9.15 through 9.24-rc1-git6, and later versions, as these versions implement a fix for this issue. The workaround is to upgrade to BIND 9.12-rc1 or later, as those releases include fixes for these issues that were not included in earlier releases of BIND 9.

Configuration Database Corruption

A configuration database corruption error in BIND 9 could be caused by an out-of-memory condition. This issue has been fixed in 9.10 and 9.10.1. A workaround is to upgrade to 9.11 or later, which does not have this issue and also implements a fix for another, unrelated DTLS handshake issue that can cause named to terminate with an assertion failure.

BIND 9.10.4

The BIND 9.9.5 release contained an issue in the DTLS handshake implementation which could result in a named process terminating with an assertion failure. This issue has been fixed.

Timeline

Published on: 05/19/2022 10:15:00 UTC
Last modified on: 07/07/2022 15:15:00 UTC
