BIND 9 patched against remote crash vuln
Time to get patching, sys admins: ISC (the Internet Systems Consortium) has issued a fix for a BIND 9 denial of service vulnerability.
The defect and patch, published last week, “allows an attacker to crash a BIND 9 recursive resolver with a RUNTIME_CHECK error in resolver.c”, the ISC says in its announcement.
CVE-2013-3919 says BIND 9.6-ESV-R9, 9.8.5 and 9.9.3 are affected by the bug. While older versions aren’t affected, ISC notes that they’re also unsupported and could be carrying other unpatched vulnerabilities.
“At the time of this advisory no intentional exploitation of this bug has been observed in the wild. However, the existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability, in accordance with our Phased Disclosure Process”, the ISC announcement says.
The ISC notes that while it hasn’t observed any exploits in the wild, it has been discussed on mailing lists “with enough accompanying detail to reverse engineer an attack.”
Upgraded versions can be downloaded here. ®