Joao Damas

**Name of the Vulnerable Software and Affected Versions** BIND versions prior to 9.2.6-P1 BIND versions 9.3.x prior to 9.3.2-P1 **Description** The issue allows remote attackers to cause a denial of service, resulting in a crash, by sending a flood of recursive queries. This leads to an INSIST failure when the response is received after the recursion queue is empty. **Recommendations** For versions prior to 9.2.6-P1, update to version 9.2.6-P1 or later. For versions 9.3.x prior to 9.3.2-P1, update to version 9.3.2-P1 or later.

**Name of the Vulnerable Software and Affected Versions** BIND versions 9.2.x through 9.2.6 and 9.3.x through 9.3.2 **Description** The issue allows a remote attacker to cause a denial of service (crash) via certain SIG queries, which cause an assertion failure when multiple RRsets are returned. **Recommendations** For versions 9.2.x through 9.2.6, update to version 9.2.6-P1 or later. For versions 9.3.x through 9.3.2, update to version 9.3.2-P1 or later.

**Name of the Vulnerable Software and Affected Versions** BIND versions 8.4.4 through 8.4.5 **Description** A buffer overflow issue exists in the code for recursion and glue fetching, allowing remote attackers to cause a denial of service by crashing the system via queries that trigger the overflow in the q usedns array, which tracks nameservers and addresses. **Recommendations** For BIND versions 8.4.4 through 8.4.5, consider restricting access to the recursion and glue fetching functionality until a patch is available. As a temporary workaround, limit the use of the q usedns array to prevent the buffer overflow. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BIND version 9.3.0 **Description** The issue is caused by an "incorrect assumption" in the `authvalidated` validator function when DNSSEC is enabled. This allows remote attackers to cause a denial of service, resulting in the named server exiting, by sending crafted DNS packets that cause an internal consistency test to fail. **Recommendations** For BIND version 9.3.0, consider disabling DNSSEC until a patch is available to prevent the denial of service. Additionally, restrict access to the `authvalidated` validator function to minimize the risk of exploitation.