
Micha Krause

#51815 of 53,633
4.3 Total CVSS
Vulnerabilities · 1
PT-2009-6689
4.3
1970-01-01
Isc · Libisc45 · CVE-2009-0696
**Name of the Vulnerable Software and Affected Versions**

- ISC BIND versions prior to 9.4.3-P3
- ISC BIND versions prior to 9.5.1-P3
- ISC BIND versions prior to 9.6.1-P1
- liblwres40 (affected versions not specified)
- libisccfg40 (affected versions not specified)
- libisc45 (affected versions not specified)
- libisccc40 (affected versions not specified)
- libdns45 (affected versions not specified)

**Description**

The issue concerns multiple vulnerabilities in the ISC BIND software and various Debian GNU/Linux packages, which can lead to a denial of service. The vulnerabilities can be exploited remotely. Specifically, the `dns_db_findrdataset` function in `db.c` in `named` in ISC BIND, when configured as a master server, allows remote attackers to cause a denial of service via an ANY record in the prerequisite section of a crafted dynamic update message. This type of attack has been exploited in the wild.

**Recommendations**

- For ISC BIND versions prior to 9.4.3-P3, update to version 9.4.3-P3 or later.
- For ISC BIND versions prior to 9.5.1-P3, update to version 9.5.1-P3 or later.
- For ISC BIND versions prior to 9.6.1-P1, update to version 9.6.1-P1 or later.
- For liblwres40, libisccfg40, libisc45, libisccc40, and libdns45, at the moment, there is no information about a newer version that contains a fix for this vulnerability.