Yuval Shavitt

**Name of the Vulnerable Software and Affected Versions** BIND 9 versions 9.0.0 through 9.16.45 BIND 9 versions 9.18.0 through 9.18.21 BIND 9 versions 9.19.0 through 9.19.19 BIND 9 versions 9.9.3-S1 through 9.11.37-S1 BIND 9 versions 9.16.8-S1 through 9.16.45-S1 BIND 9 versions 9.18.11-S1 through 9.18.21-S1 **Description** The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. A remote attacker could exploit this vulnerability to trigger an assertion failure by querying RFC 1918 reverse zones. **Recommendations** For BIND 9 versions 9.0.0 through 9.16.45, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.18.0 through 9.18.21, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.19.0 through 9.19.19, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.9.3-S1 through 9.11.37-S1, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.16.8-S1 through 9.16.45-S1, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.18.11-S1 through 9.18.21-S1, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the `named` instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BIND 9 versions 9.11.0 through 9.16.41 BIND 9 versions 9.18.0 through 9.18.15 BIND 9 versions 9.19.0 through 9.19.13 BIND 9 versions 9.11.3-S1 through 9.16.41-S1 BIND 9 versions 9.18.11-S1 through 9.18.15-S1 **Description** The effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This can lead to a denial of service, caused by a flaw that allows the named's configured cache size limit to be significantly exceeded, potentially exhausting all memory on the host. **Recommendations** For BIND 9 versions 9.11.0 through 9.16.41, update to a version that includes a fix for this issue. For BIND 9 versions 9.18.0 through 9.18.15, update to a version that includes a fix for this issue. For BIND 9 versions 9.19.0 through 9.19.13, update to a version that includes a fix for this issue. For BIND 9 versions 9.11.3-S1 through 9.16.41-S1, update to a version that includes a fix for this issue. For BIND 9 versions 9.18.11-S1 through 9.18.15-S1, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the `named` instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11.5 **Description** The issue is related to the lack of protection for internal data in the Tcl component of the operating system. It can be exploited by a remote attacker to obtain sensitive information by leveraging SSLv2 support. **Recommendations** For Apple OS X versions prior to 10.11.5, update to version 10.11.5 or later to resolve the issue. As a temporary workaround, consider disabling SSLv2 support to minimize the risk of exploitation.