BIND bashes bugs

The folk who maintain the ubiquitous BIND DNS server have issued a patch for two bugs, one of them serious.

Most of the time, organisations treat denial-of-service bugs as less serious than, for example, information disclosure or remote code execution bugs.

BIND, however, is special: it's a fundamental part of the Internet infrastructure, so CVE-2016-2776 matters. It allows a crafted query to crash the name server daemon, whether it's running in authoritative, recursive, or forwarding mode.

From ISC: “ A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.

“This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query').”

In the second, CVE-2016-2775, systems configured with the lwresd component enabled can crash processing a long request name.

First discovered in July 2016, the bug is outlined here.

ISC has patched the faults in its distribution; various Linux distros are shipping fixes in their own BIND implementations. ®