Urgent patching required: BIND CVE 2016-2776

2016-09-28 - News - Tony Finch

Yesterday evening, ISC.org announced a denial-of-service vulnerability in BIND's buffer handling. The crash can be triggered even if the apparent source address is excluded by BIND's ACLs (allow-query).

All servers are vulnerable if they can receive request packets from any source.

Most machines on the CUDN are protected to a limited extent from outside attack by the port 53 packet filter. DNS servers that have an exemption are much more at risk.


I am in the process of patching our central DNS servers; you should patch yours too.

(This is another bug found by ISC.org's fuzz testing campaign; they have slowed down a lot since the initial rush that started about a year ago; the last one was in March.)