Security Advisory

Last modified: May 21, 2014

If you suspect you have found a security defect in BIND or DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, ISC encourages you to get in touch with our Security Officer by selecting the appropriate pull-down on the Bug Report Form.

Alternatively, you can email us at security-officer@isc.org. However, plain-text e-mail is not a secure choice for communications concerning undisclosed security issues, so we ask that you encrypt your communications to us using the ISC Security Officer public key.

Learn more about the Security Vulnerability Disclosure Policy at https://kb.isc.org/article/AA-00861/0


Reporting a Bug

  • You may report BIND or DHCP bugs, or request features, by using the Bug Report Form.

You may also use email, if you prefer:

  • To report a bug in BIND, other than a security issue, please contact us via bind9-bugs@isc.org
  • To report a bug in ISC DHCP, other than a security issue, please contact us via dhcp-bugs@isc.org

For a listing of security vulnerabilities in BIND 9, visit the BIND 9 Vulnerabilities Matrix in ISC’s Knowledge Base.

As of October 2010, ISC uses CVSS, a program of first.org and NIST, to determine the severity of potential security issues.

BIND

A specially crafted query sent to a BIND nameserver can cause it to crash with a REQUIRE assertion error. [...]
Wed, May 28, 2014
Source: BIND Security Advisory
A defect in the prefetch feature can cause named to crash when handling some queries. [...]
Mon, May 05, 2014
Source: BIND Security Advisory
This page provides supplemental information for the CVE-2014-0591 Security Advisory (CVE-2014-0591: A Crafted Query Against an NSEC3-signed Zone Can Crash BIND.) What causes [...]
Mon, Jan 13, 2014
Source: BIND Security Advisory
An unintentional defect in the handling of NSEC3-signed zones can cause BIND to be crashed by a specific set of queries. [...]
Mon, Jan 13, 2014
Source: BIND Security Advisory
A Winsock library call on some Windows systems can return an incorrect value for an interface's netmask, potentially causing unexpected matches to BIND's built-in "localnets" Access Control List. [...]
Tue, Nov 05, 2013
Source: BIND Security Advisory

[Complete List]

ISC DHCP

A memory exhaustion bug has been discovered in libdns, which is used by ISC DHCP 4.2. Theoretically this could be exploited to cause memory exhaustion in ISC DHCP 4.2. [...]
Mon, Mar 18, 2013
Source: DHCP Security Advisory
Title: Memory Leaks Found In ISC DHCP [...]
Mon, Jul 23, 2012
Source: DHCP Security Advisory
Title: An error in the handling of unexpected client identifiers can cause a server crash when serving DHCPv6. [...]
Mon, Jul 02, 2012
Source: DHCP Security Advisory
An error in the handling of malformed client identifiers can cause a denial-of-service condition in affected servers. [...]
Mon, Jul 02, 2012
Source: DHCP Security Advisory

[Complete List]