BIND: cache incorrectly allows a ncache entry and a rrsig for the same type
Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST).
CVSS: 7.8 - (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more on CVSS scores and to calculate your environment's specific risk, please visit: CVSS Calculator:
Impact and Risk Assessment:
The INSIST crashes the server.
This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.
The versions listed below are supported by ISC. All other versions are End of Life, and will not be patched. If you are running a version not listed below, you should upgrade as soon as possible.
- 9.4.x: upgrade to 9.4-ESV-R4, or newer
- 9.6.x: upgrade to 9.6.2-P3 or newer
- 9.6-ESV: upgrade to 9.6-ESV-R3 or newer
- 9.7.x: upgrade to 9.7.2-P3
Acknowledgment: Shinichi Furuso
24 Nov 2010: Corrected/Updated: Versions affected, CVSS Score, Impact and Risk Assessment and Solution
14 Dec 2010: Updated Versions Affected, Solution and Acknowledgement
For more information please contact email@example.com
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC