Subject: [ASA-201609-29] bind: denial of service

Arch Linux Security Advisory ASA-201609-29
==========================================

Severity: High
Date    : 2016-09-27
CVE-ID  : CVE-2016-2776
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-36

Summary
=======

The package bind before version 9.10.4.P3-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 9.10.4.P3-1.

# pacman -Syu "bind>=9.10.4.P3-1"

The problem has been fixed upstream in version 9.10.4.P3.

Workaround
==========

None.

Description
===========

Testing by ISC has uncovered a critical error condition which can occur
when a nameserver is constructing a response. A defect in the rendering
of messages into packets can cause named to exit with an assertion
failure in buffer.c while constructing a response to a query that meets
certain criteria.

This assertion can be triggered even if the apparent source address
isn't allowed to make queries (i.e. doesn't match 'allow-query').

Impact
======

A remote attacker is able to perform a denial of service attack via a
specially crafted request.

References
==========

https://kb.isc.org/article/AA-01419/0
https://security.archlinux.org/CVE-2016-2776