The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts:
- The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to the article in this Knowledgebase on the vulnerability.
- The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top. If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it. If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.
For example, if you use the top table to look up CVE-2017-3140, you will see that it cross references to #88. You can look for column #88 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.11.1 you would know to upgrade.
We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.
Vulnerability information for EOL (End of Life) versions of BIND 9 (9.0 through 9.10) and below are included only for vulnerabilities discovered before (or in some cases shortly after) the EOL date. These versions are all known to be affected by some vulnerabilities discovered after their EOL date.
Listing of Vulnerabilities affecting current branches of BIND
BIND 9.11 Supported Preview edition
If you'd like more information on our product support or about our BIND Subscription version, please visit https://www.isc.org/bind-subscription-2/.