BIND 9 Security Vulnerability Matrix - 9.11
  • 18 May 2022
  • 9 Minutes to read
  • Contributors
  • PDF

BIND 9 Security Vulnerability Matrix - 9.11

  • PDF

Article summary

The BIND versions listed in this article are EOL
This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.11 branch during (or very shortly after) its lifetime. It is almost certain that it will be affected by some vulnerabilities discovered after the EOL date (March 2022) but those will not be listed here.

This article has two parts:

  • The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to our Knowledgebase article on the vulnerability.
  • The second part is a table listing all of the releases in this branch along the side and vulnerabilities along the top. If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it. If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

See the matrix for current branches for more information about how to interpret these tables.

We do not generally list alpha, beta, or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

Using obsolete versions of BIND
We recommend that you not use obsolete versions of any ISC software. It was updated for a reason.

Listing of Vulnerabilities affecting BIND 9.11

# CVE Number Short Description
129 2022-1183 Destroying TLS session early triggers assertion failure
128 2022-0667 Assertion failure on delayed DS lookup
127 2022-0635 DNAME insist with synth-from-dnssec enabled
126 2022-0396 DoS from specifically crafted TCP packets
125 2021-25220 DNS forwarders - cache poisoning vulnerability
124 2021-25219 Lame cache can be abused to severely degrade resolver performance
123 2021-25218 A too-strict assertion check could be triggered when responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if RRL is in use
122 2021-25216 A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
121 2021-25215 Crash while answering queries for DNAME records that require the DNAME to be processed to resolve itself
120 2021-25214 A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly
119 2020-8625 A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
118 2020-8624 update-policy" rules of type "subdomain" are enforced incorrectly
117 2020-8623 A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
116 2020-8622 A truncated TSIG response can lead to an assertion failure
115 2020-8621 Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c"
114 2020-8620 A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
113 2020-8619 An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c
112 2020-8618 A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer
111 2020-8617 A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c
110 2020-8616 BIND does not sufficiently limit the number of fetches when chasing referrals
109 2019-6477 TCP-pipelined queries can bypass tcp-clients limit
108 2019-6476 An error in QNAME minimization code can cause BIND to exit with an assertion failure
107 2019-6475 A flaw in mirror zone validity checking can allow zone data to be spoofed
106 2019-6471 A race condition when discarding malformed packets can cause BIND to exit with an assertion failure
105 2019-6469 BIND Supported Preview Edition can exit with an assertion failure if ECS is in use
104 2019-6468 BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used
103 2019-6467 An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c
102 2018-5743 Limiting simultaneous TCP clients is ineffective
101 2019-6465 Zone transfer controls for writable DLZ zones were not effective
100 2018-5745 An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
99 2018-5744 A specially crafted packet can cause named to leak memory
98 2018-5741 Update policies krb5-subdomain and ms-subdomain do not enforce controls promised in their documentation
97 2018-5740 A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named
96 2018-5738 Some versions of BIND can improperly permit recursive query service to unauthorized clients
95 2018-5737 BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled
94 2018-5736 Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c
93 2018-5734 A malformed request can trigger an assertion failure in badcache.c
92 2017-3145 Improper fetch cleanup sequencing in the resolver can cause named to crash
91 2017-3143 An error in TSIG handling can permit unauthorized dynamic updates
90 2017-3142 An error in TSIG handling can permit unauthorized zone transfers
89 2017-3141 Windows service and uninstall paths are not quoted when BIND is installed
88 2017-3140 An error processing RPZ rules can cause named to loop endlessly after handling a query
87 2017-3139 [Red Hat] assertion failure in DNSSEC validation
86 2017-3138 named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
85 2017-3137 A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
84 2017-3136 An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
83 2017-3135 Combination of DNS64 and RPZ Can Lead to Crash
82 2016-9778 An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c
81 2016-9444 An unusually-formed DS record response could cause an assertion failure
80 2016-9147 An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
79 2016-9131 A malformed response to an ANY query can cause an assertion failure during recursion
78 2016-8864 A problem handling responses containing a DNAME answer can lead to an assertion failure
Why don't the reference numbers begin at 1?
Our reference numbering started with BIND 8. We have since separated the information for BIND 8 and also obsolete branches of BIND 9. To reduce the possibility of confusion when referring to the individual pages we have chosen to maintain uniform numbering across all of them matching the historic numbering, including gaps where some reports affected only BIND 8. As major branches of BIND have reached EOL (End of Life), the lowest numbered vulnerability affecting our current versions has increased. Issues only affecting obsolete branches of BIND have been moved to a separate section later in this KB.

BIND 9.11

(EOL March 2022; final matrix update 2022-05-18)

ver/CVE 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129
9.11.37
9.11.36 +
9.11.35 + +
9.11.34 + +
9.11.33 + +
9.11.32 + +
9.11.31 + +
9.11.30 + +
9.11.29 + + + + +
9.11.28 + + + + +
9.11.27 + + + + + +
9.11.26 + + + + + +
9.11.25 + + + + + +
9.11.24 + + + + + +
9.11.23 + + + + + +
9.11.22 + + + + + +
9.11.21 + + + + + + + + +
9.11.20 + + + + + + + + +
9.11.19 + + + + + + + + + +
9.11.18 + + + + + + + + + + + +
9.11.17 + + + + + + + + + + + +
9.11.16 + + + + + + + + + + + +
9.11.15 + + + + + + + + + + + +
9.11.14 + + + + + + + + + + + +
9.11.13 + + + + + + + + + + +
9.11.12 + + + + + + + + + + + +
9.11.11 + + + + + + + + + + + +
9.11.10 + + + + + + + + + + + +
9.11.9 + + + + + + + + + + + +
9.11.8 + + + + + + + + + + + +
9.11.7 + + + + + + + + + + + + +
9.11.6-P1 + + + + + + + + + + + + +
9.11.6 + + + + + + + + + + + + +
9.11.5-P4 + + + + + + + + + + + + +
9.11.5-P1 + + + + + + + + + + + + + + + +
9.11.5 + + + + + + + + + + + + + + + +
9.11.4-P2 + + + + + + + + + + + + + + + +
9.11.4-P1 + + + + + + + + + + + + + + + + +
9.11.4 + + + + + + + + + + + + + + + + + +
9.11.3 + + + + + + + + + + + + + + + + + +
9.11.2-P1 + + + + + + + + + + + + + + + +
9.11.2 + + + + + + + + + + + + + + + + +
9.11.1-P2 + + + + + + + + + + + + + + + + +
9.11.1-P1 + + + + + + + + + + + + + + + + + + +
9.11.1 + + + + + + + + + + + + + + + + + + + + +
9.11.0-P5 + + + + + + + + + + + + + + + + + + + + +
9.11.0-P4 + + + + + + + + + + + + + + + + + + + + + +
9.11.0-P3 + + + + + + + + + + + + + + + + + + + + + + + +
9.11.0-P2 + + + + + + + + + + + + + + + + + + + + + + + +
9.11.0-P1 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
9.11.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + +