ISC Information for VU#803539

Multiple vendors' Domain Name System (DNS) stub resolvers vulnerable to buffer overflows



Vendor Statement

All versions of BIND 4 from 4.8.1 prior to BIND 4.9.9 are vulnerable.

All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.

The status of BIND 4.8 is unknown; assume that it is vulnerable.

BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.

'named' itself is not vulnerable.

Updated releases can be found at:

BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind). This will be updated with the next BIND 9 releases (9.2.2/9.3.0); in the meantime, please use the original in BIND 8.3.3.

Vendors wishing additional patches should contact
Queries about BIND 4 and BIND 8 should be addressed to
Queries about BIND 9 should be addressed to

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The resolver library included in BIND 9.2.0 and 9.2.1 is a copy of the vulnerable resolver library included with BIND 8.3.x. In BIND 9, the vulnerable 8.3.x resolver library (libbind) is not built or installed by default unless BIND 9 is configured with the "--enable-libbind" option. BIND 9.2.2 is not vulnerable since it includes the updated resolver library (libbind) from BIND 8.3.3.

ISC has documented this issue on the BIND Vulnerabilities page of the ISC web site under the heading "libbind buffer overflow" and in a status update to the bind-announce mailing list.
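
The version ranges above can be turned into an inventory check. The following Python is an added example, not code from ISC or from this advisory; the function names, the `libbind_built` flag and the sample inventory are assumptions constructed for illustration. Because 'named' itself is not affected, the version to check is that of the resolver library applications are linked against.

```python
import re

# Verdicts; the version ranges below are transcribed from the statement above.
VULNERABLE = "vulnerable"
ASSUME_VULNERABLE = "status unknown, assume vulnerable"
NOT_VULNERABLE = "not vulnerable"
NOT_COVERED = "not covered by this statement"


def parse_version(text):
    """Return (major, minor, patch) from e.g. '8.2.2-P5', '4.9.8-REL' or 'BIND 4.8'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def classify(text, libbind_built=True):
    """Classify the resolver library shipped with a BIND release."""
    # libbind_built matters only for 9.2.0/9.2.1 (--enable-libbind builds).
    v = parse_version(text)
    if v[0] == 4:
        if (4, 8, 1) <= v < (4, 9, 9):
            return VULNERABLE
        if v == (4, 8, 0):
            return ASSUME_VULNERABLE
        return NOT_VULNERABLE if v >= (4, 9, 9) else NOT_COVERED
    if v[0] == 8:
        if v < (8, 2, 6) or (8, 3, 0) <= v < (8, 3, 3):
            return VULNERABLE
        return NOT_VULNERABLE if v < (8, 4, 0) else NOT_COVERED
    if v[0] == 9:
        if v in ((9, 2, 0), (9, 2, 1)):
            return VULNERABLE if libbind_built else NOT_VULNERABLE
        if v < (9, 2, 0) or v == (9, 2, 2):
            return NOT_VULNERABLE
    return NOT_COVERED


# Constructed sample inventory: (host, resolver version, libbind built?)
INVENTORY = [("mail1", "8.2.2-P5", True), ("web3", "8.3.3-REL", True),
             ("ns2", "9.2.1", False), ("old7", "4.8", True)]

if __name__ == "__main__":
    for host, version, libbind in INVENTORY:
        print(f"{host:6} {version:10} {classify(version, libbind)}")
```

Releases the statement does not name are reported as not covered instead of being guessed at, and `libbind_built` defaults to the conservative value.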
