A flaw was found in the way BIND handled trust anchor management. A remote attacker could use this flaw to cause the BIND daemon (named) to crash under certain conditions.
It was reported that a problem with trust anchor management can cause named to crash, affecting BIND versions 9.7.0+.
ISC developers believe that it will be very difficult for this to be triggered in most cases, requiring DNSSEC validation amongst other factors.
ISC will not be producing patches specifically for BIND 9.8 or BIND 9.6-ESV, both of which are beyond their End of Life (EOL) and are no longer supported by ISC.
Patches that correct this issue for ISC BIND 9.10.1 and ISC BIND 9.9.6 are attached to this Bugzilla.
Created attachment 993044
Created attachment 993045
Red Hat would like to thank ISC for reporting this issue.
Looking at bind9-patch-v9_9_6-CVE-2015-1349, and at RHEL code, it appears that RHEL 5 (bind-9.3.6-P1) is not affected by this (does not contain affected code), and both RHEL-6 (bind-9.8.2rc1) and RHEL-7 (bind-9.9.4) are affected by this issue.
There is also a bind97 component in RHEL-5 which, according to upstream, is also affected.
Setting NEEDINFO due to comment #6.
bind-9.9.6-8.P1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.9.4-18.P2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2015:0672 https://rhn.redhat.com/errata/RHSA-2015-0672.html
Red Hat Enterprise Linux 5 ships with both bind (9.3) packages which are not affected by this issue, and bind97 packages, which are affected by this issue.
Red Hat Enterprise Linux 5 is now in Production Phase 3 of the support and maintenance life cycle. This issue is not currently planned to be addressed in future bind97 updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.