It was found that if the lightweight resolver is asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length, the server can terminate due to an error. If configured to use the lwres lightweight resolver protocol accepting remote client connections, a remote attacker can cause a DoS by submitting a large query.
External Reference: https://kb.isc.org/article/AA-01393/
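
A configuration check for the exposure condition named in the description above (lwres accepting remote client connections), as an added example that is not part of the bug report or of BIND's code. It assumes the `lwres` statement syntax of a BIND 9.9/9.10 `named.conf`, where an omitted `listen-on` defaults to 127.0.0.1 port 921; the sample configuration and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample named.conf fragment (not taken from the bug report).
SAMPLE_CONF = """
options { directory "/var/named"; };
// local-only resolver: listen-on omitted, so the default applies
lwres { search { example.com; }; ndots 1; };
lwres {
    listen-on { 127.0.0.1; 192.0.2.10 port 921; };  # reachable remotely
    view "internal";
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_body(text, start):
    """Return the text between the brace at `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")

def audit_lwres(conf):
    """List each lwres block's listen addresses and the non-loopback ones."""
    conf = strip_comments(conf)
    findings = []
    for m in re.finditer(r"\blwres\s*\{", conf):
        body = block_body(conf, m.end() - 1)
        lo = re.search(r"\blisten-on\s*\{", body)
        if lo:
            entries = block_body(body, lo.end() - 1).split(";")
            addrs = [e.split()[0] for e in entries if e.strip()]
        else:
            addrs = ["127.0.0.1"]  # assumed default when listen-on is omitted
        exposed = [a for a in addrs if not ipaddress.ip_address(a).is_loopback]
        findings.append({"listen": addrs, "remote": exposed})
    return findings
```

An empty result means no `lwres` statement is present; any entry with a non-empty `remote` list is a resolver instance that accepts lwres requests on a non-loopback address.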
Created bind tracking bugs for this issue: Affects: fedora-all [bug 1357804]
Created bind99 tracking bugs for this issue: Affects: fedora-all [bug 1357805]
bind99-9.9.9-1.P2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.10.4-1.P2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
bind99-9.9.9-1.P2.fc23, dhcp-4.3.3-10.P1.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.10.4-1.P2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This flaw in BIND was fixed for RHEL 6.9 in RHBA-2017:0651. https://access.redhat.com/errata/RHBA-2017:0651
Upstream commit:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=38cc2d14e218e536e0102fa70deef99461354232
The following are related documentation-only updates:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=429701008e672edc50d33c83d983ba096fee5f13
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=909d442cc0bed4337760419fa135c98224a79c73
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.3 Extended Update Support
  Red Hat Enterprise Linux 7.2 Extended Update Support
Via RHSA-2017:2533 https://access.redhat.com/errata/RHSA-2017:2533
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-2775