The following flaw, reported by ISC, was found in all versions of BIND 9 (9.0.x -> 9.8.x, 9.9.0 -> 9.9.9-P2, 9.9.3-S1 -> 9.9.9-S3, 9.10.0 -> 9.10.4-P2): A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query'). This flaw is fixed in upstream versions 9.9.9-P3 and 9.10.4-P3.
Acknowledgments: Name: ISC
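For triaging an inventory against the affected ranges in the flaw description above, here is an added example (not part of the original report, and not ISC or Red Hat code). It assumes plain upstream version strings; the names `parse_version`, `AFFECTED` and `listed_as_affected` are hypothetical. Distribution packages with backported fixes are rejected rather than compared, and must be checked against the vendor errata instead.

```python
import re

# Upstream BIND 9 version: major.minor.patch with an optional -P<n> or -S<n>
# suffix, optionally preceded by the word "BIND".
_VERSION = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?$")


def parse_version(text):
    """Return ((major, minor, patch, n), edition) for an upstream version."""
    m = _VERSION.match(text.strip())
    if m is None:
        # Pre-releases and vendor builds (backported fixes) are out of scope:
        # an upstream range comparison says nothing reliable about them.
        raise ValueError(f"not a plain upstream BIND 9 version: {text!r}")
    major, minor, patch, kind, n = m.groups()
    key = (int(major), int(minor), int(patch), int(n or 0))
    return key, ("S" if kind == "S" else "main")


# Inclusive affected ranges, transcribed from the flaw description above.
# -S releases are compared only against the -S range.
AFFECTED = [
    ("main", (9, 9, 0, 0), (9, 9, 9, 2)),    # 9.9.0 -> 9.9.9-P2
    ("S",    (9, 9, 3, 1), (9, 9, 9, 3)),    # 9.9.3-S1 -> 9.9.9-S3
    ("main", (9, 10, 0, 0), (9, 10, 4, 2)),  # 9.10.0 -> 9.10.4-P2
]


def listed_as_affected(text):
    """True if the version falls inside a range listed in the report.

    False means "not in a listed range", not "verified safe".
    """
    key, edition = parse_version(text)
    # 9.0.x -> 9.8.x: every release on these branches is listed as affected.
    if key[0] == 9 and 0 <= key[1] <= 8:
        return True
    return any(ed == edition and low <= key <= high
               for ed, low, high in AFFECTED)


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the report.
    for v in ["9.8.4", "9.9.9-P2", "9.9.9-P3", "9.9.9-S3", "BIND 9.10.4-P3"]:
        print(v, "->", "affected" if listed_as_affected(v) else "not listed")
```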
Created bind tracking bugs for this issue: Affects: fedora-all [bug 1379818]
Created bind99 tracking bugs for this issue: Affects: fedora-all [bug 1379819]
External References: https://kb.isc.org/article/AA-01419/0
This issue has been addressed in the following products: Red Hat Enterprise Linux 5. Via RHSA-2016:1945 https://rhn.redhat.com/errata/RHSA-2016-1945.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 5. Via RHSA-2016:1944 https://rhn.redhat.com/errata/RHSA-2016-1944.html
An exploit for this flaw is now public. For details see the following links: https://github.com/infobyte/CVE-2016-2776/blob/master/namedown.py https://github.com/rapid7/metasploit-framework/pull/7382 http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html
Upstream commit: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=2bd0922cf995b9ac205fc83baf7e220b95c6bf12
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support, Red Hat Enterprise Linux 6.6 Extended Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.5 Telco Extended Update Support. Via RHSA-2016:2099 https://rhn.redhat.com/errata/RHSA-2016-2099.html