I. Description Six vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers. Vulnerability #1: the "nxt bug" Some versions of BIND fail to properly validate NXT records. This improper validation could allow an intruder to overflow a buffer and execute arbitrary code with the privileges of the name server. NXT record support was introduced in BIND version 8.2. Prior versions of BIND, including 4.x, are not vulnerable to this problem. The ISC-supplied version of BIND corrected this problem in version 8.2.2. Vulnerability #2: the "sig bug" This vulnerability involves a failure to properly validate SIG records, allowing a remote intruder to crash named; see the impact section for additional details. SIG record support is found in multiple versions of BIND, including 4.9.5 through 8.x. Vulnerability #3: the "so_linger bug" By intentionally violating the expected protocols for closing a TCP session, remote intruders can cause named to pause for periods up to 120 seconds. Vulnerability #4: the "fdmax bug" Remote intruders can consume more file descriptors than BIND can properly manage, causing named to crash. Vulnerability #5: the "maxdname bug" Improper handling of certain data copied from the network could allow a remote intruder to disrupt the normal operation of your name server, possibly including a crash. Vulnerability #6: the "naptr bug" Some versions of BIND fail to validate zone information loaded from disk files. In environments with unusual combinations of permissions and protections, this could allow an intruder to crash named.
bind 8.2.2.P5 has been released to resolve this problem - but isn't available from RH as of yet.
We're well aware of those and have released fixed packages several weeks ago. Look at your favorite updates mirror.
Actually 8.2.2P5 *is* available from Red Hat, in Raw Hide. 8.2.2P3 (with a p4 patch applied) is available for older versions in the updates directory on the ftp server. 8.2.2P5 does *NOT* fix any security problems, and does *NOT* have any other important fixes 8.2.2P4 doesn't have, so there's no reason to issue yet another update for the older versions.