Upstream has released BIND versions 9.9.1-P2, 9.8.3-P2, 9.7.6-P2, and 9.6-ESV-R7-P2 to correct the following flaw: BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure. This bug cannot be encountered unless your server is doing DNSSEC validation. 9.4 and 9.5 are also reported to be affected by this flaw; it's likely that 9.3 is as well. External Reference: https://kb.isc.org/article/AA-00729
Created bind tracking bugs for this issue Affects: fedora-all [bug 842900]
Created attachment 600171 [details] patch to correct CVE-2012-3817 This patch is derived from a diff of 9.6-ESV-R7-P1 and -P2. There were two other things fixed in -P2, but I'm pretty certain this is all that is required to correct this flaw, but it should probably be double-checked.
Just to note that bind 9.2.4 (as provided in Red Hat Enterprise Linux 4) is not affected by this issue as it does not contain the vulnerable code.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1122 https://rhn.redhat.com/errata/RHSA-2012-1122.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:1123 https://rhn.redhat.com/errata/RHSA-2012-1123.html
bind-9.8.3-3.P2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.9.1-5.P2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.