A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the cache. While the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer having the required properties, after having engineered a scenario whereby an ANY query is sent to the recursive server for the target QNAME. A recursive server will itself only send a query of type ANY if it receives a client query of type ANY for a QNAME for which it has no RRsets at all in cache, otherwise it will respond to the client with the the RRsets that it has available. This vulnerability occurs during the processing of an answer packet received in response to a query. As a result, recursive servers are at the greatest risk; authoritative servers are at risk only to the extent that they perform a limited set of queries. This description is borrowed from the upstream advisory.
Acknowledgments: Name: ISC
Created bind tracking bugs for this issue: Affects: fedora-all [bug 1412459]
Created bind99 tracking bugs for this issue: Affects: fedora-all [bug 1412460]
External References: https://kb.isc.org/article/AA-01439
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0062 https://rhn.redhat.com/errata/RHSA-2017-0062.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Extended Update Support Via RHSA-2017:1583 https://access.redhat.com/errata/RHSA-2017:1583