As per upstream advisory: A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. An attacker who can deliberately trigger the condition on a server with a vulnerable configuration can cause BIND to exit, denying service to other clients.
Acknowledgments: Name: ISC
Statement: The most common BIND configuration affected by this flaw is one in which the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.
Mitigation: Exploitation of this defect can be effectively prevented by disabling the nxdomain-redirect feature in the nameserver's configuration.
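An added example, not part of the advisory or of BIND itself: a small audit script that flags the configuration described above, where the `nxdomain-redirect` namespace is a descendant of a zone the server serves locally. The sample configuration, the zone names, and the set of zone types treated as "served locally" are assumptions made for illustration.

```python
import re

# Assumption: these zone types count as "served locally" for this check.
LOCAL_TYPES = {"master", "primary", "slave", "secondary", "mirror"}
ZONE_RE = re.compile(r'\bzone\s+"([^"]*)"[^{;]*\{')
TYPE_RE = re.compile(r'\btype\s+([\w-]+)\s*;')
REDIRECT_RE = re.compile(r'\bnxdomain-redirect\s+"?([^";\s]+)"?\s*;')

def strip_comments(text):
    # Simplification: does not protect comment markers inside quoted strings.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_body(text, open_idx):
    # Return the text between the brace at open_idx and its matching close.
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    return text[open_idx + 1:]

def normalize(name):
    # Lower-case and drop the trailing dot; "" stands for the root zone.
    return name.strip().lower().rstrip(".")

def is_descendant(child, parent):
    # Strictly below parent in the DNS tree (every other name is below root).
    return child != parent and (parent == "" or child.endswith("." + parent))

def find_risky_redirects(conf):
    # Views are flattened: every local zone is compared with every redirect.
    conf = strip_comments(conf)
    local = set()
    for m in ZONE_RE.finditer(conf):
        t = TYPE_RE.search(block_body(conf, m.end() - 1))
        if t and t.group(1).lower() in LOCAL_TYPES:
            local.add(normalize(m.group(1)))
    return [(normalize(r.group(1)) or ".", z or ".")
            for r in REDIRECT_RE.finditer(conf)
            for z in sorted(local)
            if is_descendant(normalize(r.group(1)), z)]

# Constructed sample: recursive server that also mirrors the root zone.
SAMPLE = '''
options { recursion yes; nxdomain-redirect "redirect.example"; };  // alt namespace
zone "." { type mirror; };
zone "internal.test" { type master; file "internal.db"; };
'''
if __name__ == "__main__":
    for ns, zone in find_risky_redirects(SAMPLE):
        print(f"nxdomain-redirect {ns!r} is below locally served zone {zone!r}")
```

Each finding is a `(redirect namespace, local zone)` pair; an empty list means no such pairing was found in the file that was scanned.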
Created attachment 1557980: Patch against bind-9.12.4-P1
Created attachment 1557981: Patch against bind-9-14-1
External References: https://kb.isc.org/docs/cve-2019-6467
In reply to comment #9:
> New security release available:
>
> https://ftp.isc.org/isc/bind9/9.14.1/RELEASE-NOTES-bind-9.14.1.html

Another release note mentioning the CVE-2019-6467 fix:
Experimental development branch 9.15.3: https://downloads.isc.org/isc/bind9/9.15.3/RELEASE-NOTES-bind-9.15.3.html