CVE-2009-4022

NameCVE-2009-4022
DescriptionUnspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1961-1
NVD severitylow

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)stretch (security), stretch1:9.10.3.dfsg.P4-12.3+deb9u6fixed
buster, buster (security)1:9.11.5.P4+dfsg-5.1+deb10u1fixed
bullseye, sid1:9.16.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9sourceetch1:9.3.4-2etch6DSA-1961-1
bind9sourcelenny1:9.5.1.dfsg.P3-1+lenny1DSA-1961-1
bind9source(unstable)1:9.6.1.dfsg.P2-1medium

Notes

https://www.isc.org/node/504
Only affects installations with trust anchors, but then the
consequences are quite severe.

Search for package or bug name: Reporting problems