DescriptionMistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-957-1, DSA-3854-1
Debian Bugs860225

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)bullseye (security), bullseye1:9.16.48-1fixed
bookworm, bookworm (security)1:9.18.24-1fixed
sid, trixie1:9.19.24-185-g392e7199df2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Additional information for backporting patch:
Fixed by (9.10.x):;a=commitdiff;h=69fd759b4aa02047e42e5cf4227f8257c4547988
Fixed by (9.10.x):;a=commitdiff;h=6841d7b854c15df9ec56cab38da201b315bbcabb (reimplentation)
Fixed by (9.10.x):;a=commitdiff;h=7ab9e8e00775782d474522a5b2bffba8daefefa5 (regression fix)

Search for package or bug name: Reporting problems