CVE-2017-3145

NameCVE-2017-3145
DescriptionBIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1255-1, DSA-4089-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)bullseye1:9.16.50-1~deb11u2fixed
bullseye (security)1:9.16.50-1~deb11u1fixed
bookworm, bookworm (security)1:9.18.28-1~deb12u2fixed
trixie1:9.20.4-2fixed
sid1:9.20.4-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9sourcewheezy1:9.8.4.dfsg.P1-6+nmu2+deb7u19DLA-1255-1
bind9sourcejessie1:9.9.5.dfsg-9+deb8u15DSA-4089-1
bind9sourcestretch1:9.10.3.dfsg.P4-12.3+deb9u4DSA-4089-1
bind9source(unstable)1:9.11.2.P1-1

Notes

https://kb.isc.org/article/AA-01542
Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=053b51c4dbd28f6e4de71ce4268a6f606025d76d
Fixed by (9.10.6-P1): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=55baf7d7e25c0e6444cb7e415f14d9e0819b5508

Search for package or bug name: Reporting problems