DescriptionThe Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. Other packages from other distributions who did similar backports for the fix for 2017-3137 may also be affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs889285

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)buster1:9.11.5.P4+dfsg-5.1+deb10u7fixed
buster (security)1:9.11.5.P4+dfsg-5.1+deb10u8fixed
bullseye (security)1:9.16.33-1~deb11u1fixed
bookworm, sid1:9.18.8-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


Issue similar/closely related to the CVE-2017-3139 issue in Red Hat.
Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was
added upstream in 9.9.3b1. The issue though does not affect bind9 upstream
and is only triggered as described in #889285.

Search for package or bug name: Reporting problems