CVE-2022-1183

Name	CVE-2022-1183
Description	On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. Affects BIND 9.18.0 -> 9.18.2 and version 9.19.0 of the BIND 9.19 development branch.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bind9 (PTS)	buster	1:9.11.5.P4+dfsg-5.1+deb10u7	fixed
	buster (security)	1:9.11.5.P4+dfsg-5.1+deb10u8	fixed
	bullseye	1:9.16.33-1~deb11u1	fixed
	bullseye (security)	1:9.16.37-1~deb11u1	fixed
	bookworm	1:9.18.12-1	fixed
	sid	1:9.18.13-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
bind9	source	stretch	(not affected)
bind9	source	buster	(not affected)
bind9	source	bullseye	(not affected)
bind9	source	(unstable)	1:9.18.3-1

Notes

[bullseye] - bind9 <not-affected> (Vulnerable code not present)
[buster] - bind9 <not-affected> (Vulnerable code not present)
[stretch] - bind9 <not-affected> (Vulnerable code not present)
https://kb.isc.org/v1/docs/cve-2022-1183