ISC announced a race condition vulnerability, triggered when discarding malformed packets, that can cause BIND to exit with an assertion failure.
As a result of the flaw, “an attacker who can cause a resolver to perform queries [that] will be answered by a server [that] responds with deliberately malformed answers can cause named to exit, denying service to clients,” according to a June 19 security notice.
The vulnerability is remotely exploitable, with a CVSS score of 5.9 and a “Medium” severity rating.
Researchers recommend that users patch the issue by upgrading to the patched release most closely related to their current version of BIND, which may include BIND 9.11.8, BIND 9.12.4-P2, BIND 9.14.3 or BIND 9.15.1.