CVE-2016-2775

Published: 19 July 2016

ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package: bind9 (Launchpad, Ubuntu, Debian)

Release and status:
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (1:9.11.2.P1-1ubuntu3)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1:9.11.2.P1-1ubuntu3)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1:9.11.2.P1-1ubuntu3)
Ubuntu 16.04 ESM (Xenial Xerus): Needed
Ubuntu 14.04 ESM (Trusty Tahr): Needed

Patches:
Upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/38cc2d14e218e536e0102fa70deef99461354232
Binaries built from this source package are in Universe and so are supported by the community.

Notes

Author: mdeslaur
Note:
only if lwres is configured (not the default)
lwresd package is in universe

References