<itemizedlist>
<listitem>
<para>
- Duplicate EDNS COOKIE options in a response could trigger
- an assertion failure. This flaw is disclosed in CVE-2016-2088.
- [RT #41809]
- </para>
- </listitem>
- <listitem>
- <para>
- Insufficient testing when parsing a message allowed
- records with an incorrect class to be be accepted,
- triggering a REQUIRE failure when those records
- were subsequently cached. This flaw is disclosed
- in CVE-2015-8000. [RT #40987]
- </para>
- </listitem>
- <listitem>
- <para>
- Incorrect reference counting could result in an INSIST
- failure if a socket error occurred while performing a
- lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
- </para>
- </listitem>
- <listitem>
- <para>
- An incorrect boundary check in the OPENPGPKEY rdatatype
- could trigger an assertion failure. This flaw is disclosed
- in CVE-2015-5986. [RT #40286]
- </para>
- </listitem>
- <listitem>
- <para>
- A buffer accounting error could trigger an assertion failure
- when parsing certain malformed DNSSEC keys.
- </para>
- <para>
- This flaw was discovered by Hanno Böck of the Fuzzing
- Project, and is disclosed in CVE-2015-5722. [RT #40212]
- </para>
- </listitem>
- <listitem>
- <para>
- A specially crafted query could trigger an assertion failure
- in message.c.
- </para>
- <para>
- This flaw was discovered by Jonathan Foote, and is disclosed
- in CVE-2015-5477. [RT #40046]
- </para>
- </listitem>
- <listitem>
- <para>
- On servers configured to perform DNSSEC validation, an
- assertion failure could be triggered on answers from
- a specially configured server.
- </para>
- <para>
- This flaw was discovered by Breno Silveira Soares, and is
- disclosed in CVE-2015-4620. [RT #39795]
- </para>
- </listitem>
- <listitem>
- <para>
- On servers configured to perform DNSSEC validation using
- managed trust anchors (i.e., keys configured explicitly
- via <command>managed-keys</command>, or implicitly
- via <command>dnssec-validation auto;</command> or
- <command>dnssec-lookaside auto;</command>), revoking
- a trust anchor and sending a new untrusted replacement
- could cause <command>named</command> to crash with an
- assertion failure. This could occur in the event of a
- botched key rollover, or potentially as a result of a
- deliberate attack if the attacker was in position to
- monitor the victim's DNS traffic.
- </para>
- <para>
- This flaw was discovered by Jan-Piet Mens, and is
- disclosed in CVE-2015-1349. [RT #38344]
- </para>
- </listitem>
- <listitem>
- <para>
- A flaw in delegation handling could be exploited to put
- <command>named</command> into an infinite loop, in which
- each lookup of a name server triggered additional lookups
- of more name servers. This has been addressed by placing
- limits on the number of levels of recursion
- <command>named</command> will allow (default 7), and
- on the number of queries that it will send before
- terminating a recursive query (default 50).
- </para>
- <para>
- The recursion depth limit is configured via the
- <option>max-recursion-depth</option> option, and the query limit
- via the <option>max-recursion-queries</option> option.
- </para>
- <para>
- The flaw was discovered by Florian Maury of ANSSI, and is
- disclosed in CVE-2014-8500. [RT #37580]
- </para>
- </listitem>
- <listitem>
- <para>
- Two separate problems were identified in BIND's GeoIP code that
- could lead to an assertion failure. One was triggered by use of
- both IPv4 and IPv6 address families, the other by referencing
- a GeoIP database in <filename>named.conf</filename> which was
- not installed. Both are covered by CVE-2014-8680. [RT #37672]
- [RT #37679]
- </para>
- <para>
- A less serious security flaw was also found in GeoIP: changes
- to the <command>geoip-directory</command> option in
- <filename>named.conf</filename> were ignored when running
- <command>rndc reconfig</command>. In theory, this could allow
- <command>named</command> to allow access to unintended clients.
- </para>
- </listitem>
- <listitem>
- <para>
- Specific APL data could trigger an INSIST. This flaw
- is disclosed in CVE-2015-8704. [RT #41396]
- </para>
- </listitem>
- <listitem>
- <para>
- Certain errors that could be encountered when printing out
- or logging an OPT record containing a CLIENT-SUBNET option
- could be mishandled, resulting in an assertion failure.
- This flaw is disclosed in CVE-2015-8705. [RT #41397]
- </para>
- </listitem>
- <listitem>
- <para>
- Malformed control messages can trigger assertions in named
- and rndc. This flaw is disclosed in CVE-2016-1285. [RT
- #41666]
- </para>
- </listitem>
- <listitem>
- <para>
- The resolver could abort with an assertion failure due to
- improper DNAME handling when parsing fetch reply
- messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
+ None.
</para>
</listitem>
</itemizedlist>