5 matches found

RedHat Linux
added 2025/02/19 8:42 a.m. | 1 view

bind: bind9: DNS-over-HTTPS implementation suffers from multiple issues under heavy query load

A flaw was found in BIND 9. By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections. This issue could significantly impair the resolver's...

CVSS 7.5 | AI score 5.7 | EPSS 0.15664
Exploits: 0 | References: 5
RedHat Linux
added 2025/01/06 1:36 p.m. | 2 views

bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources

A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSSEC-signed zone using NSEC3, an attacker can drive the targeted resolver into CPU exhaustion, leading to a Denial of Service on the targeted host. This vulnerability applies only to systems where DNSSE...

CVSS 7.5 | AI score 6.7 | EPSS 0.82829
Exploits: 1 | References: 7
OSV
added 2024/09/04 5:33 p.m. | 1 view

CLSA-2024-1725471213 Fix CVE(s): CVE-2024-1975

SECURITY UPDATE: Client can exhaust resolver CPU resources by sending a stream of SIG0 signed requests - debian/patches/CVE-2024-1975.patch: Remove support for SIG0 message verification. - CVE-2024-1975...

CVSS 7.5 | AI score 7.3 | EPSS 0.02114
Exploits: 0 | References: 1
OSV
added 2024/08/09 11:8 a.m. | 5 views

OESA-2024-1971 bind security update

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server ...

CVSS 7.5 | AI score 6.6 | EPSS 0.02114
Exploits: 0 | References: 4
OSV
added 2022/12/08 4:54 p.m. | 2 views

CLSA-2022-1670518442 Fix CVE(s): CVE-2016-6170, CVE-2016-2775

SECURITY UPDATE: degrade resolver performance and possibly DoS - debian/patches/CVE-2016-2775.patch: fix possible infinite loop in lwresd due to a long query name - CVE-2016-2775 SECURITY UPDATE: improper restriction of zone size limit - debian/patches/CVE-2016-6170.patch: allow the maximum numbe...

CVSS 6.5 | AI score 6.8 | EPSS 0.63346
Exploits: 1 | References: 1