Quoting the URL:
Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.
Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service.
Servers which are affected may terminate with an assertion failure, causing denial of service to all clients.
Please be advised that ISC publicly announced two critical
vulnerabilities in BIND:
+ CVE-2015-5722 is a denial-of-service vector which can be
exploited remotely against a BIND server that is performing
validation on DNSSEC-signed records. All versions of BIND since
9.0.0 are vulnerable.
+ CVE-2015-5986 is a denial-of-service vector which can be used
against a BIND server that is performing recursion and (under
limited conditions) an authoritative-only nameserver.
Versions of BIND since 9.9.7 and 9.10.2 are vulnerable.
New releases of BIND, including security fixes for these
vulnerabilities, are available:
(as ISC Security Officer)
Additional info: One of the issues also affects key parsing in the command line tools. While the impact is likely low here this means bind-tools is also affected and should be bumped.
bind-9.10.2_p4 has just been added.
(In reply to Christian Ruppert (idl0r) from comment #3)
> bind-9.10.2_p4 has just been added.
Thank you for the version bump
Arches, please stabilize
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
should also be stabilized.
Stable for HPPA PPC64.
Both stable on alpha.
both stable on amd64
openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before
9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE
assertion failure and daemon exit) via a crafted DNS response.
buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before
9.10.2-P4 allows remote attackers to cause a denial of service (assertion
failure and daemon exit) by creating a zone containing a malformed DNSSEC
key and issuing a query for a name in that zone.
Added to an existing GLSA Request.
Waiting on sparc stabilization, GLSA ready for release.
This issue was resolved and addressed in
GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).