"When a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed."
"When a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check."
"BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.
In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options."
Please bump to 9.16.15.
bind-9.16.15 is available upstream and compiles as expected.
No GLSA for this bug.