id summary reporter owner description type status priority milestone component version severity resolution keywords cc
14683 Revert to bind-9.16.11 due to regressions Douglas R. Reno Douglas R. Reno "This morning, I received a message from oss-security titled '[oss-security] BIND Operational Notification: Enabling the new BIND option ""stale-answer-client-timeout"" can result in unexpected server termination'. Since we have 9.16.12, we need to apply a patch.

First, the contents of the email:

{{{
To the packagers and redistributors of BIND --

Regrettably, a problem has been discovered in two of the three public release versions of BIND we issued yesterday (17 February). A change to the serve-stale feature in BIND 9.16.12 and BIND 9.17.10 can cause the server to exit unexpectedly when that feature is in use.

Below is a message we shared with subscribers to our bind-announce public list, and I reproduce it here in case any of you did not see it there.

To most users we are recommending the use of one of the workarounds listed in the Workarounds section of the accompanying Operational Notification document. As packagers and redistributors of BIND, however, you are generally not in a position to choose your users' config options. We have a couple of recommendations:

1) BIND 9.17.10 is an experimental development release and probably not widely used for building packages. But if you are packaging and/or redistributing BIND 9.16.x and have not yet issued updated packages based on 9.16.12 you might wish to hold off. HOWEVER, you will have also seen that yesterday we disclosed a vulnerability in that version (CVE-2020-8625.) You might prefer to issue a package based on 9.16.11, since the serve-stale bug is not yet present in that version, but with the patch diff found in https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch applied to correct the CVE-2020-8625 vulnerability.

2) If you already have packages based on 9.16.12, we expect to have a patch ready well before the next maintenance release. A candidate patch is under review now and can be delivered after review and quality assurance testing. If you wish to receive updates on the progress of this patch, please e-mail your request to security-officer@isc.org

We're sorry for the mess this creates.

Michael McNally
(for ISC Security Officer)
}}}

The patch itself can be found here: [https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4714/diffs?commit_id=26d950a3bd44e8a904186d323e41cddbb75918e2]" enhancement closed normal 10.1 BOOK SVN normal fixed