CRITICAL 9.8 CVE-2026-3593 A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
from 0, < 9.18.49-r0
CRITICAL 9.8 CVE-2021-25216 In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Previe…
from 0, < 9.16.15-r0
HIGH 8.6 In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to p…
from 0, < 9.18.41-r0
HIGH 8.6 bind9 - security update
from 0, < 9.18.41-r0
HIGH 8.6 A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.
from 0, < 9.20.11-r0
HIGH 8.6 bind9 - security update
from 0, < 9.14.12-r0
HIGH 8.2 The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.
from 0, < 9.16.33-r0
HIGH 8.1 bind9 - security update
from 0, < 9.16.11-r2
HIGH 7.8 The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file…
from 0, < 9.11.3-r0
HIGH 7.5 Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `C…
from 0, < 9.18.49-r0
HIGH 7.5 BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when re…
from 0, < 9.18.49-r0
HIGH 7.5 A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain.
from 0, < 9.20.21-r0
HIGH 7.5 bind9 - security update
from 0, < 9.18.47-r0
HIGH 7.5 bind9 - security update
from 0, < 9.18.44-r0
HIGH 7.5 Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.
from 0, < 9.18.41-r0
HIGH 7.5 If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only al…
from 0, < 9.20.11-r0
HIGH 7.5 When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it.
from 0, < 9.18.37-r0
HIGH 7.5 Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traff…
from 0, < 9.18.33-r0
HIGH 7.5 bind9 - security update
from 0, < 9.18.33-r0
HIGH 7.5 Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion fa…
from 0, < 9.18.31-r0
HIGH 7.5 If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed do…
from 0, < 9.18.31-r0
HIGH 7.5 bind9 - security update
from 0, < 9.18.31-r0
HIGH 7.5 A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress.
from 0, < 9.18.31-r0
HIGH 7.5 The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a de…
from 0, < 9.16.48-r0
HIGH 7.5 pdns-recursor - security update
from 0, < 9.16.48-r0
HIGH 7.5 To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database.
from 0, < 9.16.48-r0
HIGH 7.5 A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both…
from 0, < 9.16.48-r0
HIGH 7.5 A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect <domain>;` is conf…
from 0, < 9.16.48-r0
HIGH 7.5 bind9 - security update
from 0, < 9.16.48-r0
HIGH 7.5 A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure.
from 0, < 9.18.19-r0
HIGH 7.5 bind9 - security update
from 0, < 9.16.44-r0
HIGH 7.5 If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-t…
from 0, < 9.16.42-r0
HIGH 7.5 This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, conf…
from 0, < 9.16.37-r0
HIGH 7.5 BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer…
from 0, < 9.16.37-r0
HIGH 7.5 bind9 - security update
from 0, < 9.16.37-r0
HIGH 7.5 By sending specific queries to the resolver, an attacker can cause named to crash.
from 0, < 9.16.33-r0
HIGH 7.5 By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak.
from 0, < 9.16.33-r0
HIGH 7.5 By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak.
from 0, < 9.16.33-r0
HIGH 7.5 An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources.
from 0, < 9.16.33-r0
HIGH 7.5 In BIND 9.16.19, 9.17.16.
from 0, < 9.16.20-r0
HIGH 7.5 In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview…
from 0, < 9.16.15-r0
HIGH 7.5 In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition…
from 0, < 9.16.6-r0
HIGH 7.5 In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who…
from 0, < 9.16.6-r0
HIGH 7.5 In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server and send data on that connection…
from 0, < 9.16.6-r0
HIGH 7.5 With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via T…
from 0, < 9.14.8-r0
HIGH 7.5 There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode.
from 0, < 0
HIGH 7.5 A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral ra…
from 0, < 9.14.7-r0
HIGH 7.5 Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers.
from 0, < 9.14.7-r0
HIGH 7.5 A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-…
from 0, < 9.14.1-r0
HIGH 7.5 A failure to free memory can occur when processing messages having a specific combination of EDNS options.
from 0, < 9.12.3_p4-r0
HIGH 7.5 bind9 - security update
from 0, < 9.14.1-r0
HIGH 7.5 bind9 - security update
from 0, < 9.12.2_p1-r0
HIGH 7.5 Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which cli…
from 0, < 9.12.2_p1-r0
HIGH 7.5 A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-…
from 0, < 9.12.1_p2-r0
HIGH 7.5 bind9 - security update
from 0, < 9.11.2_p1-r0
HIGH 7.5 Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lea…
from 0, < 9.11.0_p5-r0
HIGH 7.5 named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of se…
from 0, < 9.10.4_p5-r0
HIGH 7.5 named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and…
from 0, < 9.10.4_p5-r0
HIGH 7.5 bind9 - security update
from 0, < 9.10.4_p5-r0
HIGH 7.5 bind9 - security update
from 0, < 9.10.4_p4-r0
HIGH 7.5 buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses…
from 0, < 9.10.4_p3
MEDIUM 6.8 bind9 - security update
from 0, < 9.16.27-r0
MEDIUM 6.5 Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record.
from 0, < 9.20.21-r0
MEDIUM 6.5 bind9 - security update
from 0, < 9.16.15-r0
MEDIUM 6.5 bind9 - security update
from 0, < 9.16.6-r0
MEDIUM 6.5 To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called u…
from 0, < 9.11.5-r0
MEDIUM 5.9 Undefined behavior may result due to a race condition leading to a use-after-free violation.
from 0, < 9.18.49-r0
MEDIUM 5.9 Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or…
from 0, < 9.14.12-r0
MEDIUM 5.9 A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatc…
from 0, < 9.14.3-r0
MEDIUM 5.9 An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the…
from 0, < 9.10.4_p8-r1
MEDIUM 5.9 If named is configured to use Response Policy Zones (RPZ) an error processing some rule types can lead to a condition where BIND will endle…
from 0, < 9.11.3-r0
MEDIUM 5.9 bind9 - security update
from 0, < 9.11.0_p5-r0
MEDIUM 5.9 bind9 - security update
from 0, < 9.10.4_p6-r0
MEDIUM 5.4 A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0).
from 0, < 9.20.21-r0
MEDIUM 5.3 An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenti…
from 0, < 9.18.49-r0
MEDIUM 5.3 BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.
from 0, < 9.18.49-r0
MEDIUM 5.3 If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for th…
from 0, < 9.16.48-r0
MEDIUM 5.3 bind9 - security update
from 0, < 9.16.33-r0
MEDIUM 5.3 BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition.
from 0, < 9.16.27-r0
MEDIUM 5.3 bind9 - security update
from 0, < 9.16.27-r0
MEDIUM 5.3 Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. Versions affected: B…
from 0, < 9.12.3_p4-r0
MEDIUM 5.3 An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND atte…
from 0, < 9.12.1_p2-r0
MEDIUM 5.3 named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a contr…
from 0, < 9.11.0_p5-r0
MEDIUM 4.9 bind9 - security update
from 0, < 9.16.4-r0
MEDIUM 4.9 An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failur…
from 0, < 9.16.4-r0
MEDIUM 4.9 bind9 - security update
from 0, < 9.12.3_p4-r0
MEDIUM 4.3 In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.1…
from 0, < 9.16.6-r0
LOW 3.7 bind9 - security update
from 0, < 9.10.4_p8-r1