BIND Vulnerability Matrix

The BIND Vulnerability Matrix is a tool to help DNS operators understand the current security risk. It has to parts, the bottom table list the vulnerability number and cross references to the CVE (Common Vulnerabilities and Exposure). For example, if you use the bottom table to look up CVE-2009-0696, you will see that cross references to #31. You can follow #31 down the chart and see that all the version that are vulnerable. If you were still running BIND 9.3.6-P1 you would know to upgrade. It is vulnerable to CVE-2009-0696.

We do not list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

A patch release (one ending in -Pn) that is not listed in this chart is one that we recommend that you not use.

Vulnerability information for older versions of BIND is on this page.

ver/CVE	21	22	23	24	25	26	28	29	30	31	32	33	34	35	36	37	38	39	40	41	42	43	44
9.8.1
9.8.0-P4
9.8.0-P3																						+
9.8.0-P2																						+	+
9.8.0-P1																					+	+	+
9.8.0																				+	+	+	+
9.7.4
9.7.3-P3
9.7.3-P2																						+
9.7.3-P1																						+
9.7.3																					+	+
9.7.2-P3																			+		+	+
9.7.2-P2														+	+	+	+	+	+		+	+
9.7.2-P1														+	+	+		+	+		+	+
9.7.2														+	+	+		+	+		+	+
9.7.1-P2															+	+		+	+		+	+
9.7.1-P1													+		+	+		+	+		+	+
9.7.1													+		+	+		+	+		+	+
9.7.0-P2															+	+		+				+
9.7.0-P1															+	+		+				+
9.7.0															+	+		+				+
9.6-ESV-R5
9.6-ESV-R4-P3
9.6-ESV-R4-P2																						+
9.6-ESV-R4-P1																						+
9.6-ESV-R4																					+	+
9.6-ESV-R3																					+
9.6-ESV-R2																+		+			+
9.6-ESV-R1																+		+
9.6-ESV																+		+
9.6.3																+		+			+
9.6.2-P3																+		+
9.6.2-P2																+		+
9.6.2-P1																+		+
9.6.2																+		+
9.6.1-P3																+		+
9.6.1-P2																+		+
9.6.1-P1											+	+				+		+
9.6.1										+	+	+				+		+
9.6.0-P1										+	+	+				+		+
9.6.0									+	+	+	+				+		+
9.5.2-P2																+		+
9.5.1-P3											+	+				+		+
9.5.1-P1										+	+	+				+		+
9.5.1									+	+	+	+				+		+
9.5.0-P2									+	+	+	+				+		+
9.5.0-P1									+	+	+	+				+		+
9.5.0								+	+	+	+	+				+		+
9.4-ESV-R5
9.4-ESV-R4-P1
9.4-ESV-R4																					+
9.4-ESV-R3																+		+			+
9.4-ESV-R2																+		+
9.4-ESV-R1																+		+
9.4-ESV																+		+
9.4.3-P5																+		+
9.4.3-P3											+	+				+		+
9.4.3-P1										+	+	+				+		+
9.4.3									+	+	+	+				+		+
9.4.2-P1							+		+	+	+	+				+		+
9.4.2							+	+	+	+	+	+				+		+
9.4.1-P1							+	+	+	+	+	+				+		+
9.4.1					+	+	+	+	+	+	+	+				+		+
9.4.0				+	+	+	+	+	+	+	+	+				+		+
9.3.6-P1										+	+	+				+		+
9.3.6									+	+	+	+				+		+
9.3.5-P1									+	+	+	+				+		+
9.3.5								+	+	+	+	+				+		+
9.3.4-P1							+	+	+	+	+	+				+		+
9.3.4						+	+	+	+	+	+	+				+		+
9.3.3		+	+			+	+	+	+	+	+	+				+		+
9.3.2	+	+	+			+	+	+	+	+	+	+				+		+
9.3.1	+	+	+			+	+	+	+	+	+	+				+		+
9.3.0	+	+	+			+	+	+	+	+	+	+				+		+
9.2.8-P1							+	+	+	+	+	+				+		+
9.2.8						+	+	+	+	+	+	+				+		+
9.2.7		+	+			+	+	+	+	+	+	+				+		+
9.2.6		+	+			+	+	+	+	+	+	+				+		+
9.2.5		+	+			+	+	+	+	+	+	+				+		+
9.2.4		+	+			+	+	+	+	+	+	+				+		+
9.2.3		+	+			+	+	+	+	+	+	+				+		+
9.2.2		+	+			+	+	+	+	+	+	+				+		+
9.2.1		+	+			+	+	+	+	+	+	+				+		+
9.2.0		+	+			+	+	+	+	+	+	+				+		+
9.1.3			+			+	+	+	+	+	+	+				+		+
9.1.2			+			+	+	+	+	+	+	+				+		+
9.1.1			+			+	+	+	+	+	+	+				+		+
9.1.0			+			+	+	+	+	+	+	+				+		+
9.0.1			+			+	+	+	+	+	+	+				+		+
9.0.0			+				+	+	+	+	+	+				+		+

Legend

#	CVE number	short description
12	2002-0029	Buffer overflows in resolver library allows execution of arbitrary code.
13	2002-0400	Denial of service via malformed DNS packet.
14	2002-0651	Buffer overflow in resolver code may cause a DoS and arbitrary code execution.
15	2002-1220	Denial of service via request for nonexistent subdomain using large OPT RR.
16	2002-1221	Denial of service via SIG RR elements with invalid expiry times.
17	2003-0914	Cache poisoning via negative responses with a large TTL value.
18	2005-0033	Buffer overflow in recursion and glue code allows denial of service.
19	2005-0034	Denial of service via crafted DNS packets causing internal self-check to fail.
20	2006-4095	Denial of service via certain SIG queries that return multiple RRsets.
21	2006-4096	Denial of service via a flood of recursive queries causing INSIST failure.
22	2007-0493	Denial of service via unspecified vectors that cause "dereference a freed fetch context."
23	2007-0494	Denial of service via ANY query response containing multiple RRsets.
24	2007-2241	Sequence of queries can cause a recursive nameserver to exit.
25	2007-2925	allow-query-cache/allow-recursion default acls not set.
26	2007-2926	cryptographically weak query ids
27	2007-2930	cryptographically weak query ids (BIND 8)
28	2008-0122	inet_network() off-by-one buffer overflow
29	2008-1447	DNS cache poisoning issue
30	2008-5077	DNSSEC issue with DSA and NSEC3DSA algorithms
31	2009-0696	Dynamic Update DoS attack
32	2009-4022	Cache Update From Additional Section
33	2010-0097	DNSSEC validation code could cause bogus NXDOMAIN responses
34	2010-0213	RRSIG query handling bug in BIND 9.7.1
35	2010-0218	Unexpected ACL Behavior in BIND 9.7.2
36	2010-3762	failure to handle bad signatures if multiple trust anchors configured
37	2010-3614	Key algorithm rollover bug in BIND 9
38	2010-3615	allow-query processed incorrectly
39	2010-3613	cache incorrectly allows an ncache entry and an RRSIG for the same type
40	2011-0414	Server lockup upon IXFR or DDNS update combined with high query rate
41	2011-1907	RRSIG queries can trigger server crash when using Response Policy Zones
42	2011-1910	Large RRSIG RRsets and negative caching can crash named
43	2011-2464	remote packet denial of service against authoritative and recursive servers
44	2011-2465	Remote crash with certain RPZ configurations