The Debian backport of the fix for CVE-2017-3137 leads to an assertion failure in validator.c:1858. Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1. No ISC releases are affected. Packages from other distributions that made similar backports of the fix for CVE-2017-3137 may also be affected.
Recent assessments:
busterb at October 30, 2019 8:04pm UTC reported:
Probably not that interesting of a bug for an attacker. Basically you can DoS a BIND server. I sort of think most folks using BIND in a critical environment are likely using the ISC releases anyway. It is telling that the bug in this backport appears to have taken a year to discover.
Assessed Attacker Value: 3
Assessed Attacker Value: 2