Breno Silveira Soares of Servico Federal de Processamento de Dados
(SERPRO) discovered that the BIND DNS server is prone to a denial of
service vulnerability. A remote attacker who can cause a validating
resolver to query a zone containing specifically constructed contents
can cause the resolver to terminate with an assertion failure, resulting
in a denial of service to clients relying on the resolver.
For the oldstable distribution (wheezy), this problem has been fixed
in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u5.
For the stable distribution (jessie), this problem has been fixed in
version 1:9.9.5.dfsg-9+deb8u1.
For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.
We recommend that you upgrade your bind9 packages.