CVE-2023-5517

Name	CVE-2023-5517
Description	A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5621-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bind9 (PTS)	jessie, jessie (lts)	1:9.9.5.dfsg-9+deb8u31	fixed
	stretch (security)	1:9.10.3.dfsg.P4-12.3+deb9u12	fixed
	stretch (lts), stretch	1:9.10.3.dfsg.P4-12.3+deb9u16	fixed
	buster, buster (lts)	1:9.11.5.P4+dfsg-5.1+deb10u13	fixed
	buster (security)	1:9.11.5.P4+dfsg-5.1+deb10u11	fixed
	bullseye	1:9.16.50-1~deb11u2	fixed
	bullseye (security)	1:9.16.50-1~deb11u1	fixed
	bookworm (security), bookworm	1:9.18.28-1~deb12u2	fixed
	sid, trixie	1:9.20.2-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
bind9	source	jessie	(not affected)
bind9	source	stretch	(not affected)
bind9	source	buster	(not affected)
bind9	source	bullseye	1:9.16.48-1	DSA-5621-1
bind9	source	bookworm	1:9.18.24-1	DSA-5621-1
bind9	source	(unstable)	1:9.19.21-1

Notes

[buster] - bind9 <not-affected> (Issue does not affect 9.11.y series)
https://kb.isc.org/docs/cve-2023-5517
[stretch] - bind9 <not-affected> (Vulnerable code not present)
[jessie] - bind9 <not-affected> (Vulnerable code not present)