# Significant flaw present in June BIND releases 9.16.17 and 9.17.14



## trev (Jun 18, 2021)

FYI: Do not upgrade!


-------- Forwarded Message --------
Subject:     Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14
Date:     Thu, 17 Jun 2021 19:56:58 -0800
From:     Michael McNally <mcnally@isc.org>
To:     bind-users@lists.isc.org



Dear BIND users:

Yesterday, 16 June 2021, we released monthly maintenance snapshot releases of
our currently supported release branches of BIND.

Specifically, we released BIND 9.11.33, 9.16.17, and 9.17.14

There's no way to say this that isn't embarrassing, but only after the release
was an error in a recently optimized routine discovered by a user -- an error
that will definitely cause operational problems for almost all server operators
who upgrade to either of these affected versions:

- BIND 9.16.17
- BIND 9.17.14

BIND 9.11.33 is NOT affected.

If you have not yet updated to the 16 June releases, we ask that you hold off
on any plans to install 9.16.17 or 9.17.14 until replacement releases can be
prepared and tested.

The specific issue in question is being tracked in our issue tracker:

https://gitlab.isc.org/isc-projects/bind9/-/issues/2779

and more information about our plans for issuing replacement releases will be
provided later; at the moment our priority is getting the news to parties as
quickly as possible so that those who have not already adopted the new releases
can postpone until corrected versions are available.

Michael McNally
Internet Systems Consortium


----------



## SirDice (Jun 18, 2021)

Well, that sucks. The version in the ports tree is the "broken" one. So to prevent your install from getting wrecked by this version you can pkg-lock(8) it. That will stop it from getting updates.

dns/bind911
dns/bind916
(9.17 is not available)


----------



## mtu (Jun 18, 2021)

They rolled their own `lowercase()`, and forgot the letter `w`. You have to see it to believe it:

W or w characters in domain names are altered to "\000" (#2779) · Issues · ISC Open Source Projects / BIND · GitLab (gitlab.isc.org)

Summary: We recently upgraded our bind9 from 1:9.16.16-2+ubuntu18.04.1+isc+1 to 1:9.16.17-1+ubuntu21.04.1+isc+1 and start experiencing some wildcard names not being resolved. The resolver...

Does that count as an off-by-one error?
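
The failure mode described in the post above, as an added example that is not part of the original thread and is not BIND's code: a constructed table-driven lowercase map whose `W` and `w` entries are left at zero, plus an exhaustive check over all 256 byte values that catches the gap. All function names are hypothetical, and a real table would be a static literal rather than one built in a loop.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed lookup table: identity for every byte, ASCII A-Z folded to a-z. */
static unsigned char lower_map[256];

static void build_map(int drop_w) {
    for (int c = 0; c < 256; c++)
        lower_map[c] = (unsigned char)((c >= 'A' && c <= 'Z') ? c + 32 : c);
    if (drop_w)   /* simulate the forgotten entries: both map to 0 */
        lower_map['W'] = lower_map['w'] = 0;
}

/* Reference folding: DNS case-insensitivity covers only ASCII A-Z, no locale. */
static unsigned char ref_lower(unsigned char c) {
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Exhaustive check of all 256 inputs; returns the number of wrong entries. */
static int count_bad_entries(void) {
    int bad = 0;
    for (int c = 0; c < 256; c++)
        if (lower_map[c] != ref_lower((unsigned char)c))
            bad++;
    return bad;
}

/* Fold a name in place through the table; returns how many bytes became NUL. */
static size_t fold_name(unsigned char *name, size_t len) {
    size_t nuls = 0;
    for (size_t i = 0; i < len; i++) {
        name[i] = lower_map[name[i]];
        if (name[i] == 0)
            nuls++;
    }
    return nuls;
}

int main(void) {
    unsigned char name[] = "WWW.example.com";   /* constructed sample name */
    build_map(1);
    printf("bad table entries: %d\n", count_bad_entries());
    printf("NUL bytes after folding: %zu\n", fold_name(name, sizeof name - 1));
    build_map(0);
    printf("bad table entries with complete table: %d\n", count_bad_entries());
    return 0;
}
```

A check like `count_bad_entries()` is cheap enough to run on every build, since the whole input domain is 256 values.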


----------



## SirDice (Jun 18, 2021)

mtu said:


> They rolled their own `lowercase()`, and forgot the letter `w`.

_View: https://www.youtube.com/watch?v=ahrBOvz1jzA_


----------



## SirDice (Jun 19, 2021)

That was quick: https://cgit.freebsd.org/ports/commit/?id=8c6ff6947351e0f8f11db8d19d22aa1857a87811

So, crisis averted.


----------



## Jose (Jun 19, 2021)

mtu said:


> They rolled their own `lowercase()`, and forgot the letter `w`. You have to see it to believe it:
>
> ...


I've always thought the letter 'w' was overrated...

All kidding aside... I still have trouble remembering the alphabet. Before you judge me too harshly, keep in mind that English is my second language, and that my first language's alphabet is different.


----------

