CVE-2013-2266

Publication date 26 March 2013

Last updated 24 July 2024

Ubuntu priority

libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, 9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
bind9	12.10 quantal	Fixed 1:9.8.1.dfsg.P1-4.2ubuntu3.2
	12.04 LTS precise	Fixed 1:9.8.1.dfsg.P1-4ubuntu0.6
	11.10 oneiric	Fixed 1:9.7.3.dfsg-1ubuntu4.6
	10.04 LTS lucid	Fixed 1:9.7.0.dfsg.P1-1ubuntu0.9
	8.04 LTS hardy	Not affected

How can I get the fixes?
What do statuses mean?

Notes

seth-arnold

No patch will be provided for 9.7. The suggested workaround is re-compile without regex support.

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1783-1
Bind vulnerability
29 March 2013

Other references

https://kb.isc.org/article/AA-00871
https://kb.isc.org/article/AA-00879
https://www.cve.org/CVERecord?id=CVE-2013-2266