A new version of BIND is available to address two vulnerabilities
disclosed today: CVE-2018-5736 and CVE-2018-5737; see the respective
messages on this mailing list or consult the ISC Knowledge Base

Only two releases in the BIND 9.12 branch were affected by these
vulnerabilities and BIND 9.12.1-P2 corrects both issues.  The new
release can be found via our software download page:


Finally, a word of apology for the awkward timing of this diclosure.
At ISC we usually try to avoid the very beginning or end of the week
for our vulnerability disclosures because time zone factors can make
those times particularly awkward for operators in other parts of the
world.  In this particular instance we had originally scheduled our
disclosure for Wednesday (16 May) but were forced to delay the
release when a last-minute flaw was found in BIND 9.12.1-P1, leading
to its withdrawal and replacement with BIND 9.12.1-P2.  Unfortunately
the vulnerabilities were partly disclosed at that stage and we
decided that the safest course was to proceed as directly as possible
to public disclosure, rather than risk a leak.  We do regret the
inconvenience that will be incurred by server operators due to the
timing of this announcement.

Michael McNally
ISC Security Officer

bind-announce mailing list

Reply via email to