cve-2011-2464 affected the 9.4-ESV-R4-P1?

Evan Hunt each at
Tue Jul 5 20:06:19 UTC 2011

> on the ISC website i don't see that the 9.4-ESV-R4-P1 is affected by the
> CVE-2011-2464 is it because it's not really affected? or it's affected
> but i don't see it on "versions affected" because the 9.4-ESV-R4-P1 has
> it's EOL date to jun2011.

To be very precise with my language:  It is not *exposed*.

The issue has two layers.  First, there's an underlying bug that's been
dormant in our code for a very long time, but there was no way to trigger
it... and, second, there's the trigger.  Actually, there are two separate
triggers: one was introduced in 9.6 and another in 9.7.  Neither of
them is in any version of 9.4.

So, we *will* be releasing 9.4-ESV-R5 soon, and it contains a fix for the
underlying bug.  But we didn't release a patch today because there's no

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list