Fix for CVE-2006-2073

Florian Weimer fw at
Wed Oct 19 17:39:41 UTC 2011

* Mark Andrews:

> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type: Allows disruption of service
>
> I fail to see how this could ever have been classified as
> Access Complexity: Low.

I believe the CVSS scoring for those old entries was generated
semi-automatically.  There's also very little public information
available about this issue.

> Looking at the CVE it looks like this bug fix contains the correction.
> 2013.   [bug]           Handle unexpected TSIGs on unsigned AXFR/IXFR
>                         responses more gracefully. [RT #15941]
>> What was the first BIND version that fixed it?
> 9.2.7, 9.3.3, 9.4.0.

Thanks, this is helpful.  I've adjusted Debian's records.
