About CVE-2015-5477 ("An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure")

[Michael McNally]

As the security incident manager for this particular vulnerability
notification, I'd like to say a little extra, beyond our official
vulnerability disclosure (https://kb.isc.org/article/AA-01272)
about this critical defect in BIND.

Many of our bugs are limited in scope or affect only users having
a particular set of configuration choices.  CVE-2015-5477 does not
fall into that category.  Almost all unpatched BIND servers are
potentially vulnerable.  We know of no configuration workarounds.
Screening the offending packets with firewalls is likely to be
difficult or impossible unless those devices understand DNS at a
protocol level and may be problematic even then.  And the fix for
this defect is very localized to one specific area of the BIND code.

The practical effect of this is that this bug is difficult to defend
against (except by patching, which is completely effective) and will
not be particularly difficult to reverse-engineer.  I have already
been told by one expert that they have successfully reverse-engineered
an attack kit from what has been divulged and from analyzing the code
changes, and while I have complete confidence that the individual who
told me this is not intending to use his kit in a malicious manner,
there are others who will do so who may not be far behind.

Please take steps to patch immediately.  This bug is designated
"Critical" and it deserves that designation.