SLES 12 has bind 9.9.6-P1, SLE11 similar.

also no opensuse seems affected at this time

bugbot adjusting priority

ISC published this issue.

CVE:                CVE-2015-8461
Document Version:   2.0
Posting date:       15 December 2015
Program Impacted:   BIND
Versions affected:  9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 ->
9.10.3-P1
Severity:           Medium
Exploitable:        Remotely

Description:

   Beginning with the September 2015 maintenance releases 9.9.8 and
   9.10.3, an error was introduced into BIND 9 which can cause a
   server to exit after encountering an INSIST assertion failure
   in resolver.c

Impact:

   An uncommonly occurring condition can cause affected servers to
   exit with an INSIST failure depending on the outcome of a race
   condition in resolver.c  While difficult to exploit reliably, a
   malicious party could, through deliberate behavior, significantly
   increase the probability of encountering the triggering condition,
   resulting in denial-of-service to clients if successful.

CVSS Score:         5.4
CVSS Vector:        (AV:N/AC:H/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C)

Workarounds:        None.
Active exploits:    None known.

Solution:

   Upgrade to the patched release most closely related to your
   current version of BIND. Public open-source branches can be
   downloaded from http://www.isc.org/downloads.

     BIND 9 version 9.9.8-P2
     BIND 9 version 9.10.3-P2

   BIND 9 Supported Preview edition is a feature preview version
   of BIND provided exclusively to eligible ISC Support customers.

     BIND 9 version 9.9.8-S3


Acknowledgements:

   ISC would like to thank John O'Brien of the University of
   Pennsylvania for discovering this issue.

Document Revision History:

   1.0 Advance Notification 8 December 2015
   2.0 Public Disclosure, 15 December 2015

Related Documents:

   See our BIND9 Security Vulnerability Matrix at
   https://kb.isc.org/article/AA-00913 for a complete listing of
   Security Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and
Advance Security Notifications, please visit http://www.isc.org/support/.

Do you still have questions?  Questions regarding this advisory
should go to security-officer@isc.org.  To report a new issue,
please encrypt your message using security-officer@isc.org's PGP
key which can be found here:
   https://www.isc.org/downloads/software-support-policy/openpgp-key/.
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/.

Note:

   ISC patches only currently supported versions. When possible we
   indicate EOL versions affected.  (For current information on
   which versions are actively supported, please see
   http://www.isc.org/downloads/).

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can
   be found here: https://kb.isc.org/article/AA-00861

This Knowledge Base article https://kb.isc.org/article/AA-01319 is
the complete and official security advisory document.

(In reply to Marcus Meissner from comment #1)
> SLES 12 has bind 9.9.6-P1, SLE11 similar.
> 
> also no opensuse seems affected at this time

Yes, this bug only existed for a few months and we haven't used the affected releases anywhere.

this only affected upstream bind and not SUSEs.