BIND 9.4.3-P5 is now available. BIND 9.4.3-P5 is a SECURITY PATCH for BIND 9.4.3. It addresses two potential cache poisoning vulnerabilities, both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid. Bugs should be reported to bind9-bugs@isc.org. CVE identifiers: CVE-2009-4022, CVE-2010-0097 CERT advisories: VU#418861, VU#360341 Information about these vulnerabilities can be found at: https://www.isc.org/advisories/CVE-2009-4022 https://www.isc.org/advisories/CVE-2010-0097 BIND 9.4.3-P5 can be downloaded from: ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz PGP signatures of the distribution are at: ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz.sha512.asc The signatures were generated with the ISC public key, which is available at https://www.isc.org/about/openpgp A binary kit for Windows XP, Windows 2003 and Windows 2008 is at: ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip PGP signatures of the binary kit are at: ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip.asc ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip.sha512.asc Changes since 9.4.3-P4: 2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819] 2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737] 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]