oss-sec mailing list archives

CVE-2016-2848 has been disclosed.


From: Michael McNally <mcnally () isc org>
Date: Thu, 20 Oct 2016 14:43:14 -0400

Last week we notified the related list, distros () vs openwall org,
about CVE-2016-2848, a vulnerability found in ISC BIND releases
produced before change #3548, which first appeared in May 2013.

Although all of ISC's BIND releases since that date have been immune
to the vulnerability, several OS distribution packagers were
maintaining BIND packages which were forked from ISC's
source line before that change and so we notified that
list to give packagers warning before our public disclosure of
the vulnerability.

As we previously announced it was our intention to do,
we have publicly disclosed CVE-2016-2848 today.

Since information concerning the vulnerability, including
a reproduction script, exists in a public bug repository
we urge you to update vulnerable binary packages as soon
as possible.

Thank you.  The official copy of our vulnerability announcement
can be found here:  https://kb.isc.org/article/AA-01433/74/CVE-2016-2848

Michael McNally
ISC Security Officer
