Comparative Performance Results of BIND Versions in Authoritative Configurations - September 2023
We are only one quarter away from producing the next stable branch of BIND, and from ending maintenance of BIND 9.Read post
The flaw allows remote execution of arbitrary commands by the shell if an attacker can cause data to be passed to the shell as the value of a shell environment variable.
Despite reports to the contrary saying that a 2011 change (CVE-2011-0997) to
dhclient prevents exploitation of this flaw, ISC has confirmed that the DHCP client provided as a part of ISC DHCP can be used to exploit the bash vulnerability if the operator of a rogue DHCP server passes a specially constructed value as the payload of a DHCP option field.
For this and many other reasons, all users running a vulnerable version of bash are advised to update to a secured version as quickly as possible.
Postscript: Readers will naturally want to know whether other ISC products can be used to exploit this condition. We know of no vulnerability in the ISC DHCP server or in BIND 9 that can be used as a vector to exploit the bash flaw. We nevertheless strongly recommend that the best course of action is to upgrade to a secure version of bash due to the seriousness of this flaw.
What's New from ISC