CVE-2023-2829: 
NixOS vulnerability analysis and mitigation

CVE-2023-2829 affects BIND 9, specifically when a named instance is configured as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (synth-from-dnssec) enabled. The vulnerability was discovered in June 2023 and affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1 (ISC Advisory).

The vulnerability allows remote attackers to terminate the BIND service using a zone with a malformed NSEC record. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NetApp Advisory).

Successful exploitation of this vulnerability results in a Denial of Service (DoS) condition, specifically the remote termination of the affected BIND instance. The vulnerability only impacts availability, with no effect on confidentiality or integrity of the system (NetApp Advisory).

This vulnerability specifically affects the BIND Supported Preview Edition. Many standard distributions of BIND are not affected by this vulnerability. For affected versions, updating to the latest version of BIND that addresses this vulnerability is recommended (ISC Advisory).