
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-5679 is a vulnerability in BIND 9 that was disclosed on February 13, 2024. The vulnerability occurs due to a bad interaction between DNS64 and serve-stale features, which can cause the named service to crash with an assertion failure during recursive resolution when both features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1 (ISC Advisory).
The vulnerability is caused by a problematic interaction between two BIND features: DNS64 (which synthesizes AAAA records for clients on IPv6-only networks) and serve-stale (which allows serving stale cache data when authoritative servers are unavailable). When both features are enabled simultaneously, the named service can encounter an assertion failure during recursive resolution. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition by causing the named service to crash. This affects the availability of DNS resolution services for systems using the affected BIND versions with both DNS64 and serve-stale features enabled (NetApp Advisory).
The vulnerability has been fixed in newer versions of BIND 9. Organizations running affected versions should upgrade to BIND 9.16.48, 9.18.24, or 9.19.21 or later versions. Multiple Linux distributions including Fedora and Ubuntu have released security updates to address this vulnerability (Fedora Update).
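To triage a resolver against the two conditions described above (an affected version and both features enabled), the following added example, which is not ISC or vendor code, checks a version string against the ranges listed on this page and scans configuration text for both features. It assumes the standard `named.conf` statements `dns64` and `stale-answer-enable` are how the features are switched on; the function names and sample configuration are constructed for illustration.

```python
import re

# Affected ranges copied from the advisory text above (inclusive bounds).
# The third field marks the "-S1" (Supported Preview Edition) ranges.
AFFECTED = [
    ((9, 16, 12), (9, 16, 45), False),
    ((9, 18, 0), (9, 18, 21), False),
    ((9, 19, 0), (9, 19, 19), False),
    ((9, 16, 12), (9, 16, 45), True),
    ((9, 18, 11), (9, 18, 21), True),
]

def version_affected(text):
    """True if a string such as '9.18.19' or 'BIND 9.18.21-S1' is in a listed range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    ver = tuple(int(g) for g in m.group(1, 2, 3))
    preview = m.group(4) is not None
    return any(p == preview and lo <= ver <= hi for lo, hi, p in AFFECTED)

def strip_comments(conf):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def both_features_enabled(conf):
    """True if the text has a dns64 block and stale-answer-enable switched on."""
    conf = strip_comments(conf)
    dns64 = re.search(r"\bdns64\s+\S+\s*\{", conf) is not None
    stale = re.search(r"\bstale-answer-enable\s+(yes|true|1)\s*;", conf) is not None
    return dns64 and stale

def exposed(version_text, conf):
    return version_affected(version_text) and both_features_enabled(conf)

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
options {
    // stale-answer-enable no;
    stale-answer-enable yes;
    dns64 64:ff9b::/96 { clients { any; }; };
};
"""

if __name__ == "__main__":
    for v in ("9.18.19", "9.18.24", "9.18.21-S1", "9.18.5-S1"):
        print(v, exposed(v, SAMPLE_CONF))
```

The scan reads only the text it is given and does not follow `include` statements or distinguish per-view settings. Distribution packages often backport fixes without changing the upstream version number, so a version match on a distro build should be confirmed against the vendor's advisory.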
Source: This report was generated using AI