Domain name servers are used to match domain names to numerical IP addresses, with the vast majority of these running BIND; the software essentially "runs the Internet".
The Internet Software Consortium (ISC), the group responsible for maintaining the software, released a new version of BIND on Monday, with their website billing it as a maintenance release.
"BIND 9.2.2 is the latest release of BIND 9. It is a maintenance release, containing fixes for a number of bugs in 9.2.0 but no new features," it says.
But digging deeper, it's apparent that BIND 9.2.1, the previous version, is vulnerable to a remote buffer overflow bug if it was installed with the "libbind" non-default option. The previous versions may also be vulnerable to problems associated with the commonly used OpenSSL library, but once again this is a non-default installation option and has more to do with the SSL library than BIND itself.
Johannes Ullrich, chief technology officer of the SANS Institute's Internet Storm Center, says that ISC hasn't given the issue the attention it deserves and is at a loss to explain why the group has yet to release an advisory.
"It's so hidden, that's what I don't get. You basically have to know it's there [information on the vulnerability] to find it. It's [the new release] labeled as a maintenance release with no urgent need to upgrade," he said.
Ulrich says that although the security glitch isn't high risk - he rates it as medium - ISC should be "assisting in rating the seriousness of the vulnerability" and the software consortium should "basically do a better PR job by notifying people to the urgency of the release".
"We still don't know enough about it," he added.
Melbourne based security consultant Adam Pointon agrees, and says that ISC should release a detailed advisory on the issue simply to clarify the situation.
"I think they should because the vendors are going to be confused as well as the normal users... no normal users will know about this problem yet," he said.
Ulrich says that the libbind vulnerability may have in fact been indirectly known about for a while now. Confusion about which code was used in which version has lead to uncertainty in regard to which vulnerability effects which version of BIND.
"In hindsight it was known since the beginning. That libbind thing is the last of the shared code between [versions] 8 and 9," he said.
Version 9 was more or less a complete re-write of version 8, and is generally regarded as being a lot more secure.
djbdns offers better security on Linux/Unix