Update to version 9.6.1-P1 which addresses a remote DoS vulnerability:

Receipt of a specially-crafted dynamic update message may
	cause BIND 9 servers to exit. This vulnerability affects all
	servers -- it is not limited to those that are configured to
	allow dynamic updates. Access controls will not provide an
	effective workaround.

More details can be found here: https://www.isc.org/node/474

All BIND users are encouraged to update to a patched version ASAP.

Approved by:	re (re -> SO -> dougb)

contrib/bind9/CHANGES

@@ -1,3 +1,7 @@
+	--- 9.6.1-P1 released ---
+
+2640.	[security]	A specially crafted update packet will cause named
+			to exit. [RT #20000]
 
 	--- 9.6.1 released ---
 

contrib/bind9/bin/named/update.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.151.12.5 2009/04/30 07:03:37 marka Exp $ */
+/* $Id: update.c,v 1.151.12.5.12.1 2009/07/28 14:18:08 marka Exp $ */
 
 #include <config.h>
 
@@ -979,7 +979,11 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 			if (type == dns_rdatatype_rrsig ||
 			    type == dns_rdatatype_sig)
 				covers = dns_rdata_covers(&t->rdata);
-			else
+			else if (type == dns_rdatatype_any) {
+				dns_db_detachnode(db, &node);
+				dns_diff_clear(&trash);
+				return (DNS_R_NXRRSET);
+			} else
 				covers = 0;
 
 			/*

contrib/bind9/version

@@ -1,4 +1,4 @@
-# $Id: version,v 1.43.12.5 2009/06/04 04:02:41 marka Exp $
+# $Id: version,v 1.43.12.5.8.1 2009/07/28 14:18:08 marka Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -6,5 +6,5 @@
 MAJORVER=9
 MINORVER=6
 PATCHVER=1
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1