{
  "affected": [
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:11",
        "name": "bind9"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:9.11.3+dfsg-2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:12",
        "name": "bind9"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:9.11.3+dfsg-2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:13",
        "name": "bind9"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:9.11.3+dfsg-2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:14",
        "name": "bind9"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:9.11.3+dfsg-2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the \"allow-recursion\" setting, it SHOULD default to one of the following: none, if \"recursion no;\" is set in named.conf; a value inherited from the \"allow-query-cache\" or \"allow-query\" settings IF \"recursion yes;\" (the default for that setting) AND match lists are explicitly set for \"allow-query-cache\" or \"allow-query\" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of \"allow-recursion {localhost; localnets;};\" if \"recursion yes;\" is in effect and no values are explicitly set for \"allow-query-cache\" or \"allow-query\". However, because of the regression introduced by change #4777, it is possible when \"recursion yes;\" is in effect and no match list values are provided for \"allow-query-cache\" or \"allow-query\" for the setting of \"allow-recursion\" to inherit a setting of all hosts from the \"allow-query\" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0-\u003e9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.",
  "id": "DEBIAN-CVE-2018-5738",
  "modified": "2026-04-28T19:51:16.692850865Z",
  "published": "2019-01-16T20:29:00.907Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security-tracker.debian.org/tracker/CVE-2018-5738"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "upstream": [
    "CVE-2018-5738"
  ]
}