Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)

Related Vulnerabilities: CVE-2021-25214   CVE-2021-25215   CVE-2021-25216  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Ariadne Conill &lt;ariadne () dereferenced org&gt;

Date: Thu, 29 Apr 2021 04:34:11 -0600 (MDT)

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello,

On Wed, 28 Apr 2021, Michael McNally wrote:

On April 28, 2021, we (Internet Systems Consortium) disclosed three
vulnerabilities affecting our BIND 9 software:

  CVE-2021-25214: A broken inbound incremental zone update (IXFR)
  can cause named to terminate unexpectedly
  https://kb.isc.org/docs/cve-2021-25214

  CVE-2021-25215: An assertion check can fail while answering queries for
  DNAME records that require the DNAME to be processed to resolve itself
  https://kb.isc.org/docs/cve-2021-25215

  CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy
  negotiation can be targeted by a buffer overflow attack
  https://kb.isc.org/docs/cve-2021-25216

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can
find individual vulnerability-specific patches in the "patches" subdirectory
of the release directories for our two stable release branches (9.11 and 
9.16)

 https://downloads.isc.org/isc/bind9/9.11.31/patches
 https://downloads.isc.org/isc/bind9/9.16.15/patches

These directories only have patches for CVE-2021-25214 and CVE-2021-25215. 
A patch for CVE-2021-25216 appears to be missing.  In some supported 
branches of Alpine, we erroneously followed a development branch of BIND, 
so I am trying to determine if there is anything I need to backport to 
cover CVE-2021-25216.

Thanks in advance for any advice you can provide on this.

Ariadne

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Michael McNally (Apr 28)

Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)

Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ondřej Surý (Apr 29)

Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started