<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Ariadne Conill <ariadne () dereferenced org>
Date: Thu, 29 Apr 2021 04:34:11 -0600 (MDT)
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello,
On Wed, 28 Apr 2021, Michael McNally wrote:
On April 28, 2021, we (Internet Systems Consortium) disclosed three
vulnerabilities affecting our BIND 9 software:
CVE-2021-25214: A broken inbound incremental zone update (IXFR)
can cause named to terminate unexpectedly
https://kb.isc.org/docs/cve-2021-25214
CVE-2021-25215: An assertion check can fail while answering queries for
DNAME records that require the DNAME to be processed to resolve itself
https://kb.isc.org/docs/cve-2021-25215
CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack
https://kb.isc.org/docs/cve-2021-25216
New versions of BIND are available from https://www.isc.org/downloads
Operators and package maintainers who prefer to apply patches selectively can
find individual vulnerability-specific patches in the "patches" subdirectory
of the release directories for our two stable release branches (9.11 and
9.16)
https://downloads.isc.org/isc/bind9/9.11.31/patches
https://downloads.isc.org/isc/bind9/9.16.15/patches
These directories only have patches for CVE-2021-25214 and CVE-2021-25215.
A patch for CVE-2021-25216 appears to be missing. In some supported
branches of Alpine, we erroneously followed a development branch of BIND,
so I am trying to determine if there is anything I need to backport to
cover CVE-2021-25216.
Thanks in advance for any advice you can provide on this.
Ariadne
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Michael McNally (Apr 28)
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ondřej Surý (Apr 29)
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->