bind9: CVE-2020-8625

Debian Bug report logs - #983004
bind9: CVE-2020-8625

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: bind9: CVE-2020-8625

Date: Thu, 18 Feb 2021 06:28:17 +0100

Source: bind9
Version: 1:9.16.11-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:9.11.5.P4+dfsg-5.1+deb10u2
Control: found -1 1:9.11.5.P4+dfsg-5.1
Control: fixed -1 1:9.11.5.P4+dfsg-5.1+deb10u3

Hi,

The following vulnerability was published for bind9.

CVE-2020-8625[0]:
| BIND servers are vulnerable if they are running an affected version
| and are configured to use GSS-TSIG features. In a configuration which
| uses BIND's default settings the vulnerable code path is not exposed,
| but a server can be rendered vulnerable by explicitly setting valid
| values for the tkey-gssapi-keytab or tkey-gssapi-
| credentialconfiguration options. Although the default configuration is
| not vulnerable, GSS-TSIG is frequently used in networks where BIND is
| integrated with Samba, as well as in mixed-server environments that
| combine BIND servers with Active Directory domain controllers. The
| most likely outcome of a successful exploitation of the vulnerability
| is a crash of the named process. However, remote code execution, while
| unproven, is theoretically possible. Affects: BIND 9.5.0 -&gt;
| 9.11.27, 9.12.0 -&gt; 9.16.11, and versions BIND 9.11.3-S1 -&gt;
| 9.11.27-S1 and 9.16.8-S1 -&gt; 9.16.11-S1 of BIND Supported Preview
| Edition. Also release versions 9.17.0 -&gt; 9.17.1 of the BIND 9.17
| development branch


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625
[1] https://kb.isc.org/v1/docs/cve-2020-8625
[2] https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5

Regards,
Salvatore

Message #16 received at 983004-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 983004-close@bugs.debian.org

Subject: Bug#983004: fixed in bind9 1:9.16.12-1

Date: Thu, 18 Feb 2021 07:48:35 +0000

Source: bind9
Source-Version: 1:9.16.12-1
Done: Ondřej Surý <ondrej@debian.org>

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983004@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Feb 2021 08:13:58 +0100
Source: bind9
Architecture: source
Version: 1:9.16.12-1
Distribution: unstable
Urgency: high
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 983004
Changes:
 bind9 (1:9.16.12-1) unstable; urgency=high
 .
   * New upstream version 9.16.12
    + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
      (Closes: #983004)
   * Adjust the bind9-libs and bind9-dev packages for new upstream library
     names
Checksums-Sha1:
 ac3527eb770a08a7f974ee095362f4e8e5beecaf 2992 bind9_9.16.12-1.dsc
 4e75a4c9ffb905d7eaa389464f0f3418c94cb2e7 5017756 bind9_9.16.12.orig.tar.xz
 e7261896ff97242c06698da6bf9abb19e61c9dc6 77340 bind9_9.16.12-1.debian.tar.xz
 9ad3cf9d40daebd3aa7313cde3a9e9c0ad6a7107 15113 bind9_9.16.12-1_amd64.buildinfo
Checksums-Sha256:
 40bc601f6ca701f9ad293f0c9f8db7952dedd773c03c5bbcf629348324d165e6 2992 bind9_9.16.12-1.dsc
 9914af9311fd349cab441097898d94fb28d0bfd9bf6ed04fe1f97f042644da7f 5017756 bind9_9.16.12.orig.tar.xz
 e3a255242047d649bce8dfcf956ce79dd7d34ddd1ae429e942045135f3258160 77340 bind9_9.16.12-1.debian.tar.xz
 420043b76dd1d42928e4bdb92bec4653b944dbbba24e7a0ddd4f5ac248396a1c 15113 bind9_9.16.12-1_amd64.buildinfo
Files:
 631e74530f08e56dcfb4c3d9c69c5958 2992 net optional bind9_9.16.12-1.dsc
 61c545db393628152e5b2c957e8bf712 5017756 net optional bind9_9.16.12.orig.tar.xz
 f265e99a81e5a8ef0920e0853bcf4f95 77340 net optional bind9_9.16.12-1.debian.tar.xz
 8c12cf3b34efd2c394c17cb9d61cc0e7 15113 net optional bind9_9.16.12-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmAuFeRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
WcKGNA/+MXNY5XyVBhdqDGdzJbkflTPVcKpgyWPjDAg2OhYAV5stmgwJaJVUgMdG
BG2fUsHpVEZE56UmFwSdJHnd4pG6ycaU0K7YBY0pONkEw88HkGwBZHQ0ijdf4ueF
CGBZ7VuFRA0++Gmk/ch4KKaNouPmJ9WaqqlOXCN8mBOT5lZeZ6JcxI5mHxLYtll9
eS9+wJ6oydx/lr1NIXEqA8vNfu5fzLLGiACC5WIYfp5XjbgjPeOYw3gnDOzKxkmL
bPAJFnFGzwDDeDMqpGZfZpN+JutWGX54MbFpZBEgEy0hUBVn7k8rBUZkni/JRlnM
UcA3l3GIAkOIy/MqcJA4ZdASDOADH7t3fBvRyTLl9Di/av6Qc15KDjlW7Aht2KQv
ONtMVGAi7PCl80ja5ABqUAtD1OBu8Wz/UKzXRqcwDrTwn7R9QIE4dStEri/krasT
NrTxMloJuBKQsNuGADqqbmTPFbHj1mcEZXvMhz3a2ZYb1ysJA03pWs/0k7nBe7WQ
eNPzhA2VJLQKRXGM9b/X05EnVT8wjaLSc6+IFPCJQGwRACK9TpWCKeh8om/Ng3py
7FJZFerkQuIl2X4+rJtK982ftb+9IMX4t6V6yBTIlChecqh0mTPmTepW0ikEN/Xp
rfhgvsGFKO4nO9ULdiQtJBc/olfgzm5jvN9EYF+ltTEmF3kquBw=
=Uu1t
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.