Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

bind9: CVE-2020-8616 CVE-2020-8617

Related Vulnerabilities: CVE-2020-8616   CVE-2020-8617  

Source

Debian Bug report logs - #961939
bind9: CVE-2020-8616 CVE-2020-8617

version graph

Package: src:bind9; Maintainer for src:bind9 is Debian DNS Team <team+dns@tracker.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 31 May 2020 19:27:02 UTC

Severity: grave

Tags: security, upstream

Found in versions bind9/1:9.16.2-3, bind9/1:9.10.3.dfsg.P4-12.3, bind9/1:9.11.5.P4+dfsg-5.1, bind9/1:9.10.3.dfsg.P4-12.3+deb9u5

Fixed in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u6, bind9/1:9.11.5.P4+dfsg-5.1+deb10u1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#961939; Package src:bind9. (Sun, 31 May 2020 19:27:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>. (Sun, 31 May 2020 19:27:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: CVE-2020-8616 CVE-2020-8617
Date: Sun, 31 May 2020 21:22:07 +0200
Source: bind9
Version: 1:9.16.2-3
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 1:9.11.5.P4+dfsg-5.1+deb10u1 
Control: fixed -1 1:9.10.3.dfsg.P4-12.3+deb9u6
Control: found -1 1:9.11.5.P4+dfsg-5.1
Control: found -1 1:9.10.3.dfsg.P4-12.3+deb9u5
Control: found -1 1:9.10.3.dfsg.P4-12.3

Hi,

The following vulnerabilities were published for bind9. Filling mainly
for tracking and making sure there is not stable -> unstable
regression.

CVE-2020-8616[0]:
| A malicious actor who intentionally exploits this lack of effective
| limitation on the number of fetches performed when processing
| referrals can, through the use of specially crafted referrals, cause a
| recursing server to issue a very large number of fetches in an attempt
| to process the referral. This has at least two potential effects: The
| performance of the recursing server can potentially be degraded by the
| additional work required to perform these fetches, and The attacker
| can exploit this behavior to use the recursing server as a reflector
| in a reflection attack with a high amplification factor.


CVE-2020-8617[1]:
| Using a specially-crafted message, an attacker may potentially cause a
| BIND server to reach an inconsistent state if the attacker knows (or
| successfully guesses) the name of a TSIG key used by the server. Since
| BIND, by default, configures a local session key even on servers whose
| configuration does not otherwise make use of it, almost all current
| BIND servers are vulnerable. In releases of BIND dating from March
| 2018 and after, an assertion check in tsig.c detects this inconsistent
| state and deliberately exits. Prior to the introduction of the check
| the server would continue operating in an inconsistent state, with
| potentially harmful results.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8616
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
[1] https://security-tracker.debian.org/tracker/CVE-2020-8617
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617

Regards,
Salvatore

Marked as fixed in versions bind9/1:9.11.5.P4+dfsg-5.1+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 31 May 2020 19:27:04 GMT) (full text, mbox, link).

Marked as fixed in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 31 May 2020 19:27:04 GMT) (full text, mbox, link).

Marked as found in versions bind9/1:9.11.5.P4+dfsg-5.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 31 May 2020 19:27:05 GMT) (full text, mbox, link).

Marked as found in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 31 May 2020 19:27:05 GMT) (full text, mbox, link).

Marked as found in versions bind9/1:9.10.3.dfsg.P4-12.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 31 May 2020 19:27:06 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jun 1 13:39:16 2020; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started