oss-sec mailing list archives
ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
From: Michael McNally <mcnally () isc org>
Date: Wed, 28 Apr 2021 17:09:42 -0800
On April 28, 2021, we (Internet Systems Consortium) disclosed three vulnerabilities affecting our BIND 9 software: CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly https://kb.isc.org/docs/cve-2021-25214 CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself https://kb.isc.org/docs/cve-2021-25215 CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack https://kb.isc.org/docs/cve-2021-25216 New versions of BIND are available from https://www.isc.org/downloads Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of the release directories for our two stable release branches (9.11 and 9.16) https://downloads.isc.org/isc/bind9/9.11.31/patches https://downloads.isc.org/isc/bind9/9.16.15/patches With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.
Current thread:
- ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Michael McNally (Apr 28)