oss-sec mailing list archives
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
From: Ondřej Surý <ondrej () isc org>
Date: Thu, 29 Apr 2021 12:36:56 +0200
Hi Ariande, BIND 9.17.x was using the system SPNEGO since 9.17.2 (I think). Also for older versions, it should be enough to use --disable-isc-spnego if you can’t patch it (that’s what I am doing for Debian buster). It just won’t work with Heimdal krb5, but it compiles just fine with MIT krb5. Cheers, Ondrej -- Ondřej Surý (He/Him) ondrej () isc org
On 29. 4. 2021, at 12:34, Ariadne Conill <ariadne () dereferenced org> wrote: Hello, On Wed, 28 Apr 2021, Michael McNally wrote:On April 28, 2021, we (Internet Systems Consortium) disclosed three vulnerabilities affecting our BIND 9 software: CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly https://kb.isc.org/docs/cve-2021-25214 CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself https://kb.isc.org/docs/cve-2021-25215 CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack https://kb.isc.org/docs/cve-2021-25216 New versions of BIND are available from https://www.isc.org/downloads Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of the release directories for our two stable release branches (9.11 and 9.16) https://downloads.isc.org/isc/bind9/9.11.31/patches https://downloads.isc.org/isc/bind9/9.16.15/patchesThese directories only have patches for CVE-2021-25214 and CVE-2021-25215. A patch for CVE-2021-25216 appears to be missing. In some supported branches of Alpine, we erroneously followed a development branch of BIND, so I am trying to determine if there is anything I need to backport to cover CVE-2021-25216. Thanks in advance for any advice you can provide on this. Ariadne
Attachment:
signature.asc
Description: Message signed with OpenPGP
Current thread:
- ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Michael McNally (Apr 28)
- Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)
- Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ondřej Surý (Apr 29)
- Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)