oss-sec mailing list archives

Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667)

From: "Everett B. Fulton" <ebf () isc org>
Date: Wed, 16 Mar 2022 14:51:01 -0500

On March 16 2022, we (Internet Systems Consortium) disclosed four
vulnerabilities affecting our BIND 9 software:

  CVE-2021-25220: DNS forwarders - cache poisoning vulnerability
  https://kb.isc.org/docs/CVE-2021-25220

  CVE-2022-0396: DoS from specifically crafted TCP packets
  https://kb.isc.org/docs/cve-2022-0396

  CVE-2022-0635: DNAME insist with synth-from-dnssec enabled
  https://kb.isc.org/docs/cve-2022-0635

  CVE-2022-0667: Assertion failure on delayed DS lookup
  https://kb.isc.org/docs/cve-2022-0667

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches
selectively can find individual vulnerability-specific patches in the
"patches" subdirectory of the release directories for our three stable
release branches (9.11. 9.16 and 9.18)

  https://downloads.isc.org/isc/bind9/9.11.37/patches/
  https://downloads.isc.org/isc/bind9/9.16.27/patches/
  https://downloads.isc.org/isc/bind9/9.18.1/patches/

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.
--
Everett B. Fulton
ISC Support

Current thread:

Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667) Everett B. Fulton (Mar 16)