oss-sec mailing list archives
Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667)
From: "Everett B. Fulton" <ebf () isc org>
Date: Wed, 16 Mar 2022 14:51:01 -0500
On March 16 2022, we (Internet Systems Consortium) disclosed four vulnerabilities affecting our BIND 9 software:

CVE-2021-25220: DNS forwarders - cache poisoning vulnerability
https://kb.isc.org/docs/CVE-2021-25220

CVE-2022-0396: DoS from specifically crafted TCP packets
https://kb.isc.org/docs/cve-2022-0396

CVE-2022-0635: DNAME insist with synth-from-dnssec enabled
https://kb.isc.org/docs/cve-2022-0635

CVE-2022-0667: Assertion failure on delayed DS lookup
https://kb.isc.org/docs/cve-2022-0667

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of the release directories for our three stable release branches (9.11, 9.16 and 9.18):

https://downloads.isc.org/isc/bind9/9.11.37/patches/
https://downloads.isc.org/isc/bind9/9.16.27/patches/
https://downloads.isc.org/isc/bind9/9.18.1/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.

--
Everett B. Fulton
ISC Support