ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)

[Michał Kępień <michal () isc org>]

On 21 September 2022 we (Internet Systems Consortium) disclosed six vulnerabilities affecting our BIND 9 software:

- CVE-2022-2795:        Processing large delegations may severely degrade resolver performance 
https://kb.isc.org/docs/cve-2022-2795
- CVE-2022-2881:        Buffer overread in statistics channel code https://kb.isc.org/docs/cve-2022-2881
- CVE-2022-2906:        Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only) 
https://kb.isc.org/docs/cve-2022-2906
- CVE-2022-3080:        BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout 
may terminate unexpectedly https://kb.isc.org/docs/cve-2022-3080
- CVE-2022-38177:       Memory leak in ECDSA DNSSEC verification code https://kb.isc.org/docs/cve-2022-38177
- CVE-2022-38178:       Memory leaks in EdDSA DNSSEC verification code https://kb.isc.org/docs/cve-2022-38178

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific 
patches in the "patches" subdirectory of the release directories for our stable release branches (9.16 and 9.18):

- https://downloads.isc.org/isc/bind9/9.16.33/patches/
- https://downloads.isc.org/isc/bind9/9.18.7/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages 
that have been prepared may be released.

-- 
Best regards,
Michał Kępień