oss-sec mailing list archives
ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)
From: Michał Kępień <michal () isc org>
Date: Wed, 21 Sep 2022 11:46:28 +0200
On 21 September 2022 we (Internet Systems Consortium) disclosed six vulnerabilities affecting our BIND 9 software: - CVE-2022-2795: Processing large delegations may severely degrade resolver performance https://kb.isc.org/docs/cve-2022-2795 - CVE-2022-2881: Buffer overread in statistics channel code https://kb.isc.org/docs/cve-2022-2881 - CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only) https://kb.isc.org/docs/cve-2022-2906 - CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly https://kb.isc.org/docs/cve-2022-3080 - CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code https://kb.isc.org/docs/cve-2022-38177 - CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code https://kb.isc.org/docs/cve-2022-38178 New versions of BIND are available from https://www.isc.org/downloads Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of the release directories for our stable release branches (9.16 and 9.18): - https://downloads.isc.org/isc/bind9/9.16.33/patches/ - https://downloads.isc.org/isc/bind9/9.18.7/patches/ With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released. -- Best regards, Michał Kępień
Current thread:
- ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178) Michał Kępień (Sep 21)