oss-sec mailing list archives
ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-2828, CVE-2023-2911)
From: Michał Kępień <michal () isc org>
Date: Wed, 21 Jun 2023 18:12:26 +0200
On 21 June 2023 we (Internet Systems Consortium) disclosed two vulnerabilities affecting our BIND 9 software:

  - CVE-2023-2828: named's configured cache size limit can be significantly exceeded
    https://kb.isc.org/docs/cve-2023-2828

  - CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0
    https://kb.isc.org/docs/cve-2023-2911

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of each published release directory:

  - https://downloads.isc.org/isc/bind9/9.16.42/patches/
  - https://downloads.isc.org/isc/bind9/9.18.16/patches/
  - https://downloads.isc.org/isc/bind9/9.19.14/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.

--
Best regards,
Michał Kępień