List: oss-security
Subject: [oss-security] Five vulnerabilities disclosed in BIND (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622,
From: Michael McNally <mcnally () isc ! org>
Date: 2020-08-20 19:10:07
Message-ID: 3801c44c-e32a-1607-4764-1be5effec959 () isc ! org
On August 20, 2020, we (Internet Systems Consortium) disclosed five
vulnerabilities in our BIND 9 software:
CVE-2020-8620: A specially crafted large TCP payload can trigger
an assertion failure in tcpdns.c
https://kb.isc.org/docs/cve-2020-8620
CVE-2020-8621: Attempting QNAME minimization after forwarding can
lead to an assertion failure in resolver.c
https://kb.isc.org/docs/cve-2020-8621
CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
https://kb.isc.org/docs/cve-2020-8622
CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely
triggerable assertion failure in pk11.c
https://kb.isc.org/docs/cve-2020-8623
CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
https://kb.isc.org/docs/cve-2020-8624
New versions of BIND are available from https://www.isc.org/downloads
Operators and package maintainers who prefer to apply patches selectively can
find individual vulnerability-specific patches in the "patches" subdirectory
of the release directory for our two stable release branches (9.11 and 9.16)
https://downloads.isc.org/isc/bind9/9.11.22/patches
https://downloads.isc.org/isc/bind9/9.16.6/patches
With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.