List:       oss-security
Subject:    [oss-security] Five vulnerabilities disclosed in BIND (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, 
From:       Michael McNally <mcnally () isc ! org>
Date:       2020-08-20 19:10:07
Message-ID: 3801c44c-e32a-1607-4764-1be5effec959 () isc ! org

On August 20, 2020, we (Internet Systems Consortium) disclosed five
vulnerabilities in our BIND 9 software:

   CVE-2020-8620: A specially crafted large TCP payload can trigger
   an assertion failure in tcpdns.c
   https://kb.isc.org/docs/cve-2020-8620

   CVE-2020-8621: Attempting QNAME minimization after forwarding can
   lead to an assertion failure in resolver.c
   https://kb.isc.org/docs/cve-2020-8621

   CVE-2020-8622: A truncated TSIG response can lead to an assertion
   failure
   https://kb.isc.org/docs/cve-2020-8622

   CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely
   triggerable assertion failure in pk11.c
   https://kb.isc.org/docs/cve-2020-8623

   CVE-2020-8624: update-policy rules of type "subdomain" are enforced
   incorrectly
   https://kb.isc.org/docs/cve-2020-8624

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively
can find individual vulnerability-specific patches in the "patches"
subdirectory of the release directory for our two stable release branches
(9.11 and 9.16):

  https://downloads.isc.org/isc/bind9/9.11.22/patches
  https://downloads.isc.org/isc/bind9/9.16.6/patches

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.