List: oss-security
Subject: [oss-security] Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635
From: "Everett B. Fulton" <ebf () isc ! org>
Date: 2022-03-16 19:51:01
Message-ID: c4f4fbb4-04fb-a4e5-0aba-d18533ddaaa9 () isc ! org
On March 16 2022, we (Internet Systems Consortium) disclosed four
vulnerabilities affecting our BIND 9 software:
CVE-2021-25220: DNS forwarders - cache poisoning vulnerability
https://kb.isc.org/docs/CVE-2021-25220
CVE-2022-0396: DoS from specifically crafted TCP packets
https://kb.isc.org/docs/cve-2022-0396
CVE-2022-0635: DNAME insist with synth-from-dnssec enabled
https://kb.isc.org/docs/cve-2022-0635
CVE-2022-0667: Assertion failure on delayed DS lookup
https://kb.isc.org/docs/cve-2022-0667
New versions of BIND are available from https://www.isc.org/downloads
Operators and package maintainers who prefer to apply patches
selectively can find individual vulnerability-specific patches in the
"patches" subdirectory of the release directories for our three stable
release branches (9.11, 9.16 and 9.18):
https://downloads.isc.org/isc/bind9/9.11.37/patches/
https://downloads.isc.org/isc/bind9/9.16.27/patches/
https://downloads.isc.org/isc/bind9/9.18.1/patches/
With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.
--
Everett B. Fulton
ISC Support