oss-sec mailing list archives

Five vulnerabilities disclosed in BIND (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624)

From: Michael McNally <mcnally () isc org>
Date: Thu, 20 Aug 2020 11:10:07 -0800

On August 20, 2020, we (Internet Systems Consortium) have disclosed five
vulnerabilities in our BIND 9 software:

   CVE-2020-8620: A specially crafted large TCP payload can trigger
   an assertion failure in tcpdns.c
   https://kb.isc.org/docs/cve-2020-8620

   CVE-2020-8621: Attempting QNAME minimization after forwarding can
   lead to an assertion failure in resolver.c
   https://kb.isc.org/docs/cve-2020-8621

   CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
   https://kb.isc.org/docs/cve-2020-8622

   CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely
   triggerable assertion failure in pk11.c
   https://kb.isc.org/docs/cve-2020-8623

   CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
   https://kb.isc.org/docs/cve-2020-8624

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can
find individual vulnerability-specific patches in the "patches" subdirectory
of the release directory for our two stable release branches (9.11 and 9.16)

  https://downloads.isc.org/isc/bind9/9.11.22/patches
  https://downloads.isc.org/isc/bind9/9.16.6/patches

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.

Current thread:

Five vulnerabilities disclosed in BIND (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624) Michael McNally (Aug 20)