oss-sec mailing list archives
Five vulnerabilities disclosed in BIND (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624)
From: Michael McNally <mcnally () isc org>
Date: Thu, 20 Aug 2020 11:10:07 -0800
On August 20, 2020, we (Internet Systems Consortium) have disclosed five vulnerabilities in our BIND 9 software:

CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
https://kb.isc.org/docs/cve-2020-8620

CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
https://kb.isc.org/docs/cve-2020-8621

CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
https://kb.isc.org/docs/cve-2020-8622

CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
https://kb.isc.org/docs/cve-2020-8623

CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
https://kb.isc.org/docs/cve-2020-8624

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of the release directory for our two stable release branches (9.11 and 9.16)

https://downloads.isc.org/isc/bind9/9.11.22/patches
https://downloads.isc.org/isc/bind9/9.16.6/patches

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.