oss-sec mailing list archives
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
From: Ariadne Conill <ariadne () dereferenced org>
Date: Thu, 29 Apr 2021 04:34:11 -0600 (MDT)
Hello, On Wed, 28 Apr 2021, Michael McNally wrote:
On April 28, 2021, we (Internet Systems Consortium) disclosed three vulnerabilities affecting our BIND 9 software: CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly https://kb.isc.org/docs/cve-2021-25214 CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself https://kb.isc.org/docs/cve-2021-25215 CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack https://kb.isc.org/docs/cve-2021-25216 New versions of BIND are available from https://www.isc.org/downloads Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectoryof the release directories for our two stable release branches (9.11 and 9.16)https://downloads.isc.org/isc/bind9/9.11.31/patches https://downloads.isc.org/isc/bind9/9.16.15/patches
These directories only have patches for CVE-2021-25214 and CVE-2021-25215. A patch for CVE-2021-25216 appears to be missing. In some supported branches of Alpine, we erroneously followed a development branch of BIND, so I am trying to determine if there is anything I need to backport to cover CVE-2021-25216.
Thanks in advance for any advice you can provide on this. Ariadne
Current thread:
- ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Michael McNally (Apr 28)
- Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)