Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)

[Ariadne Conill <ariadne () dereferenced org>]

Hello,

On Wed, 28 Apr 2021, Michael McNally wrote:

> On April 28, 2021, we (Internet Systems Consortium) disclosed three
> vulnerabilities affecting our BIND 9 software:
>
>   CVE-2021-25214: A broken inbound incremental zone update (IXFR)
>   can cause named to terminate unexpectedly
>   https://kb.isc.org/docs/cve-2021-25214
>
>   CVE-2021-25215: An assertion check can fail while answering queries for
>   DNAME records that require the DNAME to be processed to resolve itself
>   https://kb.isc.org/docs/cve-2021-25215
>
>   CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy
>   negotiation can be targeted by a buffer overflow attack
>   https://kb.isc.org/docs/cve-2021-25216
>
> New versions of BIND are available from https://www.isc.org/downloads
>
> Operators and package maintainers who prefer to apply patches selectively can
> find individual vulnerability-specific patches in the "patches" subdirectory
> of the release directories for our two stable release branches (9.11 and 
> 9.16)
>
>  https://downloads.isc.org/isc/bind9/9.11.31/patches
>  https://downloads.isc.org/isc/bind9/9.16.15/patches

These directories only have patches for CVE-2021-25214 and CVE-2021-25215. 
A patch for CVE-2021-25216 appears to be missing.  In some supported 
branches of Alpine, we erroneously followed a development branch of BIND, 
so I am trying to determine if there is anything I need to backport to 
cover CVE-2021-25216.

Thanks in advance for any advice you can provide on this.

Ariadne