oss-sec mailing list archives

ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)

From: Michael McNally <mcnally () isc org>
Date: Wed, 28 Apr 2021 17:09:42 -0800

On April 28, 2021, we (Internet Systems Consortium) disclosed three
vulnerabilities affecting our BIND 9 software:

   CVE-2021-25214: A broken inbound incremental zone update (IXFR)
   can cause named to terminate unexpectedly
   https://kb.isc.org/docs/cve-2021-25214

   CVE-2021-25215: An assertion check can fail while answering queries for
   DNAME records that require the DNAME to be processed to resolve itself
   https://kb.isc.org/docs/cve-2021-25215

   CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy
   negotiation can be targeted by a buffer overflow attack
   https://kb.isc.org/docs/cve-2021-25216

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can
find individual vulnerability-specific patches in the "patches" subdirectory
of the release directories for our two stable release branches (9.11 and 9.16)

  https://downloads.isc.org/isc/bind9/9.11.31/patches
  https://downloads.isc.org/isc/bind9/9.16.15/patches

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.

Current thread:

ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Michael McNally (Apr 28)
- Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)
  - Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ondřej Surý (Apr 29)
    - Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)