oss-sec mailing list archives

Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)

From: Ondřej Surý <ondrej () isc org>
Date: Thu, 29 Apr 2021 12:36:56 +0200

Hi Ariande,

BIND 9.17.x was using the system SPNEGO since 9.17.2 (I think).

Also for older versions, it should be enough to use --disable-isc-spnego if you can’t patch it (that’s what I am doing 
for Debian buster).  It just won’t work with Heimdal krb5, but it compiles just fine with MIT krb5.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ondrej () isc org

On 29. 4. 2021, at 12:34, Ariadne Conill <ariadne () dereferenced org> wrote:

Hello,

On Wed, 28 Apr 2021, Michael McNally wrote:

On April 28, 2021, we (Internet Systems Consortium) disclosed three
vulnerabilities affecting our BIND 9 software:

 CVE-2021-25214: A broken inbound incremental zone update (IXFR)
 can cause named to terminate unexpectedly
 https://kb.isc.org/docs/cve-2021-25214

 CVE-2021-25215: An assertion check can fail while answering queries for
 DNAME records that require the DNAME to be processed to resolve itself
 https://kb.isc.org/docs/cve-2021-25215

 CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy
 negotiation can be targeted by a buffer overflow attack
 https://kb.isc.org/docs/cve-2021-25216

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can
find individual vulnerability-specific patches in the "patches" subdirectory
of the release directories for our two stable release branches (9.11 and 9.16)

https://downloads.isc.org/isc/bind9/9.11.31/patches
https://downloads.isc.org/isc/bind9/9.16.15/patches


These directories only have patches for CVE-2021-25214 and CVE-2021-25215. A patch for CVE-2021-25216 appears to be 
missing.  In some supported branches of Alpine, we erroneously followed a development branch of BIND, so I am trying 
to determine if there is anything I need to backport to cover CVE-2021-25216.

Thanks in advance for any advice you can provide on this.

Ariadne

Attachment: signature.asc
Description: Message signed with OpenPGP

Current thread:

ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Michael McNally (Apr 28)
- Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)
  - Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ondřej Surý (Apr 29)
    - Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) Ariadne Conill (Apr 29)