ISC has disclosed three vulnerabilities in BIND 9 (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924)

[Michał Kępień <michal () isc org>]

On 25 January 2023 we (Internet Systems Consortium) disclosed three vulnerabilities affecting our BIND 9 software:

- CVE-2022-3094:        An UPDATE message flood may cause named to exhaust all available memory 
https://kb.isc.org/docs/cve-2022-3094
- CVE-2022-3736:        named configured to answer from stale cache may terminate unexpectedly while processing RRSIG 
queries https://kb.isc.org/docs/cve-2022-3736
- CVE-2022-3924:        named configured to answer from stale cache may terminate unexpectedly at recursive-clients 
soft quota https://kb.isc.org/docs/cve-2022-3924

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific 
patches in the "patches" subdirectory of each published release directory:

- https://downloads.isc.org/isc/bind9/9.16.37/patches/
- https://downloads.isc.org/isc/bind9/9.18.11/patches/
- https://downloads.isc.org/isc/bind9/9.19.9/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages 
that have been prepared may be released.

-- 
Best regards,
Michał Kępień