[SECURITY-L] [oss-security] Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667)

CSIRT Unicamp security at unicamp.br
Wednesday, March 16 17:05:09 -03 2022


On March 16 2022, we (Internet Systems Consortium) disclosed four
vulnerabilities affecting our BIND 9 software:

   CVE-2021-25220: DNS forwarders - cache poisoning vulnerability
   https://kb.isc.org/docs/CVE-2021-25220

   CVE-2022-0396: DoS from specifically crafted TCP packets
   https://kb.isc.org/docs/cve-2022-0396

   CVE-2022-0635: DNAME insist with synth-from-dnssec enabled
   https://kb.isc.org/docs/cve-2022-0635

   CVE-2022-0667: Assertion failure on delayed DS lookup
   https://kb.isc.org/docs/cve-2022-0667

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches
selectively can find individual vulnerability-specific patches in the
"patches" subdirectory of the release directories for our three stable
release branches (9.11, 9.16 and 9.18):

   https://downloads.isc.org/isc/bind9/9.11.37/patches/
   https://downloads.isc.org/isc/bind9/9.16.27/patches/
   https://downloads.isc.org/isc/bind9/9.18.1/patches/

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.
-- 
Everett B. Fulton
ISC Support
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830
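A quick way to triage a fleet against this advisory is to compare what `named -v` reports with the three fixed releases named above (9.11.37, 9.16.27 and 9.18.1). The script below is an added example, not ISC's or CSIRT Unicamp's code; the version strings it is fed are constructed for illustration, and it deliberately knows nothing about branches other than the three stable ones listed in the advisory.

```python
"""Triage BIND 9 version strings against the fixed releases in the
ISC advisory of 16 March 2022 (CVE-2021-25220, CVE-2022-0396,
CVE-2022-0635, CVE-2022-0667).

Added example; not ISC code.  Assumptions: the only fixed versions
considered are 9.11.37, 9.16.27 and 9.18.1 (the three stable branches
named in the advisory); any other branch is reported as unsupported
rather than guessed at.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED: dict = {
    (9, 11): (9, 11, 37),
    (9, 16): (9, 16, 27),
    (9, 18): (9, 18, 1),
}

# First dotted x.y.z triple in the output of `named -v`, e.g.
# "BIND 9.16.20 (Extended Support Version) <id:...>" -> (9, 16, 20).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(named_v_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `named -v` output, or None."""
    m = _VERSION_RE.search(named_v_output)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(named_v_output: str) -> str:
    """Classify a `named -v` string as one of:
    'fixed'              - at or above the advisory's fixed release
    'vulnerable'         - on a listed branch but below the fixed release
    'unsupported-branch' - not one of 9.11 / 9.16 / 9.18; check ISC's KB
    'unknown'            - no version number could be parsed
    """
    version = parse_version(named_v_output)
    if version is None:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unsupported-branch"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings in the shape `named -v` prints.
    samples = [
        "BIND 9.16.20 (Extended Support Version)",
        "BIND 9.16.27 (Extended Support Version)",
        "BIND 9.18.0 (Stable Release)",
        "BIND 9.18.1 (Stable Release)",
        "BIND 9.11.37 (Extended Support Version)",
        "BIND 9.14.12 (Stable Release)",
        "named: not found",
    ]
    for s in samples:
        print(f"{assess(s):<20} {s}")
```

One caveat for distribution packages: Debian, Ubuntu, RHEL and others backport the fixes without bumping the upstream version, so a string such as "9.16.1-Ubuntu" can already be patched while this check reports it as vulnerable. For packaged BIND, confirm against the package changelog or the distribution's own advisory rather than the upstream version number alone.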

