Date: Wed, 17 Feb 2021 11:25:57 -0900
From: Michael McNally <mcnally@....org>
To: oss-security@...ts.openwall.com
Cc: "security-officer@....org" <security-officer@....org>
Subject: One BIND vulnerability (CVE-2020-8625) has been publicly disclosed

On February 17, 2021, Internet Systems Consortium has disclosed a
vulnerability in our BIND 9 software about which we previously
provided advance notice.

CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack
https://kb.isc.org/docs/cve-2020-8625

With the public announcement of this vulnerability, the embargo
period is ended and any updated software packages that have been
prepared may be released.

ISC's own releases containing fixes are:

- BIND 9.11.28
- BIND 9.16.12
- BIND 9.17.10

each of which can be downloaded via the ISC downloads page,
https://www.isc.org/downloads

For package maintainers who want *only* the fixes for the CVE
vulnerabilities, patch diffs are available for each branch in the
"patches" subdirectory of the branch's February 2021 maintenance
release, e.g.:

9.11 branch: https://downloads.isc.org/isc/bind9/9.11.28/patches
9.16 branch: https://downloads.isc.org/isc/bind9/9.16.12/patches
9.17 branch: no patch necessary for versions >= 9.17.2

Sincerely,

Michael McNally
ISC Security Officer