Date: Wed, 16 Mar 2022 14:51:01 -0500
From: "Everett B. Fulton" <>
Subject: Four vulnerabilities disclosed in BIND (CVE-2021-25220,
 CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667)

On March 16 2022, we (Internet Systems Consortium) disclosed four
vulnerabilities affecting our BIND 9 software:

   CVE-2021-25220: DNS forwarders - cache poisoning vulnerability

   CVE-2022-0396: DoS from specifically crafted TCP packets

   CVE-2022-0635: DNAME insist with synth-from-dnssec enabled

   CVE-2022-0667: Assertion failure on delayed DS lookup

New versions of BIND are available from

Operators and package maintainers who prefer to apply patches
selectively can find individual vulnerability-specific patches in the
"patches" subdirectory of the release directories for our three stable
release branches (9.11, 9.16 and 9.18).

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.

Everett B. Fulton
ISC Support
