Date: Wed, 16 Mar 2022 14:51:01 -0500
From: "Everett B. Fulton" <ebf@....org>
To: oss-security@...ts.openwall.com
Subject: Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667)

On March 16 2022, we (Internet Systems Consortium) disclosed four
vulnerabilities affecting our BIND 9 software:

CVE-2021-25220: DNS forwarders - cache poisoning vulnerability
https://kb.isc.org/docs/CVE-2021-25220

CVE-2022-0396: DoS from specifically crafted TCP packets
https://kb.isc.org/docs/cve-2022-0396

CVE-2022-0635: DNAME insist with synth-from-dnssec enabled
https://kb.isc.org/docs/cve-2022-0635

CVE-2022-0667: Assertion failure on delayed DS lookup
https://kb.isc.org/docs/cve-2022-0667

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches
selectively can find individual vulnerability-specific patches in the
"patches" subdirectory of the release directories for our three stable
release branches (9.11, 9.16 and 9.18)

https://downloads.isc.org/isc/bind9/9.11.37/patches/
https://downloads.isc.org/isc/bind9/9.16.27/patches/
https://downloads.isc.org/isc/bind9/9.18.1/patches/

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.

--
Everett B. Fulton
ISC Support