Source: bind9 Version: 1:9.16.11-2 Severity: grave Tags: security upstream fixed-upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 1:9.11.5.P4+dfsg-5.1+deb10u2 Control: found -1 1:9.11.5.P4+dfsg-5.1 Control: fixed -1 1:9.11.5.P4+dfsg-5.1+deb10u3
Hi, The following vulnerability was published for bind9. CVE-2020-8625[0]: | BIND servers are vulnerable if they are running an affected version | and are configured to use GSS-TSIG features. In a configuration which | uses BIND's default settings the vulnerable code path is not exposed, | but a server can be rendered vulnerable by explicitly setting valid | values for the tkey-gssapi-keytab or tkey-gssapi- | credentialconfiguration options. Although the default configuration is | not vulnerable, GSS-TSIG is frequently used in networks where BIND is | integrated with Samba, as well as in mixed-server environments that | combine BIND servers with Active Directory domain controllers. The | most likely outcome of a successful exploitation of the vulnerability | is a crash of the named process. However, remote code execution, while | unproven, is theoretically possible. Affects: BIND 9.5.0 -> | 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> | 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview | Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 | development branch If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-8625 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625 [1] https://kb.isc.org/v1/docs/cve-2020-8625 [2] https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5 Regards, Salvatore
