- CVE-2024-11187: Many records in the additional section cause CPU exhaustion https://kb.isc.org/docs/cve-2024-11187
- CVE-2024-12705: DNS-over-HTTPS implementation suffers from multiple issues under heavy query load https://kb.isc.org/docs/cve-2024-12705

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of each published release directory:

- https://downloads.isc.org/isc/bind9/9.18.33/patches/
- https://downloads.isc.org/isc/bind9/9.20.5/patches/
- https://downloads.isc.org/isc/bind9/9.21.4/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.