Source: bind9 Version: 1:9.16.2-3 Severity: grave Tags: security upstream Justification: user security hole Control: fixed -1 1:9.11.5.P4+dfsg-5.1+deb10u1 Control: fixed -1 1:9.10.3.dfsg.P4-12.3+deb9u6 Control: found -1 1:9.11.5.P4+dfsg-5.1 Control: found -1 1:9.10.3.dfsg.P4-12.3+deb9u5 Control: found -1 1:9.10.3.dfsg.P4-12.3
Hi, The following vulnerabilities were published for bind9. Filling mainly for tracking and making sure there is not stable -> unstable regression. CVE-2020-8616[0]: | A malicious actor who intentionally exploits this lack of effective | limitation on the number of fetches performed when processing | referrals can, through the use of specially crafted referrals, cause a | recursing server to issue a very large number of fetches in an attempt | to process the referral. This has at least two potential effects: The | performance of the recursing server can potentially be degraded by the | additional work required to perform these fetches, and The attacker | can exploit this behavior to use the recursing server as a reflector | in a reflection attack with a high amplification factor. CVE-2020-8617[1]: | Using a specially-crafted message, an attacker may potentially cause a | BIND server to reach an inconsistent state if the attacker knows (or | successfully guesses) the name of a TSIG key used by the server. Since | BIND, by default, configures a local session key even on servers whose | configuration does not otherwise make use of it, almost all current | BIND servers are vulnerable. In releases of BIND dating from March | 2018 and after, an assertion check in tsig.c detects this inconsistent | state and deliberately exits. Prior to the introduction of the check | the server would continue operating in an inconsistent state, with | potentially harmful results. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-8616 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616 [1] https://security-tracker.debian.org/tracker/CVE-2020-8617 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617 Regards, Salvatore