ISC is releasing updated versions of BIND 9 to address two newly-discovered security vulnerabilities
We have released new versions of BIND: 9.16.3, 9.14.12 and 9.11.19, which address two vulnerabilities just disclosed. New versions are available for download from https://www.isc.org/download/ and from https://ftp.isc.org/isc/bind9/cur/.
In addition, updated versions of the BIND 9 packages ISC produces are posted.
- Packages for CentOS and Fedora are on COPR.
- Packages for Ubuntu are on Launchpad.
The two vulnerabilities are CVE 2020-8616 and CVE 2020-8617. Both are High Severity vulnerabilities that we recommend operators patch as soon as possible. Most currently supported versions of BIND 9 from ISC are vulnerable to these two issues.
CVE 2020-8616 affects recursive resolvers only, and is a vulnerability to an amplification attack. CVE 2020-8617 affects both recursive resolvers and authoritative servers and is an assertion failure.
For more details, please consult the official vulnerability announcements linked above and below.
- BIND does not sufficiently limit the number of fetches performed when processing referrals - https://kb.isc.org/v1/docs/cve-2020-8616
- A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c - https://kb.isc.org/v1/docs/cve-2020-8617
- FAQ and Supplemental Information for CVE-2020-8617 - https://kb.isc.org/v1/docs/cve-2020-8617-faq-and-supplemental-information
We announce significant BIND 9 vulnerabilities on the bind-users list, in accordance with our published Software Defect and Security Vulnerability Disclosure Policy. To be notified of vulnerabilities when they are published in the future, please consider subscribing.