ISC is releasing updated versions of BIND 9 to address two newly-discovered security vulnerabilities
We have released new versions of BIND: 9.16.3, 9.14.12 and 9.11.19, which address two vulnerabilities just disclosed. New versions are available for download from https://www.isc.org/download/ and from https://ftp.isc.org/isc/bind9/cur/.
In addition, updated versions of the BIND 9 packages ISC produces are posted.
- Packages for CentOS and Fedora are on COPR.
- Packages for Ubuntu are on Launchpad.
The two vulnerabilities are CVE-2020-8616 and CVE-2020-8617. Both are High Severity vulnerabilities that we recommend operators patch as soon as possible. Most currently supported versions of BIND 9 from ISC are vulnerable to these two issues.
CVE-2020-8616 affects recursive resolvers only, and is a vulnerability to an amplification attack. CVE-2020-8617 affects both recursive resolvers and authoritative servers and is an assertion failure.
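To check whether an installed named is already at or past the fixed releases named above, here is an added example (not ISC's code) that parses the version banner printed by `named -v`. It assumes the banner contains a `major.minor.patch` version, optionally followed by an `a`/`b`/`rc` pre-release tag, and treats any branch not listed in this announcement as unknown rather than safe.

```python
import re
import subprocess

# First release in each branch that contains the fixes for
# CVE-2020-8616 and CVE-2020-8617, as listed in the announcement.
FIXED = {
    (9, 16): (9, 16, 3),
    (9, 14): (9, 14, 12),
    (9, 11): (9, 11, 19),
}

# Matches e.g. "9.16.2", "9.11.18-Ubuntu" (suffix ignored) and "9.16.3rc1".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)\d+)?")


def parse_named_version(banner):
    """Return (major, minor, patch, is_prerelease) from a `named -v` banner,
    or None if the banner carries no recognisable version."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, m.group(4) is not None)


def patch_status(banner):
    """Classify a banner as 'fixed', 'vulnerable', 'unknown-branch' or 'unparseable'."""
    parsed = parse_named_version(banner)
    if parsed is None:
        return "unparseable"
    major, minor, patch, prerelease = parsed
    fix = FIXED.get((major, minor))
    if fix is None:
        return "unknown-branch"   # e.g. a development branch; consult the advisory
    if (major, minor, patch) > fix:
        return "fixed"
    # A pre-release of the fixed version (e.g. 9.16.3rc1) predates the fix.
    if (major, minor, patch) == fix and not prerelease:
        return "fixed"
    return "vulnerable"


def check_installed():
    """Run `named -v` on this host and classify the result."""
    try:
        banner = subprocess.run(["named", "-v"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        return "named-not-found"
    return patch_status(banner)


if __name__ == "__main__":
    print(check_installed())
```

Distribution packages may carry the fixes as backports without bumping the version, so treat a "vulnerable" result as a prompt to check the package changelog rather than as a final verdict.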
For more details, please consult the official vulnerability announcements linked above and below.
Key references
- BIND does not sufficiently limit the number of fetches performed when processing referrals - https://kb.isc.org/v1/docs/cve-2020-8616
- A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c - https://kb.isc.org/v1/docs/cve-2020-8617
- FAQ and Supplemental Information for CVE-2020-8617 - https://kb.isc.org/v1/docs/cve-2020-8617-faq-and-supplemental-information
We announce significant BIND 9 vulnerabilities on the bind-users list, in accordance with our published Software Defect and Security Vulnerability Disclosure Policy. To be notified of vulnerabilities when they are published in the future, please consider subscribing.