Opened 18 months ago

Closed 17 months ago

Last modified 14 months ago

#14951 closed enhancement (fixed)

bind9 bind 9.16.15

Reported by: Douglas R. Reno Owned by: thomas
Priority: high Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:


New point version

Change History (6)

comment:1 by thomas, 17 months ago

Notes for BIND 9.16.15 Security Fixes

A malformed incoming IXFR transfer could trigger an assertion failure in named, causing it to quit abnormally. (CVE-2021-25214)

ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. [GL #2467]

named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. (CVE-2021-25215)

ISC would like to thank Siva Kakarla for bringing this vulnerability to our attention. [GL #2540]

When a server’s configuration set the tkey-gssapi-keytab or tkey-gssapi-credential option, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism used for GSSAPI authentication). This flaw could be exploited to crash named binaries compiled for 64-bit platforms, and could enable remote code execution when named was compiled for 32-bit platforms. (CVE-2021-25216)

This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro Zero Day Initiative. [GL #2604]

Feature Changes

The ISC implementation of SPNEGO was removed from BIND 9 source code. Instead, BIND 9 now always uses the SPNEGO implementation provided by the system GSSAPI library when it is built with GSSAPI support. All major contemporary Kerberos/GSSAPI libraries contain an implementation of the SPNEGO mechanism. [GL #2607]

The default value for the stale-answer-client-timeout option was changed from 1800 (ms) to off. The default value may be changed again in future releases as this feature matures. [GL #2608]

Bug Fixes

TCP idle and initial timeouts were being incorrectly applied: only the tcp-initial-timeout was applied on the whole connection, even if the connection were still active, which could prevent a large zone transfer from being sent back to the client. The default setting for tcp-initial-timeout was 30 seconds, which meant that any TCP connection taking more than 30 seconds was abruptly terminated. This has been fixed. [GL #2583]

When stale-answer-client-timeout was set to a positive value and recursion for a client query completed when named was about to look for a stale answer, an assertion could fail in query_respond(), resulting in a crash. This has been fixed. [GL #2594]

If zone journal files written by BIND 9.16.11 or earlier were present when BIND was upgraded to BIND 9.16.13 or BIND 9.16.14, the zone file for that zone could have been inadvertently rewritten with the current zone contents. This caused the original zone file structure (e.g. comments, $INCLUDE directives) to be lost, although the zone data itself was preserved. [GL #2623]

After upgrading to BIND 9.16.13, journal files for trust anchor databases (e.g. managed-keys.bind.jnl) could be left in a corrupt state. (Other zone journal files were not affected.) This has been fixed. If a corrupt journal file is detected, named can now recover from it. [GL #2600]

When sending queries over TCP, dig now properly handles +tries=1 +retry=0 by not retrying the connection when the remote server closes the connection prematurely. [GL #2490]

CDS/CDNSKEY DELETE records are now removed when a zone transitions from a secure to an insecure state. named-checkzone also no longer reports an error when such records are found in an unsigned zone. [GL #2517]

Zones using KASP could not be thawed after they were frozen using rndc freeze. This has been fixed. [GL #2523]

After rndc checkds -checkds or rndc dnssec -rollover is used, named now immediately attempts to reconfigure zone keys. This change prevents unnecessary key rollover delays. [GL #2488]

Previously, a memory leak could occur when named failed to bind a UDP socket to a network interface. This has been fixed. [GL #2575]

comment:2 by thomas, 17 months ago

Owner: changed from blfs-book to thomas
Status: newassigned

comment:3 by thomas, 17 months ago

Resolution: fixed
Status: assignedclosed

Fixed in [94cbe4f813]

comment:4 by Douglas R. Reno, 17 months ago

Priority: normalelevated

Mark as elevated due to security fixes

comment:5 by Douglas R. Reno, 17 months ago

Priority: elevatedhigh

NVD has rated CVE-2021-25215 and CVE-2021-25216 as High, with special attention being focused on CVE-2021-25216.

Promoting to high on this basis, as well as the fact that remote code execution can be achieved when exploiting CVE-2021-25216 on 32-bit platforms.

comment:6 by Bruce Dubbs, 14 months ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.