Message-ID: <hwkl4p4igeqk2j2du4handrhtdcm2loitv6xdeozz3w4c5t3ul@ksr2ahgumsxi>
Date: Wed, 31 Jul 2024 12:41:59 +0300
From: Valtteri Vuorikoski <vuori@...com.org>
To: oss-security@...ts.openwall.com
Subject: Re: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076)

On Tue, Jul 23, 2024 at 01:59:07PM +0000, Aram Sargsyan wrote:
> On 23 July 2024 we (Internet Systems Consortium) disclosed four vulnerabilities affecting our BIND 9 software:
>
> - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
>   https://kb.isc.org/docs/cve-2024-1975

Note to anyone running 9.18 series (which means at least all Debian 12 installations) that the "fix" for this CVE in that branch is the complete removal of SIG(0) dynamic DNS update support. Not just a disabled-by-default config option, but the actual removal of the relevant code. The actual mitigation for the issue is only available in the 9.20 series.

IMO this seems like a rather drastic way of doing things for a 0.0.1 patch release to a purportedly stable branch.

Anyway reverting https://github.com/isc-projects/bind9/commit/bef3d2cca3552100bbe44790c8c1a4f5bef06798 restores SIG(0) support (along with the vulnerability) for those who prefer to live dangerously.

-Valtteri