Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 786555 (CVE-2021-25214, CVE-2021-25215, CVE-2021-25216)

Summary: <net-dns/bind-9.16.15: Multiple vulnerabilities (CVE-2021-{25214,25215,25216})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: atoth, chutzpah, jasmin+gentoo, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-28 21:08:46 UTC 
* CVE-2021-25214

Description:
"When a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed."

Advisory: https://kb.isc.org/docs/cve-2021-25214

* CVE-2021-25215

Description:
"When a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check."

Advisory: https://kb.isc.org/docs/cve-2021-25215

* CVE-2021-25216

Description:
"BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options."

Advisory: https://kb.isc.org/docs/cve-2021-25216

---
Please bump to 9.16.15.
Comment 1 Attila Tóth 2021-05-02 18:24:47 UTC 
bind-9.16.15 is available upstreams and compiles as expected.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-05-12 19:05:21 UTC 
No glsa for this bug.