From URL:

Description:
GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network. SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.

Impact:
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible.
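The exposure condition quoted above (either tkey-gssapi-keytab or tkey-gssapi-credential explicitly set) can be checked against a server's configuration text. The following is an added example, not part of the original report or of BIND: the sample config, its paths and the function names are constructed, include files are not followed, and it checks only the configuration condition, not whether the installed version is affected.

```python
import re

# Options the advisory text names as exposing the vulnerable SPNEGO code path.
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Constructed sample named.conf: two commented-out settings, one live setting.
SAMPLE_CONF = '''
options {
    directory "/var/bind";
    // tkey-gssapi-credential "DNS/ns1.example.test";
    /* tkey-gssapi-keytab "/old/dns.keytab"; */
    tkey-gssapi-keytab "/etc/bind/dns.keytab";  # constructed path
};
'''

def strip_comments(text):
    """Drop named.conf comments (/* */, //, #) but keep quoted strings intact."""
    out, i, n, in_quote = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_quote:
            out.append(c)
            in_quote = c != '"'
        elif c == '"':
            in_quote = True
            out.append(c)
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            out.append(" ")
            i = n if end == -1 else end + 1
        elif text.startswith("//", i) or c == "#":
            end = text.find("\n", i)
            i = n if end == -1 else end - 1
        else:
            out.append(c)
        i += 1
    return "".join(out)

def gss_tsig_settings(conf_text):
    """Return {option: value} for each GSS-TSIG option set to a non-empty value."""
    clean = strip_comments(conf_text)
    found = {}
    for opt in GSS_OPTIONS:
        m = re.search(r'(?<![\w-])' + re.escape(opt) + r'\s+(?:"([^"]*)"|([^\s;"]+))\s*;', clean)
        if m and (m.group(1) or m.group(2)):
            found[opt] = m.group(1) or m.group(2)
    return found

if __name__ == "__main__":
    print(gss_tsig_settings(SAMPLE_CONF) or "no GSS-TSIG options set")
```

Feeding it the output of `named-checkconf -p`, which prints the configuration with included files expanded, covers settings that live outside the main file.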
Well, there was a regression which caused a crash when handling certain requests that is already patched: https://gitlab.isc.org/isc-projects/bind9/-/issues/2503 Note that ISC are not treating this issue as a security issue, because "this is a newly introduced option and disabled by default": https://www.openwall.com/lists/oss-security/2021/02/19/5
(In reply to John Helmert III (ajak) from comment #1)
> Well, there was a regression which caused a crash when handling certain
> requests that is already patched:
> https://gitlab.isc.org/isc-projects/bind9/-/issues/2503
>
> Note that ISC are not treating this issue as a security issue, because "this
> is a newly introduced option and disabled by default":
>
> https://www.openwall.com/lists/oss-security/2021/02/19/5

And another, workaround included (and probably patches somewhere):
https://lists.isc.org/pipermail/bind-announce/2021-February/001180.html