Bug 786555 (CVE-2021-25214, CVE-2021-25215, CVE-2021-25216) - <net-dns/bind-9.16.15: Multiple vulnerabilities (CVE-2021-{25214,25215,25216})
Summary: <net-dns/bind-9.16.15: Multiple vulnerabilities (CVE-2021-{25214,25215,25216})
Status: RESOLVED FIXED
Alias: CVE-2021-25214, CVE-2021-25215, CVE-2021-25216
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2021-04-28 21:08 UTC by Sam James
Modified: 2021-05-12 19:05 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-28 21:08:46 UTC
* CVE-2021-25214

Description:
"When a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed."

Advisory: https://kb.isc.org/docs/cve-2021-25214

* CVE-2021-25215

Description:
"When a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check."

Advisory: https://kb.isc.org/docs/cve-2021-25215

* CVE-2021-25216

Description:
"BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options."

Advisory: https://kb.isc.org/docs/cve-2021-25216

---
Please bump to 9.16.15.
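
A defender-side check for the CVE-2021-25216 exposure condition quoted above, as an added example that is not part of the original bug report or the ISC advisory: it strips named.conf comments, looks for explicit `tkey-gssapi-keytab` / `tkey-gssapi-credential` settings, and compares the installed version with the 9.16.15 threshold from the bug title. The function names, sample configuration and paths are constructed for illustration, and the version check covers only the Gentoo atom named in this bug.

```python
import re

FIXED = (9, 16, 15)  # bug title: <net-dns/bind-9.16.15 is affected
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Quoted strings are matched first so "//" or "#" inside them is not a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Drop /* */, // and # comments from named.conf text."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def gss_tsig_settings(conf):
    """Return {option: value} for GSS-TSIG options that are set explicitly."""
    text = strip_comments(conf)
    found = {}
    for opt in GSS_OPTIONS:
        m = re.search(r'(?<![\w-])' + re.escape(opt)
                      + r'\s+("(?:\\.|[^"\\])*"|[^\s;]+)\s*;', text)
        if m:
            found[opt] = m.group(1).strip('"')
    return found

def is_affected_version(version):
    """True if a version such as '9.16.12-r1' is below 9.16.15."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(map(int, m.groups())) < FIXED

def gss_tsig_exposed(version, conf):
    """Affected version AND the non-default GSS-TSIG code path enabled."""
    return is_affected_version(version) and bool(gss_tsig_settings(conf))

# Constructed sample, not taken from a real server.
SAMPLE_CONF = '''
options {
    directory "/var/bind";
    // tkey-gssapi-credential "DNS/old.example.test";
    /* tkey-gssapi-keytab "/etc/old.keytab"; */
    tkey-gssapi-keytab "/etc/bind/dns.keytab";  # explicit setting
};
'''

if __name__ == "__main__":
    print(gss_tsig_settings(SAMPLE_CONF))
    print(gss_tsig_exposed("9.16.12-r1", SAMPLE_CONF))
```

An empty result means only the CVE-2021-25216 code path is not enabled by configuration; the other two CVEs in this bug are not gated by these options, so the version bump is still required.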
Comment 1 Attila Tóth 2021-05-02 18:24:47 UTC
bind-9.16.15 is available upstream and compiles as expected.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-05-12 19:05:21 UTC
No glsa for this bug.