oss-sec mailing list archives

ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076)


From: Aram Sargsyan <aram () isc org>
Date: Tue, 23 Jul 2024 13:59:07 +0000 (UTC)

On 23 July 2024 we (Internet Systems Consortium) disclosed four vulnerabilities affecting our BIND 9 software:

- CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable
  https://kb.isc.org/docs/cve-2024-0760
- CVE-2024-1737: BIND's database will be slow if a very large number of RRs exist at the same name
  https://kb.isc.org/docs/cve-2024-1737
- CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
  https://kb.isc.org/docs/cve-2024-1975
- CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content
  https://kb.isc.org/docs/cve-2024-4076

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific 
patches in the "patches" subdirectory of each published release directory:

- https://downloads.isc.org/isc/bind9/9.18.28/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages 
that have been prepared may be released.

