oss-sec mailing list archives

Re: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076)

From: Valtteri Vuorikoski <vuori () notcom org>
Date: Wed, 31 Jul 2024 12:41:59 +0300

On Tue, Jul 23, 2024 at 01:59:07PM +0000, Aram Sargsyan wrote:

On 23 July 2024 we (Internet Systems Consortium) disclosed four vulnerabilities affecting our BIND 9 software:

- CVE-2024-1975:        SIG(0) can be used to exhaust CPU resources https://kb.isc.org/docs/cve-2024-1975


Note to anyone running 9.18 series (which means at least all Debian 12
installations) that the "fix" for this CVE in that branch is the complete
removal of SIG(0) dynamic DNS update support. Not just a disabled-by-default
config option, but the actual removal of the relevant code.

The actual mitigation for the issue is only available in the 9.20 series.

IMO this seems like a rather drastic way of doing things for a 0.0.1 patch
release to a purportedly stable branch. Anyway reverting
https://github.com/isc-projects/bind9/commit/bef3d2cca3552100bbe44790c8c1a4f5bef06798
restores SIG(0) support (along with the vulnerability) for those who prefer to
live dangerously.

 -Valtteri

Current thread:

ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Aram Sargsyan (Jul 23)
- Re: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Valtteri Vuorikoski (Jul 31)