oss-sec mailing list archives
ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705)
From: Matthijs Mekking <matthijs () isc org>
Date: Wed, 29 Jan 2025 17:57:50 +0100
On 29 January 2025 we (Internet Systems Consortium) disclosed two vulnerabilities affecting our BIND 9 software:
- CVE-2024-11187: Many records in the additional section cause CPU exhaustion
  https://kb.isc.org/docs/cve-2024-11187
- CVE-2024-12705: DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
  https://kb.isc.org/docs/cve-2024-12705
New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of each published release directory:
- https://downloads.isc.org/isc/bind9/9.18.33/patches/
- https://downloads.isc.org/isc/bind9/9.20.5/patches/
- https://downloads.isc.org/isc/bind9/9.21.4/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.
