aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2021-03-31T16:17:59Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/11884bind: Multiple vulnerabilities (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622,...2021-03-31T16:17:59ZAlicha CHbind: Multiple vulnerabilities (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624)### CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
In versions of BIND that use the libuv network manager (9.16.x is the only stable branch affected) an incorrectly specified maximum bu...### CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
In versions of BIND that use the libuv network manager (9.16.x is the only stable branch affected) an incorrectly specified maximum buffer size allows a specially crafted large TCP payload to trigger an assertion failure when it is received.
Affected Versions: BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3
Fixed In Version: BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8620
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit.
Affected Versions: BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3
Fixed In versions: BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8621
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit.
Affected Versions: BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8622
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
If BIND is built with "--enable-native-pkcs11" then a specially crafted query for a zone signed with RSA can trigger an assertion failure.
Affected Versions: BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
#### References:
* https://kb.isc.org/docs/cve-2020-8623
* https://www.openwall.com/lists/oss-security/2020/08/20/2
### CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
Change 4885 inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain.
Affected Versions: BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition
Fixed In versions: BIND 9.11.22, BIND 9.16.6, BIND 9.17.4
References:
https://kb.isc.org/docs/cve-2020-8624
https://www.openwall.com/lists/oss-security/2020/08/20/2
### Affected branches:
* [x] master (552c946)
* [x] 3.12-stable (8bacbe7)
* [x] 3.11-stable
* [x] 3.10-stable
* [ ] 3.9-stable (EOL)3.12.6Kevin DaudtKevin Daudt