New releases of BIND are available: 9.11.19, 9.14.12, and 9.16.3

Michael McNally mcnally at isc.org
Tue May 19 09:00:31 UTC 2020


Three new releases of BIND are available for download from
https://www.isc.org/downloads

BIND 9.11.19 and BIND 9.16.3 are the May 2020 releases of the two
currently supported stable branches of BIND.  In addition to
bug fixes and feature improvements, these releases also contain
security fixes for two "high" severity security vulnerabilities:

   CVE-2020-8616: BIND does not sufficiently limit the number
   of fetches performed when processing referrals

   CVE-2020-8617: A logic error in code which checks TSIG
   validity can be used to trigger an assertion failure in tsig.c

BIND 9.14.12 is the final planned release in the now End-of-Life (EOL)
9.14 branch.  It contains only the fixes for the two security
vulnerabilities and is the last 9.14 release that we intend to release.
If you are running 9.14 please use the time provided to plan your
migration to a currently supported release branch.

Release notes for the individual releases can be found at:

9.11.19:  https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
9.14.12:  https://downloads.isc.org/isc/bind9/9.14.12/RELEASE-NOTES-bind-9.14.12.html
9.16.3:   https://downloads.isc.org/isc/bind9/9.16.3/RELEASE-NOTES-bind-9.16.3.html

ISC have also released patch diffs for the two security vulnerabilities,
for those who wish to selectively patch the two CVE issues without
adopting all of the other changes that are in the latest maintenance
releases.

Patch diffs can be found in:

9.11 branch:  https://downloads.isc.org/isc/bind9/9.11.19/patches
9.14 branch:  https://downloads.isc.org/isc/bind9/9.14.12/patches
9.16 branch:  https://downloads.isc.org/isc/bind9/9.16.3/patches


More information about the bind-announce mailing list