ISC BIND TKEY Query Out-Of-Bounds Read Information Disclosure Vulnerability

Tony Finch dot at
Wed Jun 16 11:28:33 UTC 2021

Josef Moellers <jmoellers at> wrote:
> So far, I'm still stuck with this problem of backporting the fix.
> I'm assuming that the information is not to be disclosed, so I'll try
> and tackle it from a different angle:

The change you are looking for is:

5609.   [func]          The ISC implementation of SPNEGO was removed from BIND 9
                        source code. It was no longer necessary as all major
                        contemporary Kerberos/GSSAPI libraries include support
                        for SPNEGO. [GL #2607]

The CVE description basically says that they deleted the vulnerable code,
rather than fixing it, because other Kerberos libraries provide better
SPNEGO implementations.

So the fix for your backport is to add --disable-isc-spnego to the build
options, to make it use Heimdal or MIT Kerberos instead.

> How do I send a "TKEY Query" in the first place?

I have wondered the same thing ...

f.anthony.n.finch  <dot at>
no one shall be enslaved by poverty, ignorance, or conformity
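
Added example, not part of the original message and not ISC code: a shell check that reads the configure arguments echoed on the "built by make with" line of `named -V` and reports whether a backported build was made with `--disable-isc-spnego`. The function name, the status strings and the sample text are constructed for illustration; it assumes GSSAPI is auto-detected when no `--with-gssapi` flag is given.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the BIND source tree).
# Input: the full text of `named -V`. Output: one status word.
#   system-spnego  built with --disable-isc-spnego (the fix described above)
#   isc-spnego     bundled ISC SPNEGO may be compiled in (if GSSAPI was found)
#   no-gssapi      GSSAPI disabled at build time, so no SPNEGO code is used
#   unknown        no "built by make with" line in the input
spnego_status() (
    set -f   # no globbing while splitting arguments (subshell keeps it local)
    args=$(printf '%s\n' "$1" | sed -n 's/^built by make with //p' | tr -d "'")
    gssapi=auto   # assumption: auto-detected when no flag is given
    spnego=isc    # bundled implementation unless explicitly disabled
    for a in $args; do   # later arguments override earlier ones
        case $a in
            --without-gssapi|--with-gssapi=no)            gssapi=no ;;
            --with-gssapi|--with-gssapi=*)                gssapi=yes ;;
            --disable-isc-spnego|--enable-isc-spnego=no)  spnego=system ;;
            --enable-isc-spnego|--enable-isc-spnego=yes)  spnego=isc ;;
        esac
    done
    if [ -z "$args" ]; then
        echo unknown
    elif [ "$gssapi" = no ]; then
        echo no-gssapi
    elif [ "$spnego" = system ]; then
        echo system-spnego
    else
        echo isc-spnego
    fi
)

# Constructed sample of `named -V` output (version string is a placeholder).
sample="BIND 9.x.y (constructed sample)
running on Linux x86_64
built by make with '--prefix=/usr' '--with-gssapi=/usr' '--disable-isc-spnego'
compiled by GCC"

echo "sample build: $(spnego_status "$sample")"
# On a real host: spnego_status "$(named -V 2>&1)"
```

A result of `isc-spnego` means the build options still need `--disable-isc-spnego` before rebuilding.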
