ISC BIND TKEY Query Out-Of-Bounds Read Information Disclosure Vulnerability
Tony Finch
dot at dotat.at
Wed Jun 16 11:28:33 UTC 2021
Josef Moellers <jmoellers at suse.de> wrote:
>
> So far, I'm still stuck with this problem of backporting the fix.
> I'm assuming that the information is not to be disclosed, so I'll try
> and tackle it from a different angle:
The change you are looking for is:
5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
source code. It was no longer necessary as all major
contemporary Kerberos/GSSAPI libraries include support
for SPNEGO. [GL #2607]
The CVE description basically says that they deleted the vulnerable code,
rather than fixing it, because other Kerberos libraries provide better
SPNEGO implementations.
https://kb.isc.org/docs/cve-2021-25216
So the fix for your backport is to add --disable-isc-spnego to the build
options, to make it use Heimdal or MIT Kerberos instead.
> How do I send a "TKEY Query" in the first place?
I have wondered the same thing ...
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
no one shall be enslaved by poverty, ignorance, or conformity
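
A check a packager could run after rebuilding with the option mentioned in the message above (an added example, not part of the original message or of BIND): it reads the output of `named -V`, which lists the configure arguments, and reports whether `--disable-isc-spnego` was among them. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify a BIND build from the text printed by `named -V` (read on stdin).
# Prints one of:
#   disabled      the configure line contains --disable-isc-spnego
#   not-disabled  a configure line was found but the flag is absent
#   unknown       no "built ... with" line in the input
spnego_build_status() {
    awk -v q="'" '
        /^built .*with / {
            seen = 1
            # configure arguments are printed space-separated, each in single quotes
            n = split($0, args, " ")
            for (i = 1; i <= n; i++) {
                a = args[i]
                gsub(q, "", a)                       # strip the quoting
                # autoconf lets the last --enable/--disable of a feature win;
                # only these two exact spellings are recognised here
                if (a == "--disable-isc-spnego") off = 1
                if (a == "--enable-isc-spnego")  off = 0
            }
        }
        END {
            if (!seen)    print "unknown"
            else if (off) print "disabled"
            else          print "not-disabled"
        }
    '
}

# Constructed sample of `named -V` output (not captured from a real system).
sample_named_v() {
    cat <<'EOF'
BIND 9.x.y (constructed sample)
running on Linux x86_64
built by make with '--prefix=/usr' '--with-gssapi' '--disable-isc-spnego'
compiled by GCC
EOF
}

# Stand-alone run on the sample; on a real host use: named -V | spnego_build_status
sample_named_v | spnego_build_status
```

A result of `not-disabled` or `unknown` means the build options of the package still need to be reviewed by hand.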