ISC BIND TKEY Query Out-Of-Bounds Read Information Disclosure Vulnerability

Josef Moellers jmoellers at
Wed Jun 16 12:33:05 UTC 2021

Hello Tony,

On 16.06.21 13:28, Tony Finch wrote:
> Josef Moellers <jmoellers at> wrote:
>> So far, I'm still stuck with this problem of backporting the fix.
>> I'm assuming that the information is not to be disclosed, so I'll try
>> and tackle it from a different angle:
> The change you are looking for is:
> 5609.   [func]          The ISC implementation of SPNEGO was removed from BIND 9
>                         source code. It was no longer necessary as all major
>                         contemporary Kerberos/GSSAPI libraries include support
>                         for SPNEGO. [GL #2607]
> The CVE description basically says that they deleted the vulnerable code,
> rather than fixing it, because other Kerberos libraries provide better
> SPNEGO implementations.
> So the fix for your backport is to add --disable-isc-spnego to the build
> options, to make it it use Heimdal or MIT Kerberos instead.

You just saved my day! I definitely owe you one.
As I already fixed CVE-2020-8625, ISC's it's probably gone already.

>> How do I send a "TKEY Query" in the first place?
> I have wondered the same thing ...

Thanks again and ... stay healthy!

SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

More information about the bind-workers mailing list