ISC BIND TKEY Query Out-Of-Bounds Read Information Disclosure Vulnerability
jmoellers at suse.de
Wed Jun 16 12:33:05 UTC 2021
On 16.06.21 13:28, Tony Finch wrote:
> Josef Moellers <jmoellers at suse.de> wrote:
>> So far, I'm still stuck with this problem of backporting the fix.
>> I'm assuming that the information is not to be disclosed, so I'll try
>> and tackle it from a different angle:
> The change you are looking for is:
> 5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
> source code. It was no longer necessary as all major
> contemporary Kerberos/GSSAPI libraries include support
> for SPNEGO. [GL #2607]
> The CVE description basically says that they deleted the vulnerable code,
> rather than fixing it, because other Kerberos libraries provide better
> SPNEGO implementations.
> So the fix for your backport is to add --disable-isc-spnego to the build
> options, to make it it use Heimdal or MIT Kerberos instead.
You just saved my day! I definitely owe you one.
As I already fixed CVE-2020-8625, ISC's it's probably gone already.
>> How do I send a "TKEY Query" in the first place?
> I have wondered the same thing ...
Thanks again and ... stay healthy!
SUSE Software Solutions Germany GmbH
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
More information about the bind-workers