<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>TKEY queries are sent during Kerberos-authenticated updates. They
should be used when an update is made using nsupdate -g. It is not
easy to debug failures in those, but nsupdate -g -d -D might help.</p>
<p>I have received this issue bug too, without any obvious link to
the CVE number assigned. It would be nice if ISC could confirm this is
about the same issue as the mentioned CVE, just reported by a
different party. It just claims it was fixed in 9.16.15, from
which I guessed it should be this change.</p>
<p>Guessing is not a comfortable way to fix security vulnerabilities
though. The <strong>CVSS Score</strong> is different. Could it be
the original report, which was proved to be worse later? Is it
irrelevant since the original code containing that issue is no longer
shipped?</p>
<div class="moz-cite-prefix">On 6/16/21 1:28 PM, Tony Finch wrote:<br>
</div>
<blockquote type="cite"
cite="mid:60ad8760-5a84-9dc5-44cd-ef78b6de2d24@dotat.at">
<pre class="moz-quote-pre" wrap="">Josef Moellers <a class="moz-txt-link-rfc2396E" href="mailto:jmoellers@suse.de">&lt;jmoellers@suse.de&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
So far, I'm still stuck with this problem of backporting the fix.
I'm assuming that the information is not to be disclosed, so I'll try
and tackle it from a different angle:
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
The change you are looking for is:
5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
source code. It was no longer necessary as all major
contemporary Kerberos/GSSAPI libraries include support
for SPNEGO. [GL #2607]
The CVE description basically says that they deleted the vulnerable code,
rather than fixing it, because other Kerberos libraries provide better
SPNEGO implementations.
<a class="moz-txt-link-freetext" href="https://kb.isc.org/docs/cve-2021-25216">https://kb.isc.org/docs/cve-2021-25216</a>
So the fix for your backport is to add --disable-isc-spnego to the build
options, to make it use Heimdal or MIT Kerberos instead.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">How do I send a "TKEY Query" in the first place?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I have wondered the same thing ...
Tony.
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
</body>
</html>