CVE-2020-8616

NameCVE-2020-8616
DescriptionA malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2227-1, DSA-4689-1, ELA-230-1
Debian Bugs961939

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)jessie, jessie (lts)1:9.9.5.dfsg-9+deb8u30fixed
stretch (security)1:9.10.3.dfsg.P4-12.3+deb9u12fixed
stretch (lts), stretch1:9.10.3.dfsg.P4-12.3+deb9u15fixed
buster1:9.11.5.P4+dfsg-5.1+deb10u7fixed
buster (security)1:9.11.5.P4+dfsg-5.1+deb10u10fixed
bullseye1:9.16.44-1~deb11u1fixed
bullseye (security)1:9.16.48-1fixed
bookworm1:9.18.19-1~deb12u1fixed
bookworm (security)1:9.18.24-1fixed
trixie, sid1:9.19.21-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9sourcewheezy1:9.8.4.dfsg.P1-6+nmu2+deb7u24ELA-230-1
bind9sourcejessie1:9.9.5.dfsg-9+deb8u19DLA-2227-1
bind9sourcestretch1:9.10.3.dfsg.P4-12.3+deb9u6DSA-4689-1
bind9sourcebuster1:9.11.5.P4+dfsg-5.1+deb10u1DSA-4689-1
bind9source(unstable)1:9.16.3-1961939

Notes

https://kb.isc.org/docs/cve-2020-8616
Search for package or bug name: Reporting problems