CVE-2020-8621

Name: CVE-2020-8621
Description: In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, if a server is configured with both QNAME minimization and 'forward first', then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected.
Source: CVE (at NVD)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| bind9 (PTS) | jessie, jessie (lts) | 1:9.9.5.dfsg-9+deb8u30 | fixed |
| | stretch (security) | 1:9.10.3.dfsg.P4-12.3+deb9u12 | fixed |
| | stretch (lts), stretch | 1:9.10.3.dfsg.P4-12.3+deb9u15 | fixed |
| | buster | 1:9.11.5.P4+dfsg-5.1+deb10u7 | fixed |
| | buster (security) | 1:9.11.5.P4+dfsg-5.1+deb10u10 | fixed |
| | bullseye | 1:9.16.44-1~deb11u1 | fixed |
| | bullseye (security) | 1:9.16.48-1 | fixed |
| | bookworm | 1:9.18.19-1~deb12u1 | fixed |
| | bookworm (security) | 1:9.18.24-1 | fixed |
| | sid, trixie | 1:9.19.21-1 | fixed |

The information below is based on the following data on fixed versions.

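| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| bind9 | source | jessie | (not affected) | | | |
| bind9 | source | stretch | (not affected) | | | |
| bind9 | source | buster | (not affected) | | | |
| bind9 | source | (unstable) | 1:9.16.6-1 | | | |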

Notes

[buster] - bind9 <not-affected> (Vulnerable code introduced in 9.14.x)
[stretch] - bind9 <not-affected> (Vulnerable code introduced in 9.14.x)
https://kb.isc.org/docs/cve-2020-8621
https://gitlab.isc.org/isc-projects/bind9/commit/81514ff925dfc6e0c293745e0fc8320a8af95586 (v9_16_6)
[jessie] - bind9 <not-affected> (Vulnerable code introduced 9.14)
