CVE-2020-8622

Name	CVE-2020-8622
Description	In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2355-1, DSA-4752-1, ELA-270-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bind9 (PTS)	jessie, jessie (lts)	1:9.9.5.dfsg-9+deb8u30	fixed
	stretch (security)	1:9.10.3.dfsg.P4-12.3+deb9u12	fixed
	stretch (lts), stretch	1:9.10.3.dfsg.P4-12.3+deb9u15	fixed
	buster	1:9.11.5.P4+dfsg-5.1+deb10u7	fixed
	buster (security)	1:9.11.5.P4+dfsg-5.1+deb10u10	fixed
	bullseye	1:9.16.44-1~deb11u1	fixed
	bullseye (security)	1:9.16.48-1	fixed
	bookworm	1:9.18.19-1~deb12u1	fixed
	bookworm (security)	1:9.18.24-1	fixed
	sid, trixie	1:9.19.21-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
bind9	source	jessie	1:9.9.5.dfsg-9+deb8u20	ELA-270-1
bind9	source	stretch	1:9.10.3.dfsg.P4-12.3+deb9u7	DLA-2355-1
bind9	source	buster	1:9.11.5.P4+dfsg-5.1+deb10u2	DSA-4752-1
bind9	source	(unstable)	1:9.16.6-1

Notes

https://kb.isc.org/docs/cve-2020-8622
https://gitlab.isc.org/isc-projects/bind9/commit/0eec632d6a5a474280017ec949d8a8014612f3b3 (v9_16_6)
https://gitlab.isc.org/isc-projects/bind9/commit/6ed167ad0a647dff20c8cb08c944a7967df2d415 (v9_11_22)