Bug 1869480 (CVE-2020-8624)
| Field | Value |
|---|---|
| Summary | CVE-2020-8624 bind: incorrect enforcement of update-policy rules of type "subdomain" |
| Product | [Other] Security Response |
| Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | aegorenk, anon.amish, mruprich, msehnout, pemensik, pzhukov, security-response-team, thozza, vonsch, yozone, zdohnal |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | bind 9.11.22, bind 9.16.6, bind 9.17.4 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in bind. update-policy rules of type "subdomain" are enforced as if they were of type "zonesub", which allows updates to all parts of the zone rather than only the intended subdomain. The highest threat from this vulnerability is to data integrity. |
| Last Closed | 2020-11-04 02:26:30 UTC |
| Bug Depends On | 1869501, 1869502, 1870906, 1874953, 1874955, 1874958, 1874961 |
| Bug Blocks | 1869469 |
Description
Huzaifa S. Sidhpurwala, 2020-08-18 05:10:33 UTC

Acknowledgments:
Name: ISC
Upstream: Joop Boonen (credativ GmbH)

Created attachment 1711688: Patch against 9.11.22

External References: https://kb.isc.org/docs/cve-2020-8624

Created bind tracking bugs for this issue:
Affects: fedora-all [bug 1870906]

Upstream commit: https://gitlab.isc.org/isc-projects/bind9/-/commit/e4cccf9668c7adee4724a7649ec64685f82c8677

This error was introduced by upstream change 8f1ed05dc0a [1], which is contained only in the 9.11 branch. The previous release 9.9.4 already had the correct distinction between the "zonesub" and "subdomain" types. This is a kind of regression, noted much later.

1. https://gitlab.isc.org/isc-projects/bind9/commit/8f1ed05dc0aae7ae6c3da6ec6d405df61257a61e

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4500 https://access.redhat.com/errata/RHSA-2020:4500

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8624

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:5011 https://access.redhat.com/errata/RHSA-2020:5011

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.7 Extended Update Support
Via RHSA-2020:5203 https://access.redhat.com/errata/RHSA-2020:5203
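To make the difference between the two rule types concrete, here is an added toy model (not BIND's code, and not from this bug report) of which names a "subdomain" and a "zonesub" update-policy rule permit, with a `regressed` switch reproducing the behaviour the Doc Text describes for the affected releases. The key name, zone and hostnames are constructed; the model ignores the identity and record-type parts of a rule and does not support wildcard names.

```python
# Toy model of which *names* a BIND update-policy rule permits, for the two
# rule types in CVE-2020-8624.  Added illustration, not BIND code: it ignores
# the identity (key) and record-type parts of a rule.
from dataclasses import dataclass

def labels(name: str) -> list[str]:
    """DNS labels of `name`, lower-cased, root dot ignored."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def is_subdomain_or_equal(name: str, parent: str) -> bool:
    """True when `name` equals `parent` or lies below it in the DNS tree."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p

@dataclass(frozen=True)
class Rule:
    ruletype: str   # "subdomain" or "zonesub"
    name: str = ""  # the rule's name argument; only used by "subdomain"

def name_allowed(rule: Rule, zone: str, target: str, regressed: bool = False) -> bool:
    """Does `rule`, placed in `zone`, permit an update to `target`?
    regressed=True models the affected releases as the page describes them:
    a "subdomain" rule enforced as "zonesub", i.e. bounded only by the zone."""
    if rule.ruletype == "zonesub" or (rule.ruletype == "subdomain" and regressed):
        return is_subdomain_or_equal(target, zone)
    if rule.ruletype == "subdomain":
        return is_subdomain_or_equal(target, rule.name)
    raise ValueError(f"unsupported rule type {rule.ruletype!r}")

def parse_grant(line: str) -> Rule:
    """Parse `grant <identity> <ruletype> [<name>] [<types>];` into a Rule."""
    parts = line.strip().rstrip(";").split()
    if len(parts) >= 3 and parts[0] == "grant" and parts[2] == "zonesub":
        return Rule("zonesub")
    if len(parts) >= 4 and parts[0] == "grant" and parts[2] == "subdomain":
        return Rule("subdomain", parts[3])
    raise ValueError(f"cannot parse: {line!r}")

if __name__ == "__main__":
    # Constructed example: a DHCP key that should only touch dyn.example.com.
    zone = "example.com."
    rule = parse_grant("grant dhcp-key subdomain dyn.example.com. A AAAA;")
    for target in ("host1.dyn.example.com.", "www.example.com."):
        print(f"{target}: correct={name_allowed(rule, zone, target)} "
              f"regressed={name_allowed(rule, zone, target, regressed=True)}")
```

Running it shows that under correct enforcement the key cannot update `www.example.com.`, while the regressed semantics accept any name under the zone apex, which is the integrity risk the advisory records.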