As per upstream advisory: Change 4885 inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain. An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone.
Acknowledgments: Name: ISC Upstream: Joop Boonen (credativ GmbH)
Created attachment 1711688 [details] Patch against 9.11.22
External References: https://kb.isc.org/docs/cve-2020-8624
Created bind tracking bugs for this issue: Affects: fedora-all [bug 1870906]
Upstream commit: https://gitlab.isc.org/isc-projects/bind9/-/commit/e4cccf9668c7adee4724a7649ec64685f82c8677
This error was introduced by upstream change 8f1ed05dc0a[1], which is contained only in 9.11 branch. Previous release 9.9.4 already has correct difference between "zonesub" and "subdomain" types. This is kind of regression noted much later. 1. https://gitlab.isc.org/isc-projects/bind9/commit/8f1ed05dc0aae7ae6c3da6ec6d405df61257a61e
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4500 https://access.redhat.com/errata/RHSA-2020:4500
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8624
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5011 https://access.redhat.com/errata/RHSA-2020:5011
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:5203 https://access.redhat.com/errata/RHSA-2020:5203