As per upstream advisory: GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network. SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.
Acknowledgments: Name: ISC Upstream: Trend Micro Zero Day Initiative
Statement: Versions of bind package shipped with Red Hat Enterprise Linux do not enable ISC SPNEGO and therefore are not affected by this flaw.
Mitigation: This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.
External References: https://kb.isc.org/docs/cve-2021-25216
Created bind tracking bugs for this issue: Affects: fedora-all [bug 1954904]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25216