BIND DNS Server Update 9.11.37, 9.16.27 and 9.18.1 fixes 4 vulnerabilities

BIND DNS Server 9.11.37, 9.16.27, and 9.18.1 Stable Branch Updates have been released to fix four vulnerabilities:

  • CVE-2021-25220 - Possibility of substituting incorrect NS records into the DNS server cache (cache poisoning), which can lead to queries being sent to incorrect DNS servers that return false information. The problem manifests itself in resolvers operating in the "forward first" (default) or "forward only" modes, provided that one of the forwarders is compromised (NS records received from the forwarder settle in the cache and can then redirect recursive queries to the wrong DNS server).
  • CVE-2022-0396 - Denial of service (connections hanging indefinitely in the CLOSE_WAIT state) triggered by sending specially crafted TCP packets. The problem occurs only when the keep-response-order setting, which is not used by default, is enabled, and also when the keep-response-order option is specified in the ACL.
  • CVE-2022-0635 - The named process could crash when certain requests are sent to the server. The problem manifests itself when the cache of validated DNSSEC queries (DNSSEC-Validated Cache) is in use, which is enabled by default in the 9.18 branch (the dnssec-validation and synth-from-dnssec settings).
  • CVE-2022-0667 - The named process may crash when processing pending DS requests. The issue appears only in the BIND 9.18 branch and is caused by a bug introduced while refactoring the client code to process requests recursively.
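As an added defender-side check that is not part of the original article or of BIND itself: a script that compares a `named -v` string against the fixed releases listed above and scans a named.conf for the settings the advisory ties to these CVEs. The config text and the 192.0.2.53 forwarder are constructed sample values, and the option matching is a simple regex pass rather than a full named.conf parser.

```python
import re

# Minimum patched release per stable branch, taken from the advisory above.
FIXED = {(9, 11): (9, 11, 37), (9, 16): (9, 16, 27), (9, 18): (9, 18, 1)}

# Constructed sample named.conf; the forwarder address is a documentation-range placeholder.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    forwarders { 192.0.2.53; };      // no explicit 'forward' keyword: "forward first" is the default
    keep-response-order { any; };    // non-default option the advisory ties to CVE-2022-0396
    dnssec-validation auto;
    synth-from-dnssec yes;
};
"""

def parse_version(text):
    """Pull the 9.x.y triple out of a 'named -v' style string such as 'BIND 9.16.26 (Stable Release)'."""
    m = re.search(r"\b9\.(\d+)\.(\d+)", text or "")
    return (9, int(m.group(1)), int(m.group(2))) if m else None

def is_patched(version_text):
    """True if at/above the fixed release of its branch, False if older, None for branches not listed."""
    v = parse_version(version_text)
    if v is None or v[:2] not in FIXED:
        return None
    return v >= FIXED[v[:2]]

def risky_options(conf, version_text=None):
    """Return findings for the named.conf settings the advisory names; a regex pass, not a full parser."""
    body = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # strip /* */ comments
    body = re.sub(r"//.*|#.*", "", body)                  # strip // and # comments
    findings = []
    if re.search(r"\bforward\s+(first|only)\s*;", body) or re.search(r"\bforwarders\s*\{", body):
        findings.append("forwarding in use: NS cache poisoning via a compromised forwarder (CVE-2021-25220)")
    if re.search(r"\bkeep-response-order\s*\{", body):
        findings.append("keep-response-order set: CLOSE_WAIT connection exhaustion (CVE-2022-0396)")
    explicit_yes = re.search(r"\bsynth-from-dnssec\s+yes\s*;", body)
    explicit_no = re.search(r"\bsynth-from-dnssec\s+no\s*;", body)
    v = parse_version(version_text)
    on_by_default = v is not None and v[:2] == (9, 18)   # advisory: enabled by default in 9.18
    if explicit_yes or (on_by_default and not explicit_no):
        findings.append("DNSSEC-validated cache active: named crash on crafted queries (CVE-2022-0635)")
    return findings

if __name__ == "__main__":
    print("patched:", is_patched("BIND 9.16.26 (Stable Release)"))
    for finding in risky_options(SAMPLE_CONF, "BIND 9.18.0"):
        print("-", finding)
```

CVE-2022-0667 has no configuration knob, so for the 9.18 branch the version check alone decides exposure.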

Source: opennet.ru
