Skip to content

GitLab

Projects Groups Snippets

/

Help
Register
Sign in

BIND
Project information
- Project information
- Activity
- Labels
- Members
Repository
- Repository
- Files
- Commits
- Branches
- Tags
- Contributors
- Graph
- Compare
Issues 603
- Issues 603
- List
- Boards
- Service Desk
- Milestones
Merge requests 87
- Merge requests 87
CI/CD
- CI/CD
- Pipelines
- Jobs
- Schedules
Deployments
- Deployments
- Environments
- Releases
Packages and registries
- Packages and registries
- Container Registry
Monitor
- Monitor
- Incidents
Analytics
- Analytics
- Value stream
- CI/CD
- Repository
Wiki
- Wiki
Snippets
- Snippets
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards

Collapse sidebar

ISC Open Source Projects
BIND
Issues
#3158

Closed

Open

Issue created Feb 16, 2022 by Michal Nowak @mnowakMaintainer15 of 15 checklist items completed15/15 checklist items

[CVE-2022-0635] DNAME lookups can trigger INSIST when synth-from-dnssec is enabled

Lookups involving a DNAME could trigger an INSIST when synth-from-dnssec is enabled.

https://wiki.isc.org/bin/view/Main/SecurityIncident202202DNAMELookupsINSISTWhenSynthFromDnssecEnabled

CVE-specific actions

Assign a CVE identifier
Determine CVSS score
Determine the range of BIND versions affected (including the Subscription Edition)
- 9.18.0
Determine whether workarounds for the problem exists
- Issue can be mitigated by setting synth-from-dnssec no;.
Create a draft of the security advisory and put the information above in there
- https://mattermost.isc.org/isc/channels/cve-2022-0635-dname-insist-with-synth-from-dnssec-enabled/1ksboiszftncxkpfjpeiafm19o
Prepare a detailed description of the problem which should include the following by default:
- instructions for reproducing the problem (a system test is good enough)
  - synthfromdnssec system test in isc-private/bind9!370
- explanation of code flow which triggers the problem (a system test is not good enough)
  - #3158 (comment 267910)
Prepare a private merge request containing the following items in separate commits:
- a test for the issue (may be moved to a separate merge request for deferred merging)
  - isc-private/bind9!370
- a fix for the issue
  - isc-private/bind9!390
- documentation updates (CHANGES, release notes, anything else applicable)
  - isc-private/bind9!390
Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- https://gitlab.isc.org/isc-private/bind9/-/merge_requests/368#note_268053
Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- v9.18 isc-private/bind9!391 & isc-private/bind9!372
Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
- patch for BIND 9.18.0 release derived from isc-private/bind9!391 diff and stripped of documentation changes: 391.diff

Release-specific actions

Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order

Post-disclosure actions

Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches

Edited Apr 05, 2022 by Michal Nowak

Assignee

Assign to

Time tracking