Skip to content

GitLab

Explore

Sign in
Register

[CVE-2022-0635] DNAME lookups can trigger INSIST when synth-from-dnssec is enabled

Lookups involving a DNAME could trigger an INSIST when synth-from-dnssec is enabled.

https://wiki.isc.org/bin/view/Main/SecurityIncident202202DNAMELookupsINSISTWhenSynthFromDnssecEnabled

CVE-specific actions

Assign a CVE identifier
Determine CVSS score
Determine the range of BIND versions affected (including the Subscription Edition)
- 9.18.0
Determine whether workarounds for the problem exists
- Issue can be mitigated by setting synth-from-dnssec no;.
Create a draft of the security advisory and put the information above in there
- https://mattermost.isc.org/isc/channels/cve-2022-0635-dname-insist-with-synth-from-dnssec-enabled/1ksboiszftncxkpfjpeiafm19o
Prepare a detailed description of the problem which should include the following by default:
- instructions for reproducing the problem (a system test is good enough)
  - synthfromdnssec system test in isc-private/bind9!370
- explanation of code flow which triggers the problem (a system test is not good enough)
  - #3158 (comment 267910)
Prepare a private merge request containing the following items in separate commits:
- a test for the issue (may be moved to a separate merge request for deferred merging)
  - isc-private/bind9!370
- a fix for the issue
  - isc-private/bind9!390
- documentation updates (CHANGES, release notes, anything else applicable)
  - isc-private/bind9!390
Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- https://gitlab.isc.org/isc-private/bind9/-/merge_requests/368#note_268053
Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- v9.18 isc-private/bind9!391 & isc-private/bind9!372
Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
- patch for BIND 9.18.0 release derived from isc-private/bind9!391 diff and stripped of documentation changes: 391.diff

Release-specific actions

Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order

Post-disclosure actions

Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches

Edited Apr 05, 2022 by Michal Nowak

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Assignee

Time tracking