From distros mailing list

msg-18093-2.txt

To the packagers and redistributors of BIND 9:

ISC would like to make you aware of an upcoming security disclosure,
scheduled for Wednesday May 18, 2022, covering one high-severity
BIND vulnerability.  Please consider this information confidential
and under embargo until ISC publicly announces the vulnerability
on the disclosure date.

CVE-2022-1183 affects only two branches of BIND, but all publicly 
released versions of BIND from these two branches are vulnerable:

   - BIND 9.18 branch - Current-Stable
   - BIND 9.19 branch - Development/Experimental

No released versions in the 9.16 branch (Current-Stable, ESV) are affected

Although updated packages should not be released until ISC discloses
this vulnerability on the 18th, early access is being provided to
the May maintenance releases of BIND so that packagers can have
updated offerings available quickly after public disclosure.

Maintainers who prefer to selectively choose which fixes to apply can
find a vulnerability-specific patch diff in the "patches" subdirectory
of the release directories listed below (for the affected open-source
production branches of BIND 9)

New releases of BIND that correct the vulnerabilities AND include
other fixes and feature changes added for the May maintenance
releases are available via:

   production branches:

   -  The BIND 9.16 branch is not affected by CVE-2022-1183 and does
      not require early access to a replacement release at this time,
      though a normal maintenance release (BIND 9.16.29) containing other
      bug fixes will be available on the 18th at the time of public
      disclosure.

   -  9.18.3: 
https://downloads.isc.org/isc/bind9/private/7d2287d2def927f9

   development branch:

   -  9.19.1: 
https://downloads.isc.org/isc/bind9/private/04a7daf5b21846fd


Cathy Almond
(for ISC Security Officer)

-----

CVE-2022-1183: Destroying a TLS session early causes assertion failure

CVE: CVE-2022-1183

Document version: 1.0

Posting date: 18 May 2022

Program impacted: BIND

Versions affected: BIND 9.18.0 -> 9.18.2 and 9.19.0 of the BIND 9.19
development branch

Severity: High

Exploitable: Remotely

Description:

   An assertion failure can be triggered if a TLS connection to a
   configured http TLS listener with a defined endpoint is destroyed too
   early.

Impact:

   On vulnerable configurations, the named daemon may, in some
   circumstances, terminate with an assertion failure. Vulnerable
   configurations are those that include a reference to `http` within
   the `listen-on` statements in their `named.conf`. TLS is used by both
   DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using
   DoT alone are unaffected.

CVSS Score: 7.0

CVSS Vector: CVSS v3.1 Vector: 
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C&version=3.1.

Workarounds:

   No workarounds known.

Active exploits:

   We are not aware of any active exploits.

Solution:

   Upgrade to the patched release most closely related to your current
   version of BIND:

BIND 9.18.3 (Current Stable)
BIND 9.19.1 (Development)

Acknowledgments: ISC would like to thank Thomas Amgarten from arcade
solutions ag for for discovering and reporting this issue.

Document revision history:

1.0 Early Notification, 11 May 2022

Related documents:

See our BIND 9 Security Vulnerability Matrix for a complete listing of
security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory should
go to security-officer@isc.org. To report a new issue, please encrypt
your message using security-officer@isc.org's PGP key which can be
found here: https://www.isc.org/pgpkey/. If you are unable to use
encrypted email, you may also report new issues at:
https://www.isc.org/reportbug/.

Note:

ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see:
https://www.isc.org/download/ )

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be
found in the ISC Software Defect and Security Vulnerability Disclosure
Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2022-1183 is the
complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied warranty
of merchantability, fitness for a particular purpose, absence of
hidden defects, or of non-infringement. Your use or reliance on this
notice or materials referred to in this notice is at your own risk.
ISC may change this notice at any time. A stand-alone copy or
paraphrase of the text of this document that omits the document URL is
an uncontrolled copy. Uncontrolled copies may lack important
information, be out of date, or contain factual errors.