bind-9.8.2-0.68.8.0.3.rc1.AXS4

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

*bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security
policy negotiation (CVE-2020-8625)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2020-8625
BIND servers are vulnerable if they are running an affected version and are
configured to use GSS-TSIG features. In a configuration which uses BIND's
default settings the vulnerable code path is not exposed, but a server can be
rendered vulnerable by explicitly setting valid values for the
tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the
default configuration is not vulnerable, GSS-TSIG is frequently used in networks
where BIND is integrated with Samba, as well as in mixed-server environments
that combine BIND servers with Active Directory domain controllers. The most
likely outcome of a successful exploitation of the vulnerability is a crash of
the named process. However, remote code execution, while unproven, is
theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and
versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND
Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND
9.17 development branch