On Tue, Jul 23, 2024 at 01:59:07PM +0000, Aram Sargsyan wrote: > On 23 July 2024 we (Internet Systems Consortium) disclosed four > vulnerabilities affecting our BIND 9 software: > > - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources > https://kb.isc.org/docs/cve-2024-1975
Note to anyone running 9.18 series (which means at least all Debian 12 installations) that the "fix" for this CVE in that branch is the complete removal of SIG(0) dynamic DNS update support. Not just a disabled-by-default config option, but the actual removal of the relevant code. The actual mitigation for the issue is only available in the 9.20 series. IMO this seems like a rather drastic way of doing things for a 0.0.1 patch release to a purportedly stable branch. Anyway reverting https://github.com/isc-projects/bind9/commit/bef3d2cca3552100bbe44790c8c1a4f5bef06798 restores SIG(0) support (along with the vulnerability) for those who prefer to live dangerously. -Valtteri
