Arch Linux 745 Published by

A bind security update has been released for Arch Linux.

ASA-202204-5: bind: multiple issues

Arch Linux Security Advisory ASA-202204-5

Severity: High
Date : 2022-04-04
CVE-ID : CVE-2021-25220 CVE-2022-0396 CVE-2022-0635 CVE-2022-0667
Package : bind
Type : multiple issues
Remote : Yes
Link :


The package bind before version 9.18.1-1 is vulnerable to multiple
issues including denial of service and content spoofing.


Upgrade to 9.18.1-1.

# pacman -Syu "bind>=9.18.1-1"

The problems have been fixed upstream in version 9.18.1.


- CVE-2021-25220

If applicable, modify your configuration to either remove all
forwarding or all possibility of recursion. Depending on your use-case,
it may be possible to use other zone types to replace forward zones.

- CVE-2022-0396

use the default setting of keep-response-order { none; }.

- CVE-2022-0635

The failure can be avoided by adding this option to named.conf:

synth-from-dnssec no;

However we do not recommend disabling this feature other than as a
temporary workaround because it provides protection from pseudo-random-
subdomain attacks against DNSSEC-signed zones.


- CVE-2021-25220 (content spoofing)

When using forwarders in BIND, bogus NS records supplied by, or via,
those forwarders may be cached and used by named if it needs to recurse
for any reason, causing it to obtain and pass on potentially incorrect
answers. The cache could become poisoned with incorrect records leading
to queries being made to the wrong servers, which might also result in
false information being returned to clients. Authoritative-only BIND 9
servers are not vulnerable to this flaw.

- CVE-2022-0396 (denial of service)

ISC recently discovered an issue in BIND that allows TCP connection
slots to be consumed for an indefinite time frame via a specifically
crafted TCP stream sent from a client. This issue is present in BIND
9.16.11 to 9.16.26 (including S editions), and 9.18.0.

This issue can only be triggered on BIND servers which have keep-
response-order enabled, which is not the default configuration. The
keep-response-order option is an ACL block; any hosts which are
specified within it will be able to trigger this issue on affected
versions. Specifically crafted TCP streams can cause connections to
BIND to remain in CLOSE_WAIT status for an indefinite period of time,
even after the client has terminated the connection.

- CVE-2022-0635 (denial of service)

BIND 9.18.0 stable release refactored the RFC 8198 Aggressive Use of
DNSSEC-Validated Cache feature (synth-from-dnssec) and changed the
default so that is now automatically enabled for dnssec-validating
resolvers. Subsequently it was found that repeated patterns of specific
queries to servers with this feature enabled could cause an INSIST
failure in query.c:query_dname which causes named to terminate

The vulnerability affects BIND resolvers running 9.18.0 that have both
dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-
validation auto; is the default setting unless configured otherwise in
named.conf and that enabling dnssec-validation automatically enables
synth-from-dnssec unless explicitly disabled) When a vulnerable version
of named receives a series of specific queries, the named process will
eventually terminate due to a failed assertion check.

- CVE-2022-0667 (denial of service)

In BIND 9.18.0 the recursive client code was refactored that introduced
a "backstop lifetime timer". While BIND is processing a request for a
DS record that needs to be forwarded, it waits until this processing is
complete or until the backstop lifetime timer has timed out. When the
resume_dslookup() function is called as a result of such a timeout, the
function does not test whether the fetch has previously been shut down.
This introduces the possibility of triggering an assertion failure,
which could cause the BIND process to terminate.


A remote attacker is able to crash the application or force TCP
connections to BIND to remain in CLOSE_WAIT status leading to denial of
service on the affected host. Furthermore the cache could become
poisoned leading to queries being made to the wrong servers, which
might also result in false information being returned to clients.