CVE-2020-8616

Name: CVE-2020-8616

Description: A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects:
  1. The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches.
  2. The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

References: DLA-2227-1, DSA-4689-1

NVD severity: medium

Debian Bugs: 961939

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version                            Status
bind9 (PTS)      jessie               1:9.9.5.dfsg-9+deb8u15             vulnerable
                 jessie (security)    1:9.9.5.dfsg-9+deb8u19             fixed
                 stretch              1:9.10.3.dfsg.P4-12.3+deb9u5       vulnerable
                 stretch (security)   1:9.10.3.dfsg.P4-12.3+deb9u6       fixed
                 buster               1:9.11.5.P4+dfsg-5.1               vulnerable
                 buster (security)    1:9.11.5.P4+dfsg-5.1+deb10u1       fixed
                 bullseye, sid        1:9.16.3-1                         fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version                      Urgency   Origin       Debian Bugs
bind9     source   (unstable)   1:9.16.3-1                         -         -            961939
bind9     source   buster       1:9.11.5.P4+dfsg-5.1+deb10u1       -         DSA-4689-1   -
bind9     source   jessie       1:9.9.5.dfsg-9+deb8u19             -         DLA-2227-1   -
bind9     source   stretch      1:9.10.3.dfsg.P4-12.3+deb9u6       -         DSA-4689-1   -

Notes

https://kb.isc.org/docs/cve-2020-8616
