INFSA-2025:21110: bind security update
Information about definition
Identifier: INFSA-2025:21110
Type: security
Release date: 2025-12-01 14:24:56 UTC
Information about package
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Vulnerabilities description
- CVE-2025-40778
A vulnerability exists in BIND’s DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. Under certain conditions, this flaw allows attackers to inject unsolicited or forged DNS records into the cache. This can be exploited to poison the resolver cache, redirecting clients to malicious domains or unauthorized servers.
- CVE-2025-40780
ISC BIND could allow a remote attacker to poison the DNS cache, caused by a weakness in the Pseudo Random Number Generator (PRNG). An attacker could exploit this vulnerability to predict the source port and query ID that BIND will use.
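A common resolver-side safeguard against the unsolicited records described under CVE-2025-40778 is a bailiwick and relevance check on every record in a response. The sketch below is an added example, not BIND code and not the fix shipped in this update; the function names, the simplified acceptance rules and the sample records are all assumptions made for illustration.

```python
# Added illustration: simplified bailiwick/relevance filter for DNS response
# records. Names, rules and sample data are constructed; this is not BIND code.
def norm(name):
    return name.rstrip(".").lower()

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (root zone matches all)."""
    name, zone = norm(name), norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)

def filter_response(qname, zone, records):
    """Split records (section, owner, rtype, rdata) into (accepted, rejected).
    zone is the zone the queried server was delegated; records are expected
    in message order: answer, then authority, then additional."""
    accepted, rejected = [], []
    wanted = {norm(qname)}   # owners the answer section may legitimately carry
    ns_targets = set()       # name servers named by accepted NS records
    for rec in records:
        section, owner, rtype, rdata = rec
        owner_n = norm(owner)
        ok = in_bailiwick(owner_n, zone)
        if not ok:
            pass                                   # outside the server's authority
        elif section == "answer":
            ok = owner_n in wanted                 # must answer what was asked
            if ok and rtype == "CNAME":
                wanted.add(norm(rdata))            # follow the alias chain
        elif section == "authority":
            ok = rtype in ("NS", "SOA") and in_bailiwick(qname, owner_n)
            if ok and rtype == "NS":
                ns_targets.add(norm(rdata))
        elif section == "additional":
            ok = rtype in ("A", "AAAA") and owner_n in ns_targets  # glue only
        else:
            ok = False
        (accepted if ok else rejected).append(rec)
    return accepted, rejected

# Constructed sample response to a query for www.example.com sent to example.com
SAMPLE = [
    ("answer", "www.example.com.", "A", "192.0.2.10"),
    ("answer", "login.example.com.", "A", "203.0.113.66"),    # never asked for
    ("authority", "example.com.", "NS", "ns1.example.com."),
    ("authority", "example.net.", "NS", "ns.other.test."),    # out of bailiwick
    ("additional", "ns1.example.com.", "A", "192.0.2.53"),
    ("additional", "bank.example.org.", "A", "203.0.113.66"), # out of bailiwick
]

if __name__ == "__main__":
    accepted, rejected = filter_response("www.example.com", "example.com", SAMPLE)
    for rec in rejected:
        print("rejected:", rec)
```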
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
| NIST — CVE-2025-40778 | no information | 8.6 | no information |
| NIST — CVE-2025-40780 | no information | 8.6 | no information |
Updated packages