From: Ondřej Surý
Date: Fri, 1 May 2026 06:37:56 +0000 (+0200)
Subject: [CVE-2026-3039] sec: usr: Fix GSS-API resource leak
X-Git-Tag: v9.21.22~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=01bdb7abeb3df74363c817aa67a480a20792a522;p=thirdparty%2Fbind9.git

[CVE-2026-3039] sec: usr: Fix GSS-API resource leak

Fixed a memory leak where each GSS-API TKEY negotiation leaked a
security context inside the GSS library. An unauthenticated attacker
could exhaust server memory by sending repeated TKEY queries to a
server with tkey-gssapi-keytab configured. The leaked memory was
allocated by the GSS library, bypassing BIND's memory accounting.

Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now
rejected, as BIND never supported it correctly and Kerberos/SPNEGO
completes in a single round.

Closes: https://gitlab.isc.org/isc-projects/bind9/-/issues/5752

Merge branch '5752-fix-memory-leak-in-TKEY-negotiation' into 'security-main'

See merge request isc-private/bind9!965
---

01bdb7abeb3df74363c817aa67a480a20792a522