[Bugs] [Bug 13217] New: bind 9.16.24 cve-s found
bugzilla
bugzilla at rosalinux.ru
Sun Apr 16 21:13:38 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13217
Platform: 2021.1
Bug ID: 13217
Summary: bind 9.16.24 cve-s found
Classification: ROSA-based products
Product: Certified ROSA distros
Version: Chrome
Hardware: All
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
Target Milestone: ---
Group: ROSA-plus-NTCIT
CVE-2019-6470 There had existed in one of the ISC BIND libraries a bug in a
function that was used by dhcpd when operating in DHCPv6 mode. There was also a
bug in dhcpd relating to the use of this function per its documentation, but
the bug in the library function prevented this from causing any harm. All
releases of dhcpd from ISC contain copies of this, and other, BIND libraries in
combinations that have been tested prior to release and are known to not
present issues like this. Some third-party packagers of ISC software have
modified the dhcpd source, BIND source, or version matchup in ways that create
the crash potential. Based on reports available to ISC, the crash probability
is large and no analysis has been done on how, or even if, the probability can
be manipulated by an attacker. Affects: Builds of dhcpd versions prior to
version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with
specific bug fixes backported to them. ISC does not have access to
comprehensive version lists for all repackagings of dhcpd that are vulnerable.
In particular, builds from other vendors may also be affected. Operators are
advised to consult their vendor documentation.
https://nvd.nist.gov/vuln/detail/CVE-2019-6470 HIGH
CVE-2019-6471 A race condition which may occur when discarding malformed
packets can result in BIND exiting due to a REQUIRE assertion failure in
dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1,
9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and
version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview
Edition versions 9.11.3-S1 -> 9.11.7-S1.
https://nvd.nist.gov/vuln/detail/CVE-2019-6471 MEDIUM
CVE-2019-6475 Mirror zones are a BIND feature allowing recursive servers to
pre-cache zone data provided by other servers. A mirror zone is similar to a
zone of type secondary, except that its data is subject to DNSSEC validation
before being used in answers, as if it had been looked up via traditional
recursion, and when mirror zone data cannot be validated, BIND falls back to
using traditional recursion instead of the mirror zone. However, an error in
the validity checks for the incoming zone data can allow an on-path attacker to
replace zone data that was validated with a configured trust anchor with forged
data of the attacker's choosing. The mirror zone feature is most often used to
serve a local copy of the root zone. If an attacker was able to insert
themselves into the network path between a recursive server using a mirror zone
and a root name server, this vulnerability could then be used to cause the
recursive server to accept a copy of falsified root zone data. This affects
BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.
https://nvd.nist.gov/vuln/detail/CVE-2019-6475 HIGH
CVE-2019-6476 A defect in code added to support QNAME minimization can cause
named to exit with an assertion failure if a forwarder returns a referral
rather than resolving the query. This affects BIND versions 9.14.0 up to
9.14.6, and 9.15.0 up to 9.15.4.
https://nvd.nist.gov/vuln/detail/CVE-2019-6476 HIGH
CVE-2019-6477 With pipelining enabled each incoming query on a TCP connection
requires a similar resource allocation to a query received via UDP or via TCP
without pipelining enabled. A client using a TCP-pipelined connection to a
server could consume more resources than the server has been provisioned to
handle. When a TCP connection with a large number of pipelined queries is
closed, the load on the server releasing these multiple resources can cause it
to become unresponsive, even for queries that can be answered authoritatively
or from cache. (This is most likely to be perceived as an intermittent server
problem.)
https://nvd.nist.gov/vuln/detail/CVE-2019-6477 HIGH
CVE-2022-0396 BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions
9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically
crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT
status for an indefinite period of time, even after the client has terminated
the connection.
https://nvd.nist.gov/vuln/detail/CVE-2022-0396 MEDIUM
CVE-2022-2795 By flooding the target resolver with queries exploiting this
flaw an attacker can significantly impair the resolver's performance,
effectively denying legitimate clients access to the DNS resolution service.
https://nvd.nist.gov/vuln/detail/CVE-2022-2795 HIGH
CVE-2022-3080 By sending specific queries to the resolver, an attacker can
cause named to crash.
https://nvd.nist.gov/vuln/detail/CVE-2022-3080 HIGH
CVE-2022-3094 Sending a flood of dynamic DNS updates may cause `named` to
allocate large amounts of memory. This, in turn, may cause `named` to exit due
to a lack of free memory. We are not aware of any cases where this has been
exploited. Memory is allocated prior to the checking of access permissions
(ACLs) and is retained during the processing of a dynamic update from a client
whose access credentials are accepted. Memory allocated to clients that are not
permitted to send updates is released immediately upon rejection. The scope of
this vulnerability is limited therefore to trusted clients who are permitted to
make dynamic zone changes. If a dynamic update is REFUSED, memory will be
released again very quickly. Therefore it is only likely to be possible to
degrade or stop `named` by sending a flood of unaccepted dynamic updates
comparable in magnitude to a query flood intended to achieve the same
detrimental outcome. BIND 9.11 and earlier branches are also affected, but
through exhaustion of internal resources rather than memory constraints. This
may reduce performance but should not be a significant problem for most
servers. Therefore we don't intend to address this for BIND versions prior to
BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0
through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.
https://nvd.nist.gov/vuln/detail/CVE-2022-3094 HIGH
CVE-2022-3736 BIND 9 resolver can crash when stale cache and stale answers
are enabled, option `stale-answer-client-timeout` is set to a positive integer,
and the resolver receives an RRSIG query. This issue affects BIND 9 versions
9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and
9.16.12-S1 through 9.16.36-S1.
https://nvd.nist.gov/vuln/detail/CVE-2022-3736 HIGH
CVE-2022-38177 By spoofing the target resolver with responses that have a
malformed ECDSA signature, an attacker can trigger a small memory leak. It is
possible to gradually erode available memory to the point where named crashes
for lack of resources.
https://nvd.nist.gov/vuln/detail/CVE-2022-38177 HIGH
CVE-2022-38178 By spoofing the target resolver with responses that have a
malformed EdDSA signature, an attacker can trigger a small memory leak. It is
possible to gradually erode available memory to the point where named crashes
for lack of resources.
https://nvd.nist.gov/vuln/detail/CVE-2022-38178 HIGH
CVE-2022-3924 This issue can affect BIND 9 resolvers with
`stale-answer-enable yes;` that also make use of the option
`stale-answer-client-timeout`, configured with a value greater than zero. If
the resolver receives many queries that require recursion, there will be a
corresponding increase in the number of clients that are waiting for recursion
to complete. If there are sufficient clients already waiting when a new client
query is received so that it is necessary to SERVFAIL the longest waiting
client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is
possible for a race to occur between providing a stale answer to this older
client and sending an early timeout SERVFAIL, which may cause an assertion
failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0
through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
https://nvd.nist.gov/vuln/detail/CVE-2022-3924 HIGH
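An added triage check, not part of this bug report: it encodes the affected version ranges exactly as the advisory texts above state them and reports which of those CVEs cover a given BIND version string as printed by `named -v` (plain, `-P<n>` patch and `-S<n>` Preview Edition builds). CVEs whose text above gives no version range are left out, and the `9.13.99` upper bound is an assumed stand-in for "all releases of the BIND 9.13 development branch".

```python
import re
from typing import NamedTuple
class Ver(NamedTuple):
    major: int
    minor: int
    patch: int
    p: int     # -P<n> patch-release number, 0 when absent
    s: bool    # True for "-S<n>" Supported Preview Edition builds

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(?:-S(\d+))?$")

def parse_ver(text: str) -> Ver:
    """Parse '9.16.24', '9.12.4-P1' or '9.11.3-S1' into a comparable tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, p, s = m.groups()
    return Ver(int(major), int(minor), int(patch), int(p or 0), s is not None)

def in_range(v: Ver, lo: str, hi: str) -> bool:
    """Inclusive range test; Preview (-S) builds only match -S ranges."""
    lo_v, hi_v = parse_ver(lo), parse_ver(hi)
    if v.s != lo_v.s:
        return False
    return lo_v[:4] <= v[:4] <= hi_v[:4]   # compare (major, minor, patch, p)

# Inclusive ranges exactly as the advisory texts in the report state them.
# CVEs whose text gives no version range are deliberately left out.
# "9.13.99" is an assumed stand-in for "all releases of the 9.13 branch".
AFFECTED = {
    "CVE-2019-6471": [("9.11.0", "9.11.7"), ("9.12.0", "9.12.4-P1"),
                      ("9.13.0", "9.13.99"), ("9.14.0", "9.14.2"),
                      ("9.15.0", "9.15.0"), ("9.11.3-S1", "9.11.7-S1")],
    "CVE-2019-6475": [("9.14.0", "9.14.6"), ("9.15.0", "9.15.4")],
    "CVE-2019-6476": [("9.14.0", "9.14.6"), ("9.15.0", "9.15.4")],
    "CVE-2022-0396": [("9.16.11", "9.16.26"), ("9.17.0", "9.18.0"),
                      ("9.16.11-S1", "9.16.26-S1")],
    "CVE-2022-3094": [("9.16.0", "9.16.36"), ("9.18.0", "9.18.10"),
                      ("9.19.0", "9.19.8"), ("9.16.8-S1", "9.16.36-S1")],
    "CVE-2022-3736": [("9.16.12", "9.16.36"), ("9.18.0", "9.18.10"),
                      ("9.19.0", "9.19.8"), ("9.16.12-S1", "9.16.36-S1")],
    "CVE-2022-3924": [("9.16.12", "9.16.36"), ("9.18.0", "9.18.10"),
                      ("9.19.0", "9.19.8"), ("9.16.12-S1", "9.16.36-S1")],
}

def applicable_cves(version: str) -> list:
    """CVEs from the report whose stated ranges include this BIND version."""
    v = parse_ver(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(v, lo, hi) for lo, hi in ranges))
```

For the 9.16.24 build named in the summary, only the four 2022 CVEs with stated 9.16 ranges match; the 2019 entries' stated ranges stop before 9.16.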
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.