[Bugs] [Bug 13497] New: [CVE 21] bind 9.16.24 CVEs found
bugzilla
bugzilla на rosalinux.ru
Ср Авг 23 23:17:54 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13497
Platform: 2021.1
Bug ID: 13497
Summary: [CVE 21] bind 9.16.24 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2019-6470, CVE-2019-6471, CVE-2019-6475,
CVE-2019-6476, CVE-2019-6477, CVE-2022-0396,
CVE-2022-3080, CVE-2022-3094, CVE-2022-3736,
CVE-2022-3924, CVE-2023-2828, CVE-2023-2829,
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs на lists.rosalinux.ru
Reporter: y.tumanov на rosalinux.ru
QA Contact: bugs на lists.rosalinux.ru
CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
y.tumanov на rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package bind version 9.16.24
INFO (CVEs are): bind 9.16.24
cves found
CVE-2019-6470
Desc: There had existed in one of the ISC BIND libraries a bug in a function
that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in
dhcpd relating to the use of this function per its documentation, but the bug
in the library function prevented this from causing any harm. All releases of
dhcpd from ISC contain copies of this, and other, BIND libraries in
combinations that have been tested prior to release and are known to not
present issues like this. Some third-party packagers of ISC software have
modified the dhcpd source, BIND source, or version matchup in ways that create
the crash potential. Based on reports available to ISC, the crash probability
is large and no analysis has been done on how, or even if, the probability can
be manipulated by an attacker. Affects: Builds of dhcpd versions prior to
version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with
specific bug fixes backported to them. ISC does not have access to
comprehensive version lists for all repackagings of dhcpd that are vulnerable.
In particular, builds from other vendors may also be affected. Operators are
advised to consult their vendor documentation.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6470
Severity: HIGH
CVE-2019-6471
Desc: A race condition which may occur when discarding malformed packets can
result in BIND exiting due to a REQUIRE assertion failure in dispatch.c.
Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 ->
9.14.2. Also all releases of the BIND 9.13 development branch and version
9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition
versions 9.11.3-S1 -> 9.11.7-S1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6471
Severity: MEDIUM
CVE-2019-6475
Desc: Mirror zones are a BIND feature allowing recursive servers to pre-cache
zone data provided by other servers. A mirror zone is similar to a zone of type
secondary, except that its data is subject to DNSSEC validation before being
used in answers, as if it had been looked up via traditional recursion, and
when mirror zone data cannot be validated, BIND falls back to using traditional
recursion instead of the mirror zone. However, an error in the validity checks
for the incoming zone data can allow an on-path attacker to replace zone data
that was validated with a configured trust anchor with forged data of the
attacker's choosing. The mirror zone feature is most often used to serve a
local copy of the root zone. If an attacker was able to insert themselves into
the network path between a recursive server using a mirror zone and a root name
server, this vulnerability could then be used to cause the recursive server to
accept a copy of falsified root zone data. This affects BIND versions 9.14.0 up
to 9.14.6, and 9.15.0 up to 9.15.4.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6475
Severity: HIGH
CVE-2019-6476
Desc: A defect in code added to support QNAME minimization can cause named to
exit with an assertion failure if a forwarder returns a referral rather than
resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0
up to 9.15.4.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6476
Severity: HIGH
CVE-2019-6477
Desc: With pipelining enabled each incoming query on a TCP connection requires
a similar resource allocation to a query received via UDP or via TCP without
pipelining enabled. A client using a TCP-pipelined connection to a server could
consume more resources than the server has been provisioned to handle. When a
TCP connection with a large number of pipelined queries is closed, the load on
the server releasing these multiple resources can cause it to become
unresponsive, even for queries that can be answered authoritatively or from
cache. (This is most likely to be perceived as an intermittent server problem).
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6477
Severity: HIGH
CVE-2022-0396
Desc: BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 ->
9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP
streams can cause connections to BIND to remain in CLOSE_WAIT status for an
indefinite period of time, even after the client has terminated the connection.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-0396
Severity: MEDIUM
CVE-2022-3080
Desc: By sending specific queries to the resolver, an attacker can cause named
to crash.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3080
Severity: HIGH
CVE-2022-3094
Desc: Sending a flood of dynamic DNS updates may cause `named` to allocate
large amounts of memory. This, in turn, may cause `named` to exit due to a lack
of free memory. We are not aware of any cases where this has been exploited.
Memory is allocated prior to the checking of access permissions (ACLs) and is
retained during the processing of a dynamic update from a client whose access
credentials are accepted. Memory allocated to clients that are not permitted to
send updates is released immediately upon rejection. The scope of this
vulnerability is limited therefore to trusted clients who are permitted to make
dynamic zone changes. If a dynamic update is REFUSED, memory will be released
again very quickly. Therefore it is only likely to be possible to degrade or
stop `named` by sending a flood of unaccepted dynamic updates comparable in
magnitude to a query flood intended to achieve the same detrimental outcome.
BIND 9.11 and earlier branches are also affected, but through exhaustion of
internal resources rather than memory constraints. This may reduce performance
but should not be a significant problem for most servers. Therefore we don't
intend to address this for BIND versions prior to BIND 9.16. This issue affects
BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through
9.19.8, and 9.16.8-S1 through 9.16.36-S1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3094
Severity: HIGH
CVE-2022-3736
Desc: BIND 9 resolver can crash when stale cache and stale answers are enabled,
option `stale-answer-client-timeout` is set to a positive integer, and the
resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12
through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1
through 9.16.36-S1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3736
Severity: HIGH
CVE-2022-3924
Desc: This issue can affect BIND 9 resolvers with `stale-answer-enable yes;`
that also make use of the option `stale-answer-client-timeout`, configured with
a value greater than zero. If the resolver receives many queries that require
recursion, there will be a corresponding increase in the number of clients that
are waiting for recursion to complete. If there are sufficient clients already
waiting when a new client query is received so that it is necessary to SERVFAIL
the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft
quota), then it is possible for a race to occur between providing a stale
answer to this older client and sending an early timeout SERVFAIL, which may
cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through
9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through
9.16.36-S1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3924
Severity: HIGH
CVE-2023-2828
Desc: Every `named` instance configured to run as a recursive resolver
maintains a cache database holding the responses to the queries it has recently
sent to authoritative servers. The size limit for that cache database can be
configured using the `max-cache-size` statement in the configuration file; it
defaults to 90% of the total amount of memory available on the host. When the
size of the cache reaches 7/8 of the configured limit, a cache-cleaning
algorithm starts to remove expired and/or least-recently used RRsets from the
cache, to keep memory use below the configured limit.
It has been discovered that the effectiveness of the cache-cleaning algorithm
used in `named` can be severely diminished by querying the resolver for
specific RRsets in a certain order, effectively allowing the configured
`max-cache-size` limit to be significantly exceeded.
This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through
9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1
through 9.18.15-S1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2828
Severity: HIGH
CVE-2023-2829
Desc: A `named` instance configured to run as a DNSSEC-validating recursive
resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option
(`synth-from-dnssec`) enabled can be remotely terminated using a zone with a
malformed NSEC record.
This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1
through 9.18.15-S1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2829
Severity: HIGH
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/cfac6a8a/attachment-0001.html>
Подробная информация о списке рассылки Bugs