bind-9.8.2-0.68.7.0.1.rc1.AXS4

Errata ID: AXSA:2020-134:05

Release date: 
Thursday, June 11, 2020 - 11:52
Subject: 
bind-9.8.2-0.68.7.0.1.rc1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: BIND does not sufficiently limit the number of fetches performed when processing referrals (CVE-2020-8616)

* bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c (CVE-2020-8617)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-8616
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects:

* The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches.
* The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.

CVE-2020-8617
Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

Solution: 

Update packages.
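
To confirm that a host has actually picked up the update, the following added example (not part of the original advisory) compares installed bind package builds against the fixed version-release named here, using an rpm-style segment comparison. It assumes all packages share the same epoch and that no `~` or `^` appears in the strings; the function names and the sample package list are constructed for illustration.

```python
import re

# Fixed version-release published in this advisory.
FIXED = "9.8.2-0.68.7.0.1.rc1.AXS4"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Segment comparison in the style of rpm's rpmvercmp ('~' and '^' not handled)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)             # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    # Shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(installed, fixed=FIXED):
    """True when 'version-release' is at or above the fixed build (epoch assumed equal)."""
    iv, _, ir = installed.rpartition("-")
    fv, _, fr = fixed.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def unpatched(query_output):
    """Names of packages in '<name> <version>-<release>' lines that are older than FIXED."""
    stale = []
    for line in query_output.splitlines():
        parts = line.split()
        if len(parts) != 2:       # skip blanks and "package X is not installed" lines
            continue
        name, vr = parts
        if not is_fixed(vr):
            stale.append(name)
    return stale

# Constructed sample, in the shape printed by:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' bind bind-libs bind-utils
SAMPLE = """\
bind 9.8.2-0.68.7.0.1.rc1.AXS4
bind-libs 9.8.2-0.68.rc1.AXS4
bind-utils 9.8.2-0.68.7.0.1.rc1.AXS4
"""

if __name__ == "__main__":
    print("packages still below the fixed build:", unpatched(SAMPLE))
```

A package left behind, such as a library subpackage held back by a dependency, means named may still be running the vulnerable code; restart the service after updating so the new libraries are loaded.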

Additional Info: 

N/A

Download: 

SRPMS
  1. bind-9.8.2-0.68.7.0.1.rc1.AXS4.src.rpm
    MD5: 5438e94ec8829fd38024d224d6a9dc2e
    SHA-256: a7fa1547e3c427f1ee838134345109ab3fb4961cb2b7e4ca2b199cb0f0d6fc97
    Size: 8.49 MB

Asianux Server 4 for x86
  1. bind-9.8.2-0.68.7.0.1.rc1.AXS4.i686.rpm
    MD5: 8ff3e5cae6ef9790a5cfcf2122d9211e
    SHA-256: 444ceb51e84b68e419ef1d96212a4c9121e34ae45aaa65044f3bd50a5316366c
    Size: 4.00 MB
  2. bind-chroot-9.8.2-0.68.7.0.1.rc1.AXS4.i686.rpm
    MD5: 4e4c08fefb8ef7a12fc120fcd86f06ce
    SHA-256: 5db9a1f1bd45ec1b359ec5978c7bde2a4bc68d60b0c30886fb07938c7b024c4b
    Size: 78.05 kB
  3. bind-libs-9.8.2-0.68.7.0.1.rc1.AXS4.i686.rpm
    MD5: afff9d281dbd26b965bde04e2cc2e09b
    SHA-256: eb85e77a237bfee481fb930da0cd4ce79abb757778dd6cb3ca229a1bec1e05d9
    Size: 903.06 kB
  4. bind-utils-9.8.2-0.68.7.0.1.rc1.AXS4.i686.rpm
    MD5: 0350ec555e14d03b66289c2fde23c40e
    SHA-256: d0c99a8bee347b542a16fb014271daece58c022ad78906a82918421f44a49a55
    Size: 188.39 kB

Asianux Server 4 for x86_64
  1. bind-9.8.2-0.68.7.0.1.rc1.AXS4.x86_64.rpm
    MD5: ba74448dd2da06c1dd02c10caffbdfc7
    SHA-256: 09c45b3779673ca19bb1a501a6e972bdc4df1f69f60998b05aaaf710d8990fe3
    Size: 4.00 MB
  2. bind-chroot-9.8.2-0.68.7.0.1.rc1.AXS4.x86_64.rpm
    MD5: 444e51ef9c328b13defc1cdbf4811b46
    SHA-256: 4882a89e6ea31cd78846ac3ea1c7d6873092ac51d9f24c836e5c63b78bd606a2
    Size: 77.61 kB
  3. bind-libs-9.8.2-0.68.7.0.1.rc1.AXS4.x86_64.rpm
    MD5: fb79132c8f0258973b7fe82fe76bf6c3
    SHA-256: 084e4f6e41227a19c6bda1f7854b72232925f3465e6cf7cf3ed1c15db98b2205
    Size: 892.21 kB
  4. bind-utils-9.8.2-0.68.7.0.1.rc1.AXS4.x86_64.rpm
    MD5: e88a24113b0ff47455ba7593d3608799
    SHA-256: 1b8445c1fe1df619b1b1f18ab6a8d4c35300015f7462457a9b07f37177818b4a
    Size: 186.64 kB
  5. bind-libs-9.8.2-0.68.7.0.1.rc1.AXS4.i686.rpm
    MD5: afff9d281dbd26b965bde04e2cc2e09b
    SHA-256: eb85e77a237bfee481fb930da0cd4ce79abb757778dd6cb3ca229a1bec1e05d9
    Size: 903.06 kB