Errata ID: AXSA:2023-5856:01

Release date: Tuesday, June 6, 2023 - 07:16
Affected Channels: Asianux Server 8 for x86_64

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: processing large delegations may severely degrade resolver performance (CVE-2022-2795)
* bind: flooding with UPDATE requests may lead to DoS (CVE-2022-3094)
* bind: sending specific queries to the resolver may cause a DoS (CVE-2022-3736)
* bind: sending specific queries to the resolver may cause a DoS (CVE-2022-3924)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-2795: By flooding the target resolver with queries exploiting this flaw, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.

CVE-2022-3094: Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is therefore limited to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.

CVE-2022-3736: BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.

CVE-2022-3924: This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
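To triage which resolvers need the update first, the following added example (not part of the original advisory or of BIND) audits `named.conf` text for the configuration precondition shared by the two stale-answer issues described above: `stale-answer-enable yes;` together with a positive `stale-answer-client-timeout`. The function names and the sample configuration are hypothetical. The check assumes explicit settings only: it does not follow `include` files, does not evaluate BIND's built-in defaults, and does not inspect the installed package version.

```python
import re

BOOL_TRUE = {"yes", "true", "1"}  # spellings named.conf accepts for "on"

# Constructed sample, not taken from any real server.
SAMPLE_CONF = """
options {
    directory "/var/named";
    /* stale-answer-enable no; */
    stale-answer-enable yes;
    stale-answer-client-timeout 1800;  # milliseconds
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments (quoted strings are not special-cased)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def option_values(conf_text, name):
    """Every value explicitly assigned to `name`, in options or any view."""
    pattern = rf"(?<![\w-]){re.escape(name)}\s+\"?([^\s;\"]+)\"?\s*;"
    return [v.lower() for v in re.findall(pattern, strip_comments(conf_text))]

def stale_timeout_exposure(conf_text):
    """Return (exposed, reasons) for the condition the advisory describes."""
    enable = option_values(conf_text, "stale-answer-enable")
    timeout = option_values(conf_text, "stale-answer-client-timeout")
    reasons = []
    if any(v in BOOL_TRUE for v in enable):
        reasons.append("stale-answer-enable yes")
    positive = [v for v in timeout if v.isdigit() and int(v) > 0]
    if positive:
        reasons.append("stale-answer-client-timeout " + positive[0])
    # Both must hold; a match in any block counts as exposure (conservative).
    return len(reasons) == 2, reasons

if __name__ == "__main__":
    print(stale_timeout_exposure(SAMPLE_CONF))
```

A host flagged here is only exposed while it still runs a package older than the ones listed in this erratum; values such as `off` or `0` for the timeout are reported as not exposed.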


Update packages.

Additional Info: 



  1. bind9.16-9.16.23-0.14.el8.src.rpm
    MD5: da1d0da9694e48a9a1c1094f76f7540d
    SHA-256: 132817f47c80614e7ed3d9f8cb92c1d47ac3bd041f283a2b9a5cca7f87f2f605
    Size: 5.06 MB

Asianux Server 8 for x86_64
  1. bind9.16-9.16.23-0.14.el8.x86_64.rpm
    MD5: 3d999bd51cb1a4a32952ef476f156e61
    SHA-256: a63a28322c626e32e683564ebee9e3eb3b7e514f3f317643714d5ac426f85663
    Size: 602.47 kB
  2. bind9.16-chroot-9.16.23-0.14.el8.x86_64.rpm
    MD5: 5f244048b0e36af614693d59dfe13ae6
    SHA-256: 3f6c02c2efe30c495b8856a8c8694020a4580861b1b26afe8cfcebe43fa3c47c
    Size: 110.31 kB
  3. bind9.16-devel-9.16.23-0.14.el8.i686.rpm
    MD5: 50e3843b14f070ae1d3a1b457ed1a6ae
    SHA-256: f82243776b400d2b0aa6de311701faaf25d75e9b0f0085dd6baf8d9ac14e9abc
    Size: 425.87 kB
  4. bind9.16-devel-9.16.23-0.14.el8.x86_64.rpm
    MD5: 8cfa3cc72d4231a57d319f0735ac66d8
    SHA-256: 8b87c9bc039e001fd387c9495b7000c3b12e464532568678721709062dca6f66
    Size: 425.82 kB
  5. bind9.16-dnssec-utils-9.16.23-0.14.el8.x86_64.rpm
    MD5: 8d1addcd1aad96b16887232af7795426
    SHA-256: c1a48ba68e2cc36847fa32cbca2863a6a4e9cbc2d0b33befc48f095e211aadc5
    Size: 243.52 kB
  6. bind9.16-doc-9.16.23-0.14.el8.noarch.rpm
    MD5: 5b79ae484f1d57d2b4a02a2316ad6572
    SHA-256: a4017d4567689c2d45f3945c2fc2b2fd04e7871f05188af9e5d618859ed56a27
    Size: 3.67 MB
  7. bind9.16-libs-9.16.23-0.14.el8.i686.rpm
    MD5: 58b75857d69530153f07f20c34155ef9
    SHA-256: 7a881be328e5d6ad8491161dd1de00f3696536658341650453e0d9a6ef9a8d18
    Size: 1.45 MB
  8. bind9.16-libs-9.16.23-0.14.el8.x86_64.rpm
    MD5: bb5d1d1de285c42fde8c9005e0a23b63
    SHA-256: 6ab27d8659e08e7d9f2815924a69ab84c6568086420a343c77c59d15f108a4bb
    Size: 1.36 MB
  9. bind9.16-license-9.16.23-0.14.el8.noarch.rpm
    MD5: 83d9dc84006daafeb5d66632ea92b4c5
    SHA-256: f3c4210dd9aed0151bcc2cf5d906d3530a79452ae54df4cddceca6cf6d0a9f07
    Size: 106.65 kB
  10. bind9.16-utils-9.16.23-0.14.el8.x86_64.rpm
    MD5: 27efe73647e322b15ba9196f5506e884
    SHA-256: b541b6b3e2c7489413369d9833c95d4afea31f636fe5b9a3a47097137eb386aa
    Size: 288.45 kB
  11. python3-bind9.16-9.16.23-0.14.el8.noarch.rpm
    MD5: 18e44f2ac1d9b0b50d1a2f31018aef02
    SHA-256: 8afb4bd1c8d5e1a12d0811d8357d16f784623a273d54c501e75fcad52d115ed9
    Size: 154.93 kB