bind-dyndb-ldap-11.9-8.el9_3.3.ML.1, bind-9.16.23-14.el9_3.4
Errata ID: AXSA:2024-7681:01
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix(es):
* bind: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)
* bind: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)
* bind: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)
* bind: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)
* bind: Querying RFC 1918 reverse zones may cause an assertion failure when “nxdomain-redirect” is enabled (CVE-2023-5517)
* bind: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-4408
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
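Added illustration (not from the advisory or BIND's own code) of why a closest encloser proof is CPU-heavy: the RFC 5155 hash costs iterations+1 SHA-1 calls, and a validator recomputes it for the query name and every ancestor up to the apex, so deep random names in a zone with a high iteration count multiply the work. The MAX_NSEC3_ITERATIONS cap and the sample names are assumptions for this example; the test vector (salt aabbccdd, 12 iterations) is from RFC 5155 Appendix A.

```python
import base64
import hashlib
import struct

# Assumed validator policy constant for this example (RFC 9276 recommends an
# iteration count of 0); it is not a value taken from the advisory.
MAX_NSEC3_ITERATIONS = 150
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name):
    """Canonical (lowercase) wire-format name, as RFC 5155 s.5 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_nsec3param(rdata):
    """Leading fields of NSEC3/NSEC3PARAM rdata: alg, flags, iterations, salt."""
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    return alg, flags, iterations, rdata[5:5 + salt_len]

class Sha1Meter:
    """Counts SHA-1 invocations so the CPU cost of a proof can be measured."""
    def __init__(self): self.calls = 0
    def digest(self, data):
        self.calls += 1
        return hashlib.sha1(data).digest()

def nsec3_hash(name, salt, iterations, meter):
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt): iterations+1 hashes."""
    h = meter.digest(name_to_wire(name) + salt)
    for _ in range(iterations):
        h = meter.digest(h + salt)
    return base64.b32encode(h).translate(_B32HEX).decode().lower()

def closest_encloser_cost(qname, zone, nsec3_owners, salt, iterations):
    """Hash QNAME, then each ancestor up to the apex, until an NSEC3 owner matches."""
    meter = Sha1Meter()
    labels = qname.lower().rstrip(".").split(".")
    depth = len(zone.lower().rstrip(".").split("."))
    while len(labels) >= depth:
        candidate = ".".join(labels) + "."
        if nsec3_hash(candidate, salt, iterations, meter) in nsec3_owners:
            return candidate, meter.calls
        labels = labels[1:]
    return None, meter.calls

def iterations_policy(iterations, limit=MAX_NSEC3_ITERATIONS):
    """Treat over-limit iteration counts as insecure instead of hashing at all."""
    return "insecure" if iterations > limit else "validate"
```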
CVE-2023-5517
A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:
- `nxdomain-redirect ;` is configured, and
- the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.
This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-5679
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-6516
To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
Update packages.
SRPMS
- bind-dyndb-ldap-11.9-8.el9_3.3.ML.1.src.rpm
MD5: 79767383114374de80b3db74747b2123
SHA-256: c410d8b2b35460c6d2a7f163db3ef2020d4f0fa8633bde90ee9207e17b24b6f7
Size: 361.76 kB
- bind-9.16.23-14.el9_3.4.src.rpm
MD5: 031ecfdb04d95d66eb1cc722444c0d2c
SHA-256: 620b7f99694301e0e58010eb15e56436cedc9825a32a28fc73d9da795256fe3c
Size: 5.02 MB
Asianux Server 9 for x86_64
- bind-9.16.23-14.el9_3.4.x86_64.rpm
MD5: b5f1759ef7fdecd6c3a3842db4faaa42
SHA-256: 94a239481f7cb107f61b0f128b56b1f47515b335a2e5c5be3e78ef3e76f1358e
Size: 498.70 kB
- bind-chroot-9.16.23-14.el9_3.4.x86_64.rpm
MD5: 0046904e14a6fb233f1e7cd7153a5970
SHA-256: 22bc5594c8094c7c5fb1120a4684e74535d1e25343933e7d2a473ab2457bfc9d
Size: 16.27 kB
- bind-devel-9.16.23-14.el9_3.4.i686.rpm
MD5: 34cf14591c332f9fb661f19911fc1a6f
SHA-256: 8eea612ef2545a6ef5992d56235e6e085bf7e66509ceb434d374a6e1ddd6b7d8
Size: 359.27 kB
- bind-devel-9.16.23-14.el9_3.4.x86_64.rpm
MD5: 084ba656d59bf919436c64b4ea78435d
SHA-256: 16877cfdda963b888b998ba1a652f8f0c60a708461c80bc7c22a9c5b739bd13c
Size: 359.25 kB
- bind-dnssec-doc-9.16.23-14.el9_3.4.noarch.rpm
MD5: d1c0ff3c4b9a5547f5e203fdb22a2746
SHA-256: d1dc9ab90250414a8c6689a403df92a92885f6a99d225b0b936924b7566f3123
Size: 44.85 kB
- bind-dnssec-utils-9.16.23-14.el9_3.4.x86_64.rpm
MD5: 69bb52f603143bca92e269d677309b51
SHA-256: 4f5da3f535821a49002a3a39876ae87b064200981803073fbf7cfd08604f497b
Size: 112.33 kB
- bind-doc-9.16.23-14.el9_3.4.noarch.rpm
MD5: dc3108b7cac866496ca58c4e0f6b23f4
SHA-256: 0706e05283c0720cfecc0a747e10b6bcab2e323ce9341f44661bb8e47ea5cdd6
Size: 2.08 MB
- bind-dyndb-ldap-11.9-8.el9_3.3.ML.1.x86_64.rpm
MD5: cde60ae4de7ce4a7ef946ae48ca9af9d
SHA-256: 7c58e1143bd77a0b5dc319b579dcf73651e47b362c66b1bdb0792ded4d415afa
Size: 103.65 kB
- bind-libs-9.16.23-14.el9_3.4.i686.rpm
MD5: a9dd0521a96a589d378244152d3b2155
SHA-256: 7f72ec916894088eabc01aef2e98af0d7413d7a42df141f38c80c0bb9ca8dff9
Size: 1.33 MB
- bind-libs-9.16.23-14.el9_3.4.x86_64.rpm
MD5: a4c4335dcbc04702d07fbf982c9fb686
SHA-256: 4ac91b727053dd9b7bdeeb2d6f59f11a2c55119c9643c7586c0b80ce5a76f777
Size: 1.24 MB
- bind-license-9.16.23-14.el9_3.4.noarch.rpm
MD5: 58a253561597be08cfc8ac5da8c1fdea
SHA-256: 55261c2ecf218346954b3aecb692620709696825b52b11a9ecb9e921e122f0e1
Size: 12.38 kB
- bind-utils-9.16.23-14.el9_3.4.x86_64.rpm
MD5: c5e9ce644c3b60ea0ee51f7486997f79
SHA-256: 7a8cfe9398e0d9045b63dcf44da29e1a99e5eb8e4879463bef11993a938d0f77
Size: 205.23 kB
- python3-bind-9.16.23-14.el9_3.4.noarch.rpm
MD5: e0f5a81fe366deeda81bc3f7d1a20074
SHA-256: efb7ac25a02a77ef7cd35a2bca99083f55d6b2878175d5d95bd9393f5be6b3b6
Size: 71.10 kB