bind9.16-9.16.23-0.16.el8_9.2.ML.1

エラータID: AXSA:2024-7685:01

Release date: 
Monday, April 15, 2024 - 16:10
Subject: 
bind9.16-9.16.23-0.16.el8_9.2.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Security Fix(es):

* bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)
* bind9: Querying RFC 1918 reverse zones may cause an assertion failure when “nxdomain-redirect” is enabled (CVE-2023-5517)
* bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)
* bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)
* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)
* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-4408
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
CVE-2023-5517
A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-5679
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-6516
To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.

Solution: 

Update packages.

CVEs: 
CVE-2023-4408
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
CVE-2023-5517
A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-5679
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-6516
To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
Additional Info: 

N/A

Download: 

SRPMS
  1. bind9.16-9.16.23-0.16.el8_9.2.ML.1.src.rpm
    MD5: e486f073de7ce165ffde046f787187e0
    SHA-256: 28c1cd0800ae4e2245d7822f9618da6853134fd668409a11f2ec6a881844dcd5
    Size: 5.09 MB

Asianux Server 8 for x86_64
  1. bind9.16-9.16.23-0.16.el8_9.2.ML.1.x86_64.rpm
    MD5: 47f2242c71ff0e19aa5321611aa7d87e
    SHA-256: 4bf742939664100a6242d39cdbb78e68207dd177fae3c9ed1aa2be784571bae1
    Size: 603.45 kB
  2. bind9.16-chroot-9.16.23-0.16.el8_9.2.ML.1.x86_64.rpm
    MD5: d90b5817dfe3f2aa5e555e2355608b9a
    SHA-256: d5436b9b7e5ee9279e3eb1ce5b9ef3a939ae26f26513b4c4d001e615b9a82b67
    Size: 111.32 kB
  3. bind9.16-devel-9.16.23-0.16.el8_9.2.ML.1.i686.rpm
    MD5: 59b32ff7ebe2f484e686bcb4256483c8
    SHA-256: f71e4abb7b52a8d4ad07b1c0c18068e074800b9c7676bc043bc75c3b375a7bca
    Size: 426.99 kB
  4. bind9.16-devel-9.16.23-0.16.el8_9.2.ML.1.x86_64.rpm
    MD5: 4b3f27a12bdd20772f0f0a6a28f99e90
    SHA-256: dbab3306fae928e496411df06f618c216c2271170d445210749028a9180e6637
    Size: 426.95 kB
  5. bind9.16-dnssec-utils-9.16.23-0.16.el8_9.2.ML.1.x86_64.rpm
    MD5: 203a62e7b30ee5c567a3afa0c4aab4cb
    SHA-256: 11a1a4652d402af82038fc83353d09ca18bac1309b771bc8d9652a15ffa5f892
    Size: 244.58 kB
  6. bind9.16-doc-9.16.23-0.16.el8_9.2.ML.1.noarch.rpm
    MD5: 26be1d076ddce25bcac88596ee3e71bb
    SHA-256: d3b285c8062ca8505caf96318fbf24df6ace45d7af808f68b4a285ec74e6ea93
    Size: 3.67 MB
  7. bind9.16-libs-9.16.23-0.16.el8_9.2.ML.1.i686.rpm
    MD5: 2be07a77363569233e2c258caa2df292
    SHA-256: 6768b782824adfab7460b8dd0dbe7fa53a1166e346ccc68f0dfe2464b1f04386
    Size: 1.45 MB
  8. bind9.16-libs-9.16.23-0.16.el8_9.2.ML.1.x86_64.rpm
    MD5: 9c8009e0476bce00b926f7b464cbf250
    SHA-256: f646bb425119e7c19b14e99b9938755445678d66922555e44662bfb4c5984e51
    Size: 1.36 MB
  9. bind9.16-license-9.16.23-0.16.el8_9.2.ML.1.noarch.rpm
    MD5: 6c7a5fc1502fc843ea066999b4312f88
    SHA-256: 44cc7fa55a146b111a900208cff17acd58d3f7e720850e35c6513c612a771ed7
    Size: 107.63 kB
  10. bind9.16-utils-9.16.23-0.16.el8_9.2.ML.1.x86_64.rpm
    MD5: c65894b0753d4422cc23807727c57894
    SHA-256: f4d25612653cec8e4f8a0cf171e29c76a4cb1eb7a0c943517a1bf17121d887ed
    Size: 289.65 kB
  11. python3-bind9.16-9.16.23-0.16.el8_9.2.ML.1.noarch.rpm
    MD5: 6c73a44806c906a8eea9dcf2be0af79b
    SHA-256: b5a3593ef7e39a712cb9b0d90617843a4d1a73dc33f941a7cbe24ef4e446e0a3
    Size: 155.93 kB