bind-dyndb-ldap-11.9-9.el9.ML.1, bind-9.16.23-18.el9.1
Errata ID: AXSA:2024-7866:02
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix(es):
* bind: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)
* bind: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)
* bind: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)
* bind: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)
* bind: Querying RFC 1918 reverse zones may cause an assertion failure when “nxdomain-redirect” is enabled (CVE-2023-5517)
* bind: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)
Bug Fix(es):
* bind-dyndb-ldap: rebuilt to adapt to ABI changes in bind
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-4408
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
CVE-2023-5517
A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:
* an `nxdomain-redirect` statement is configured, and
* the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.
This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-5679
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
CVE-2023-6516
To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
Update packages.
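The trigger conditions above (fixed version 9.16.23-18.el9.1; `nxdomain-redirect` for CVE-2023-5517; DNS64 together with serve-stale for CVE-2023-5679; recursion for CVE-2023-6516; the DNSSEC validator for CVE-2023-50387 and CVE-2023-50868; any `named` for CVE-2023-4408) can be turned into a quick triage script. The following is an added example, not code from this advisory or from ISC: given the installed `version-release` string (on the host, `rpm -q --qf '%{VERSION}-%{RELEASE}\n' bind`) and the text of `named.conf`, it lists which of the errata's CVEs the host still meets the stated conditions for. Assumptions, not facts from the page: the version comparison is a simplified rpmvercmp (no epoch, no `~`/`^` handling), the config scan is a regex pass rather than a real `named.conf` parser (feed it `named-checkconf -p` output to normalize includes and views first), and BIND's defaults of `recursion yes` and `dnssec-validation auto` are taken to mean those features are on unless explicitly set to `no`. The sample configuration is constructed for the demonstration.

```python
"""Triage helper for the BIND errata CVEs (added example, not advisory code)."""
import re

# Fixed version-release from the advisory: bind-9.16.23-18.el9.1
FIXED_BIND_VR = "9.16.23-18.el9.1"

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption: no epoch, '~' or '^' handling).

    Strings are split into digit runs and letter runs. Digit runs compare
    numerically, letter runs lexically, a digit run sorts after a letter run,
    and when all shared segments tie the string with more segments is newer.
    Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_cmp(vr_a: str, vr_b: str) -> int:
    """Compare two 'version-release' strings (epochs assumed equal)."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def bind_is_fixed(installed_vr: str, fixed_vr: str = FIXED_BIND_VR) -> bool:
    """True when the installed bind is at or above the errata's fixed build."""
    return vr_cmp(installed_vr, fixed_vr) >= 0


# named.conf comment forms: // line, # line, /* block */
_COMMENTS = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def risky_features(named_conf: str) -> set:
    """Regex scan (not a full parser) for the features the advisory names."""
    text = _COMMENTS.sub("", named_conf)
    found = set()
    if re.search(r"\bnxdomain-redirect\s+[^;]+;", text):
        found.add("nxdomain-redirect")
    if re.search(r"\bdns64\s+\S+\s*\{", text):
        found.add("dns64")
    if re.search(r"\bserve-stale-enable\s+yes\s*;", text):
        found.add("serve-stale")
    # Assumed BIND defaults: recursion yes, dnssec-validation auto.
    # Only an explicit 'no' turns them off, so absence counts as enabled.
    if not re.search(r"\brecursion\s+no\s*;", text):
        found.add("recursion")
    if not re.search(r"\bdnssec-validation\s+no\s*;", text):
        found.add("validation")
    return found


def applicable_cves(installed_vr: str, named_conf: str) -> list:
    """Errata CVEs whose stated trigger conditions this host still meets."""
    if bind_is_fixed(installed_vr):
        return []
    f = risky_features(named_conf)
    cves = ["CVE-2023-4408"]  # message parsing: authoritative and recursive alike
    if "recursion" in f:
        cves.append("CVE-2023-6516")  # cache-cleanup backlog on recursive resolvers
        if "validation" in f:  # KeyTrap and NSEC3 cost live in the DNSSEC validator
            cves += ["CVE-2023-50387", "CVE-2023-50868"]
        if "nxdomain-redirect" in f:
            cves.append("CVE-2023-5517")
        if {"dns64", "serve-stale"} <= f:
            cves.append("CVE-2023-5679")
    return cves


# Constructed sample named.conf for the demonstration (not a real deployment).
SAMPLE_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    max-cache-size 90%;
    serve-stale-enable yes;            /* with dns64 below: CVE-2023-5679 */
    nxdomain-redirect "example.net";   # CVE-2023-5517 trigger
    dns64 64:ff9b::/96 { clients { any; }; };
};
"""

if __name__ == "__main__":
    for vr in ("9.16.23-14.el9", FIXED_BIND_VR):
        print(vr, "->", applicable_cves(vr, SAMPLE_CONF) or "fixed")
```

After installing the update, verify the downloaded RPMs against the SHA-256 values listed below (`sha256sum <file>`) before `dnf update`, and restart `named` so the running process picks up the fixed binary; the version check alone does not tell you whether the old code is still in memory.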
N/A
SRPMS
- bind-dyndb-ldap-11.9-9.el9.ML.1.src.rpm
MD5: 4c159dadaf51fdfe1a34d4fc7e0d4bf2
SHA-256: db1421a650e7edb51a32dff89581b6d4b827efddefd743aa74e13c9682b743eb
Size: 361.56 kB
- bind-9.16.23-18.el9.1.src.rpm
MD5: b83f9ab943d61ad87fd204d0d10a00c4
SHA-256: 4e810bd33f555f6e46462be1f3aee55c9e037b13847dcb107addb802debf5111
Size: 5.00 MB
Asianux Server 9 for x86_64
- bind-9.16.23-18.el9.1.x86_64.rpm
MD5: ee1bdfc574cab5cf691c3e3bc342b611
SHA-256: 6153bc5087ef061ad4579af91a4497a1ca3b88e45702cb60244e40ad4eb7f3a8
Size: 488.76 kB
- bind-chroot-9.16.23-18.el9.1.x86_64.rpm
MD5: da158a9e1e39447bd1b2cd96b9c9ab2e
SHA-256: 30d8adb4654cf01534c0d8b0fae30c88ae16eac793ee365f8a19bd919592e812
Size: 16.07 kB
- bind-devel-9.16.23-18.el9.1.i686.rpm
MD5: bc5ab827f3510b80fd3e6e2206640f48
SHA-256: c04a68246b4292780e4c260ed22ce671e6e4e7979132faf7153263a00d76027f
Size: 301.37 kB
- bind-devel-9.16.23-18.el9.1.x86_64.rpm
MD5: b99878fb0534080d0b12361b416dc4ad
SHA-256: 34d3dbd1a35e224e34316879187e7183a15b45091dad494a2a15826935e1aaef
Size: 301.30 kB
- bind-dnssec-doc-9.16.23-18.el9.1.noarch.rpm
MD5: 1875da352662dc61205b018b683048bd
SHA-256: b699ee66b808ebb151b22f7e55584ca19642e4410d59b88d61d5da9c218da11d
Size: 44.67 kB
- bind-dnssec-utils-9.16.23-18.el9.1.x86_64.rpm
MD5: 82cc63778f4a14dfa5977a410e2f9fa4
SHA-256: 3686bfd87fe9e702b8acc13aa78d78dc10966cca9a31f7edbaa565d1f8067f89
Size: 113.98 kB
- bind-doc-9.16.23-18.el9.1.noarch.rpm
MD5: f34a01fa19bdaae5165e29d819067b2a
SHA-256: 1132e733386ad9de712db35c422dc16d35a68e86ecc03b1a70423d2e9acb8b5d
Size: 2.07 MB
- bind-dyndb-ldap-11.9-9.el9.ML.1.x86_64.rpm
MD5: 56878b1fef377f1a742336e7f655fa47
SHA-256: 79841664d29e8326242245f4cad6b685637de523275b9508b349f3f0c337dcda
Size: 103.66 kB
- bind-libs-9.16.23-18.el9.1.i686.rpm
MD5: 06e773d490e2182c6c2325bde281094d
SHA-256: 1b0844832d7e9b93c28b0b56f45bd35b8ac7d29a8946fdd5bc3673f76ade7053
Size: 1.33 MB
- bind-libs-9.16.23-18.el9.1.x86_64.rpm
MD5: d427167d2c61477764cb7ec9ce3e766d
SHA-256: 2957ce5662af0187736565c1d4013bcb90d09e008efca319a3eee74dc9538a50
Size: 1.24 MB
- bind-license-9.16.23-18.el9.1.noarch.rpm
MD5: 2b7d35d2f4d4645e238eca3882540fbe
SHA-256: b7861e5f7bed29076aa1f1c992e9d155a7b556adb459b43e62a35f4da1413296
Size: 12.19 kB
- bind-utils-9.16.23-18.el9.1.x86_64.rpm
MD5: 4d93a7c625ec6d54398a4665d2e2aab5
SHA-256: a78b6261a5dcb3b7eaf30f54ebfdc4e853fd0df89b13f6e96d62af8924908b1e
Size: 201.10 kB
- python3-bind-9.16.23-18.el9.1.noarch.rpm
MD5: c2569b1b23621d35eef2071fff11bd8f
SHA-256: 5d5893e638702bd635097ebd005f784e1bfcba4cbd83befe041d81c35185e071
Size: 60.21 kB