bind-9.11.20-5.el8
Errata ID: AXSA:2021-1277:01
Release date:
2021/01/21 Thursday - 04:11
Title:
bind-9.11.20-5.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
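The following issues have been addressed.
[Security Fix]
- BIND has a vulnerability that allows a potential attacker who can change zone content to cause a denial of service by adding a record for an empty non-terminal entry containing an asterisk ("*"). (CVE-2020-8619)
- BIND has a vulnerability that allows an attacker on the network path of a TSIG-signed request, or on the server processing it, to cause a denial of service (an assertion failure and server exit) by sending a truncated response corresponding to that request. An off-path attacker can also terminate the server when able to guess the TSIG-signed request from other packets and messages. (CVE-2020-8622)
- BIND has a vulnerability that allows an attacker who can reach a vulnerable system with a specially crafted query packet to trigger a crash. (CVE-2020-8623)
- BIND has a vulnerability that may allow an attacker who has been granted privileges to change a specific subset of a zone to abuse unintended additional privileges and change other contents of the zone. (CVE-2020-8624)
Solution:
Update the packages.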
CVE:
CVE-2020-8619
In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.
CVE-2020-8622
In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.
CVE-2020-8623
In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must:
* be running BIND that was built with "--enable-native-pkcs11"
* be signing one or more zones with an RSA key
* be able to receive queries from a possible attacker
CVE-2020-8624
In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone.
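The precondition described for CVE-2020-8619 (an empty non-terminal entry containing an asterisk) can be audited in zones you operate. The Python below is an added example, not part of this advisory or of BIND: the function names and the example.com sample data are constructed for illustration, and it assumes the conservative reading that any empty non-terminal whose name has a label containing "*" should be reported.

```python
"""Audit owner names for empty non-terminals containing "*" (CVE-2020-8619 precondition)."""

def normalize(name, origin):
    """Return a lower-case, fully qualified name without the trailing dot."""
    name = name.strip().lower()
    origin = origin.strip().lower().rstrip(".")
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"

def asterisk_ents(owner_names, origin):
    """List empty non-terminals under `origin` that have a label containing "*"."""
    origin_fqdn = origin.strip().lower().rstrip(".")
    owners = {normalize(n, origin) for n in owner_names}
    flagged = set()
    for owner in owners:
        # Skip the apex itself and any out-of-zone name.
        if not owner.endswith("." + origin_fqdn):
            continue
        labels = owner.split(".")
        # Walk every proper ancestor of the owner that is still below the apex.
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if ancestor == origin_fqdn:
                break
            # An ancestor that owns no records itself is an empty non-terminal.
            has_star = any("*" in label for label in ancestor.split("."))
            if ancestor not in owners and has_star:
                flagged.add(ancestor)
    return sorted(flagged)

# Constructed sample: owner names as they might appear in a zone file for example.com.
SAMPLE_OWNERS = [
    "@", "www",
    "*.dyn",                 # ordinary wildcard: "*.dyn" owns records, so it is not an ENT
    "host.*.lab",            # makes "*.lab.example.com" an empty non-terminal
    "a.b.*.c.example.com.",  # makes "b.*.c" and "*.c" empty non-terminals with "*"
    "mail.other.test.",      # out of zone, ignored
]

if __name__ == "__main__":
    for ent in asterisk_ents(SAMPLE_OWNERS, "example.com."):
        print("empty non-terminal with asterisk:", ent)
```

Feed it the owner-name column of a zone listing; an empty result means the zone does not contain the entry type the CVE description requires.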
Additional information:
N/A
Download:
SRPMS
- bind-9.11.20-5.el8.src.rpm
Size: 8.07 MB
Asianux Server 8 for x86_64
- bind-9.11.20-5.el8.x86_64.rpm
Size: 2.09 MB
- bind-chroot-9.11.20-5.el8.x86_64.rpm
Size: 102.03 kB
- bind-devel-9.11.20-5.el8.x86_64.rpm
Size: 175.06 kB
- bind-export-devel-9.11.20-5.el8.x86_64.rpm
Size: 403.55 kB
- bind-export-libs-9.11.20-5.el8.x86_64.rpm
Size: 1.13 MB
- bind-libs-9.11.20-5.el8.x86_64.rpm
Size: 171.21 kB
- bind-libs-lite-9.11.20-5.el8.x86_64.rpm
Size: 1.17 MB
- bind-license-9.11.20-5.el8.noarch.rpm
Size: 100.32 kB
- bind-lite-devel-9.11.20-5.el8.x86_64.rpm
Size: 396.68 kB
- bind-pkcs11-9.11.20-5.el8.x86_64.rpm
Size: 388.86 kB
- bind-pkcs11-devel-9.11.20-5.el8.x86_64.rpm
Size: 112.52 kB
- bind-pkcs11-libs-9.11.20-5.el8.x86_64.rpm
Size: 1.11 MB
- bind-pkcs11-utils-9.11.20-5.el8.x86_64.rpm
Size: 257.60 kB
- bind-sdb-9.11.20-5.el8.x86_64.rpm
Size: 449.16 kB
- bind-sdb-chroot-9.11.20-5.el8.x86_64.rpm
Size: 102.04 kB
- bind-utils-9.11.20-5.el8.x86_64.rpm
Size: 443.10 kB
- python3-bind-9.11.20-5.el8.noarch.rpm
Size: 147.59 kB