bind-9.16.23-11.el9

エラータID: AXSA:2023-5457:04

リリース日: 
2023/05/22 Monday - 12:41
題名: 
bind-9.16.23-11.el9
影響のあるチャネル: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

以下項目について対処しました。

[Security Fix]
- BIND には、リモートの攻撃者により、細工したクエリを用いた
リゾルバーサーバーのフラッディングを介して、リゾルバーの性能を
大幅に低下させることによるサービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2022-2795)

- BIND には、動的 DNS 更新メッセージ処理時のメモリ領域の確保
処理に起因してメモリ枯渇に至る問題があるため、リモートの攻撃者
により、大量の動的 DNS 更新メッセージの送信を介して、サービス
拒否攻撃を可能とする脆弱性が存在します。(CVE-2022-3094)

- BIND には、リモートの攻撃者により、古いキャッシュと応答が有効
化されかつ stale-answer-client-timeout オプションに正の整数が指定
されているサーバーへの RRSIG クエリの送信を介して、クラッシュ
の発生とこれに起因するサービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2022-3736)

- BIND には、stale-answer-enable オプションに yes を設定し、かつ
stale-answer-client-timeout オプションに正の整数を設定した環境に
おいてアサーション処理が失敗する問題があるため、リモートの攻撃者
により、再帰的な照会を必要とするクエリを介して、クラッシュの発生
とこれに起因するサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2022-3924)

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2022-2795
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
CVE-2022-3094
Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.
CVE-2022-3736
BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
CVE-2022-3924
This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. bind-9.16.23-11.el9.src.rpm
    MD5: 93bda365097e488396e9a9b241cbdd29
    SHA-256: 0cf8b1aa06c026c18fe87eda79597f83e3a42aec26e1f349235710a636d29f4f
    Size: 4.97 MB

Asianux Server 9 for x86_64
  1. bind-9.16.23-11.el9.x86_64.rpm
    MD5: 9be289801fe0e6245a6620e330ff09f7
    SHA-256: 07a48f87512099a2a0ccf2ce455bf1e5a2a545fa76825e8eada232ce8dea9954
    Size: 488.16 kB
  2. bind-chroot-9.16.23-11.el9.x86_64.rpm
    MD5: 695eb45854c5b341aec290e5c061cb59
    SHA-256: 6d21c13ce7d7a52c866e18175a342d94edb26da99b7119f77fe930d6d8525a84
    Size: 16.87 kB
  3. bind-devel-9.16.23-11.el9.i686.rpm
    MD5: acd49a171b198a7491f041cd011f951c
    SHA-256: f6a96de6cb373b4e7558701eaed052f2a81150b5e2f261012ad00738564f89c2
    Size: 302.07 kB
  4. bind-devel-9.16.23-11.el9.x86_64.rpm
    MD5: 05522a8de8757700fdd343bf59b4eb45
    SHA-256: f6bf7f30a72c7884f4107da37c53df7d8dc690ce93d3c8598440bc7ed0ebc74e
    Size: 302.07 kB
  5. bind-dnssec-doc-9.16.23-11.el9.noarch.rpm
    MD5: 8893be3edf5e91fb0c5a24b61518a5ef
    SHA-256: e86f00578292217f3a51aa46669e0b88c77c4c0a17a9b0c0f26db718b7c7e1a3
    Size: 45.46 kB
  6. bind-dnssec-utils-9.16.23-11.el9.x86_64.rpm
    MD5: a4252bfed022f4af4fab5773440665a2
    SHA-256: be97c8f57b29ceaaa72f684bf1245a5fea5339742f17c379945293d318cd8c9b
    Size: 113.12 kB
  7. bind-libs-9.16.23-11.el9.i686.rpm
    MD5: 9930e90be2012d1669b2d29a49ef14e4
    SHA-256: f071213a969da57ad10368477a2519e39460dc9689095eefe9718f4bc2a1d366
    Size: 1.33 MB
  8. bind-libs-9.16.23-11.el9.x86_64.rpm
    MD5: 4ac6daf0485f7bbe4e03ab2440686d9d
    SHA-256: 6fa26a373bd2367c575a6b318cd498292f7aaeffee2f9673ce5254bd645837a4
    Size: 1.24 MB
  9. bind-license-9.16.23-11.el9.noarch.rpm
    MD5: a6eb228e514dd8d619b1c217b3869ccc
    SHA-256: 373f47888fb62fa7352f95444719b694ef6f464f7e19ebc7a5abf8b718efca3f
    Size: 12.99 kB
  10. bind-utils-9.16.23-11.el9.x86_64.rpm
    MD5: fd6c32f4f6d67e1459ad944e47957860
    SHA-256: 52fcabedf89f658aeb8e76f435e935ca52aad2728db4753158a683c91584da5a
    Size: 199.38 kB
  11. python3-bind-9.16.23-11.el9.noarch.rpm
    MD5: 30acd30635a7403a0255887629a70583
    SHA-256: 11d414c7266f7fec5565077dab6df6c9a54f92d38838b0248ba71609415786be
    Size: 61.00 kB