bind9.16-9.16.23-0.14.el8
Errata ID: AXSA:2023-5856:01
Release date:
2023/06/06 Tuesday - 07:16
Title:
bind9.16-9.16.23-0.14.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
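The following issues have been addressed.
[Security Fix]
- BIND contains a vulnerability that allows a remote attacker to cause a
denial of service by flooding the resolver server with crafted queries,
significantly degrading the resolver's performance. (CVE-2022-2795)
- BIND has an issue in its memory allocation during the processing of
dynamic DNS update messages that can lead to memory exhaustion. This
allows a remote attacker to cause a denial of service by sending a large
number of dynamic DNS update messages. (CVE-2022-3094)
- BIND contains a vulnerability that allows a remote attacker to cause a
crash, and a resulting denial of service, by sending an RRSIG query to a
server on which stale cache and stale answers are enabled and the
stale-answer-client-timeout option is set to a positive integer.
(CVE-2022-3736)
- BIND has an issue in which an assertion fails in environments where the
stale-answer-enable option is set to yes and the
stale-answer-client-timeout option is set to a positive integer. This
allows a remote attacker to cause a crash, and a resulting denial of
service, via queries that require recursion. (CVE-2022-3924)
Solution:
Update the packages.
CVE: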
CVE-2022-2795
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
CVE-2022-3094
Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.
CVE-2022-3736
BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
CVE-2022-3924
This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
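For hosts that cannot be updated immediately, the option combination named for CVE-2022-3736 and CVE-2022-3924 can be checked per scope in `named.conf`. The following is an added example, not code from Asianux or ISC. The function names, verdict labels and sample configuration are constructed for illustration. It reads only explicit settings in a single file, does not follow `include` statements, and reports an unset timeout for manual review because the advisory does not state the version default.

```python
import re

# Constructed sample named.conf (not from the advisory).
SAMPLE_CONF = """
options {
    stale-answer-enable yes;            // serve-stale on
    # stale-answer-client-timeout 0;   commented out, must be ignored
    stale-answer-client-timeout 1800;
};
view "internal" { stale-answer-client-timeout off; };
view "guest" { recursion yes; };
"""

def strip_comments(text):
    """Drop /* */, // and # comments (quoted strings are not special-cased)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def scopes(text):
    """Yield (name, body) for the options block and every view block."""
    for m in re.finditer(r'\b(options|view\s+"?([\w.-]+)"?[^{;]*)\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:      # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield (m.group(2) or "options"), text[m.end():i - 1]

def settings(body):
    """Collect the two stale-answer options named in the advisory."""
    pairs = re.findall(r"\b(stale-answer-(?:enable|client-timeout))\s+([^;\s]+)\s*;", body)
    return {name: value.strip('"').lower() for name, value in pairs}

def verdict(eff):
    """Classify one scope's effective settings against the stated conditions."""
    timeout = eff.get("stale-answer-client-timeout")
    if eff.get("stale-answer-enable") not in ("yes", "true", "1"):
        return "conditions-not-met"
    if timeout is None:
        return "check-version-default"      # option unset: default is not assumed
    positive = re.fullmatch(r"\d+", timeout) and int(timeout) > 0
    return "conditions-met" if positive else "conditions-not-met"

def audit(conf_text):
    """Return {scope: verdict}; views inherit unset options from `options`."""
    blocks = {n: settings(b) for n, b in scopes(strip_comments(conf_text))}
    base = blocks.pop("options", {})
    return {n: verdict({**base, **s}) for n, s in (blocks or {"options": {}}).items()}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A `conditions-met` verdict means the scope matches the configuration described for these two CVEs. It says nothing about whether the installed package already contains the fix.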
Additional information:
N/A
Downloads:
SRPMS
- bind9.16-9.16.23-0.14.el8.src.rpm
Size: 5.06 MB
Asianux Server 8 for x86_64
- bind9.16-9.16.23-0.14.el8.x86_64.rpm
Size: 602.47 kB
- bind9.16-chroot-9.16.23-0.14.el8.x86_64.rpm
Size: 110.31 kB
- bind9.16-devel-9.16.23-0.14.el8.i686.rpm
Size: 425.87 kB
- bind9.16-devel-9.16.23-0.14.el8.x86_64.rpm
Size: 425.82 kB
- bind9.16-dnssec-utils-9.16.23-0.14.el8.x86_64.rpm
Size: 243.52 kB
- bind9.16-doc-9.16.23-0.14.el8.noarch.rpm
Size: 3.67 MB
- bind9.16-libs-9.16.23-0.14.el8.i686.rpm
Size: 1.45 MB
- bind9.16-libs-9.16.23-0.14.el8.x86_64.rpm
Size: 1.36 MB
- bind9.16-license-9.16.23-0.14.el8.noarch.rpm
Size: 106.65 kB
- bind9.16-utils-9.16.23-0.14.el8.x86_64.rpm
Size: 288.45 kB
- python3-bind9.16-9.16.23-0.14.el8.noarch.rpm
Size: 154.93 kB