bind-dyndb-ldap-11.9-9.el9.ML.1, bind-9.16.23-18.el9.1
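Errata ID: AXSA:2024-7866:02
The following issues were addressed.
[Security Fix]
- named in BIND contains a vulnerability that allows a remote attacker to cause a denial of service (CPU resource exhaustion) by sending queries crafted to be extremely long. (CVE-2023-4408)
- The DNSSEC processing in BIND contains a vulnerability that, when a zone with many DNSKEY and RRSIG records exists, allows a remote attacker to cause a denial of service (CPU resource exhaustion) through the receipt of crafted DNSSEC responses. (CVE-2023-50387)
- The closest encloser resolution in BIND contains a vulnerability that allows a remote attacker to cause a denial of service (CPU resource exhaustion) by passing responses containing NSEC3 records of a DNSSEC-signed zone to a DNSSEC resolver. (CVE-2023-50868)
- named in BIND can fail an assertion when nxdomain-redirect is configured, which allows a remote attacker to cause a denial of service by sending a query for a PTR record used for RFC 1918 reverse lookups. (CVE-2023-5517)
- named in BIND can fail an assertion because of a conflict between the DNS64 and serve-stale settings, which allows a remote attacker to cause a denial of service (crash). (CVE-2023-5679)
- named in BIND does not properly perform cleanup of its cache database, which allows a remote attacker to cause a denial of service (memory exhaustion) by continuously issuing crafted queries. (CVE-2023-6516)
Update the packages.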
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
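For hosts that cannot be updated immediately, the two assertion-failure issues above depend on configuration, so a configuration audit shows which resolvers are exposed. The following is an added example, not part of the original advisory or of BIND: it scans named.conf text for `nxdomain-redirect` and for `dns64` together with serve-stale. Treating an explicit `stale-answer-enable yes` or `stale-cache-enable yes` as "serve-stale enabled" is an assumption of this example, and the sample configuration is constructed.

```python
import re

# Constructed sample named.conf (not taken from a real server).
SAMPLE_CONF = '''
options {
    recursion yes;
    // nxdomain-redirect "commented.example";
    nxdomain-redirect "redirect.example";
    dns64 64:ff9b::/96 {
        clients { any; };
    };
    stale-answer-enable yes;   # serve-stale
    /* stale-cache-enable no; */
};
'''

# Quoted strings are matched first so comment markers inside them are ignored.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments; keep quoted strings as they are."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def statements(text):
    """Yield (keyword, arguments) per statement. Simplification: ';', '{'
    and '}' inside quoted strings are not handled, includes are not followed."""
    for chunk in re.split(r'[;{}]', strip_comments(text)):
        words = chunk.split()
        if words:
            yield words[0], words[1:]

def audit(text):
    """Return findings for the configuration-dependent CVEs in this advisory."""
    seen = {"nxdomain-redirect": False, "dns64": False, "serve-stale": False}
    for key, args in statements(text):
        if key in ("nxdomain-redirect", "dns64"):
            seen[key] = True
        elif key in ("stale-answer-enable", "stale-cache-enable") and args[:1] == ["yes"]:
            seen["serve-stale"] = True   # assumption: either option counts
    findings = []
    if seen["nxdomain-redirect"]:
        findings.append("CVE-2023-5517: nxdomain-redirect is configured")
    if seen["dns64"] and seen["serve-stale"]:
        findings.append("CVE-2023-5679: dns64 and serve-stale are both enabled")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print(line)
```

Feeding it the output of `named-checkconf -p` covers included files as well; options left at their built-in defaults are not visible to this check.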
To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
N/A
SRPMS
- bind-dyndb-ldap-11.9-9.el9.ML.1.src.rpm
MD5: 4c159dadaf51fdfe1a34d4fc7e0d4bf2
SHA-256: db1421a650e7edb51a32dff89581b6d4b827efddefd743aa74e13c9682b743eb
Size: 361.56 kB
- bind-9.16.23-18.el9.1.src.rpm
MD5: b83f9ab943d61ad87fd204d0d10a00c4
SHA-256: 4e810bd33f555f6e46462be1f3aee55c9e037b13847dcb107addb802debf5111
Size: 5.00 MB
Asianux Server 9 for x86_64
- bind-9.16.23-18.el9.1.x86_64.rpm
MD5: ee1bdfc574cab5cf691c3e3bc342b611
SHA-256: 6153bc5087ef061ad4579af91a4497a1ca3b88e45702cb60244e40ad4eb7f3a8
Size: 488.76 kB
- bind-chroot-9.16.23-18.el9.1.x86_64.rpm
MD5: da158a9e1e39447bd1b2cd96b9c9ab2e
SHA-256: 30d8adb4654cf01534c0d8b0fae30c88ae16eac793ee365f8a19bd919592e812
Size: 16.07 kB
- bind-devel-9.16.23-18.el9.1.i686.rpm
MD5: bc5ab827f3510b80fd3e6e2206640f48
SHA-256: c04a68246b4292780e4c260ed22ce671e6e4e7979132faf7153263a00d76027f
Size: 301.37 kB
- bind-devel-9.16.23-18.el9.1.x86_64.rpm
MD5: b99878fb0534080d0b12361b416dc4ad
SHA-256: 34d3dbd1a35e224e34316879187e7183a15b45091dad494a2a15826935e1aaef
Size: 301.30 kB
- bind-dnssec-doc-9.16.23-18.el9.1.noarch.rpm
MD5: 1875da352662dc61205b018b683048bd
SHA-256: b699ee66b808ebb151b22f7e55584ca19642e4410d59b88d61d5da9c218da11d
Size: 44.67 kB
- bind-dnssec-utils-9.16.23-18.el9.1.x86_64.rpm
MD5: 82cc63778f4a14dfa5977a410e2f9fa4
SHA-256: 3686bfd87fe9e702b8acc13aa78d78dc10966cca9a31f7edbaa565d1f8067f89
Size: 113.98 kB
- bind-doc-9.16.23-18.el9.1.noarch.rpm
MD5: f34a01fa19bdaae5165e29d819067b2a
SHA-256: 1132e733386ad9de712db35c422dc16d35a68e86ecc03b1a70423d2e9acb8b5d
Size: 2.07 MB
- bind-dyndb-ldap-11.9-9.el9.ML.1.x86_64.rpm
MD5: 56878b1fef377f1a742336e7f655fa47
SHA-256: 79841664d29e8326242245f4cad6b685637de523275b9508b349f3f0c337dcda
Size: 103.66 kB
- bind-libs-9.16.23-18.el9.1.i686.rpm
MD5: 06e773d490e2182c6c2325bde281094d
SHA-256: 1b0844832d7e9b93c28b0b56f45bd35b8ac7d29a8946fdd5bc3673f76ade7053
Size: 1.33 MB
- bind-libs-9.16.23-18.el9.1.x86_64.rpm
MD5: d427167d2c61477764cb7ec9ce3e766d
SHA-256: 2957ce5662af0187736565c1d4013bcb90d09e008efca319a3eee74dc9538a50
Size: 1.24 MB
- bind-license-9.16.23-18.el9.1.noarch.rpm
MD5: 2b7d35d2f4d4645e238eca3882540fbe
SHA-256: b7861e5f7bed29076aa1f1c992e9d155a7b556adb459b43e62a35f4da1413296
Size: 12.19 kB
- bind-utils-9.16.23-18.el9.1.x86_64.rpm
MD5: 4d93a7c625ec6d54398a4665d2e2aab5
SHA-256: a78b6261a5dcb3b7eaf30f54ebfdc4e853fd0df89b13f6e96d62af8924908b1e
Size: 201.10 kB
- python3-bind-9.16.23-18.el9.1.noarch.rpm
MD5: c2569b1b23621d35eef2071fff11bd8f
SHA-256: 5d5893e638702bd635097ebd005f784e1bfcba4cbd83befe041d81c35185e071
Size: 60.21 kB