| Summary: | bind new security issues CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-3817[78] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | bind-9.11.37-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2022-09-21 17:43:41 CEST
The issues are fixed upstream in 9.18.7:
https://downloads.isc.org/isc/bind9/9.18.7/doc/arm/html/notes.html#id22

Status comment: (none) => Fixed upstream in 9.18.7

Patches for 9.16.x (which may help for 9.11.x) are here:
https://downloads.isc.org/isc/bind9/9.16.33/patches/

bind-9.18.7-1.mga9 uploaded for Cauldron.

Ubuntu has issued an advisory for this today (September 21):
https://ubuntu.com/security/notices/USN-5626-1

They have patches for 9.11.x in Ubuntu 18.04.

Whiteboard: MGA8TOO => (none)

Debian-LTS has issued an advisory for three of these issues on October 5:
https://www.debian.org/lts/security/2022/dla-3138

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. (CVE-2022-2795)

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. (CVE-2022-38177, CVE-2022-38178)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38178
https://kb.isc.org/docs/cve-2022-2795
https://kb.isc.org/docs/cve-2022-38177
https://kb.isc.org/docs/cve-2022-38178
https://ubuntu.com/security/notices/USN-5626-1
https://www.debian.org/lts/security/2022/dla-3138
========================

Updated packages in core/updates_testing:
========================
bind-9.11.37-1.1.mga8
bind-chroot-9.11.37-1.1.mga8
bind-devel-9.11.37-1.1.mga8
bind-dnssec-utils-9.11.37-1.1.mga8
bind-pkcs11-9.11.37-1.1.mga8
bind-pkcs11-devel-9.11.37-1.1.mga8
bind-pkcs11-utils-9.11.37-1.1.mga8
bind-sdb-9.11.37-1.1.mga8
bind-sdb-chroot-9.11.37-1.1.mga8
bind-utils-9.11.37-1.1.mga8
lib64bind9_161-9.11.37-1.1.mga8
lib64dns1115-9.11.37-1.1.mga8
lib64dns_pkcs11_1115-9.11.37-1.1.mga8
lib64irs161-9.11.37-1.1.mga8
lib64isc1107-9.11.37-1.1.mga8
lib64isc_pkcs11_1107-9.11.37-1.1.mga8
lib64isccc161-9.11.37-1.1.mga8
lib64isccfg163-9.11.37-1.1.mga8
lib64lwres161-9.11.37-1.1.mga8
python3-bind-9.11.37-1.1.mga8

from SRPM:
bind-9.11.37-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero

No regressions in bind noticed on two systems. Validating. Advisory committed to svn.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0388.html

Resolution: (none) => FIXED
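As an added example (not part of the bug report, the advisory, or Mageia's own tooling), the following Python script checks whether a Mageia 8 host has picked up the fixed bind packages listed in this bug. It takes `rpm` query output in the form `name epoch:version-release`, compares each installed EVR against the fixed `9.11.37-1.1.mga8` release using rpm's own segment-based version comparison rules (reimplemented here, so that e.g. `1.mga8` correctly sorts before `1.1.mga8`), and reports which packages from the advisory are still at a vulnerable version. The package names and EVRs come from the bug; the sample query output, the mix of updated and not-yet-updated packages, and the function names are constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed release from the advisory above; every package in the list shares it.
FIXED_EVR = "0:9.11.37-1.1.mga8"
FIXED_PACKAGES = {
    "bind", "bind-chroot", "bind-devel", "bind-dnssec-utils", "bind-pkcs11",
    "bind-pkcs11-devel", "bind-pkcs11-utils", "bind-sdb", "bind-sdb-chroot",
    "bind-utils", "lib64bind9_161", "lib64dns1115", "lib64dns_pkcs11_1115",
    "lib64irs161", "lib64isc1107", "lib64isc_pkcs11_1107", "lib64isccc161",
    "lib64isccfg163", "lib64lwres161", "python3-bind",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp does:
    split into numeric and alphabetic segments, compare numeric segments as
    integers and alphabetic ones lexically, let a numeric segment beat an
    alphabetic one, and sort '~' (pre-release) before everything else.
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        a_tilde = bool(sa) and sa[0] == "~"
        b_tilde = bool(sb) and sb[0] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1          # only b is a pre-release, so a is newer
            if not b_tilde:
                return -1
            sa.pop(0)
            sb.pop(0)
            continue
        if not sa:
            return -1             # b still has segments left, so b is newer
        if not sb:
            return 1
        x, y = sa.pop(0), sb.pop(0)
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def split_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' into its parts; a missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def audit(rpm_output: str, fixed_packages=FIXED_PACKAGES,
          fixed_evr=FIXED_EVR) -> Dict[str, List[str]]:
    """Classify each 'name epoch:version-release' line as fixed or vulnerable;
    packages that are not part of the advisory are ignored."""
    result: Dict[str, List[str]] = {"fixed": [], "vulnerable": []}
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        if name not in fixed_packages:
            continue
        state = "fixed" if evr_cmp(evr, fixed_evr) >= 0 else "vulnerable"
        result[state].append(f"{name}-{evr}")
    return result


# Constructed sample of what a query such as
#   rpm -qa --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}|:%{VERSION}-%{RELEASE}\n'
# might print on a partly updated host. The EVRs are the ones from this bug
# (1.mga8 = before the fix, 1.1.mga8 = fixed); which packages are at which
# version, and the unrelated last line, are made up for the example.
SAMPLE_RPM_OUTPUT = """\
bind 0:9.11.37-1.mga8
bind-utils 0:9.11.37-1.1.mga8
lib64dns1115 0:9.11.37-1.1.mga8
lib64isc1107 0:9.11.37-1.mga8
python3-bind 0:9.11.37-1.1.mga8
example-other 0:1.0-1.mga8
"""

if __name__ == "__main__":
    for state, pkgs in audit(SAMPLE_RPM_OUTPUT).items():
        for pkg in pkgs:
            print(f"{state:10s} {pkg}")
```

Comparing full EVRs rather than grepping for the string `1.1.mga8` matters because a later rebuild (say `1.2.mga8`, or a newer upstream version) is also fixed, and the release component is compared segment by segment, not as a plain string.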