Bug 32846

Summary:	bind new security issues CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-50387, CVE-2023-50868
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	davidwhodgins, jim, marja11, sysadmin-bugs, tarazed25
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	https://kb.isc.org/docs/cve-2023-4408 https://kb.isc.org/docs/cve-2023-5517 https://kb.isc.org/docs/cve-2023-5679 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#notes-for-bind-9-18-24
Whiteboard:	MGA9-64-OK
Source RPM:	bind-9.18.15-2.2.mga9.src.rpm	CVE:	CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-50387, CVE-2023-50868
Status comment:

Description Nicolas Salguero 2024-02-14 09:45:23 CET

ISC has issued advisories on February 13:
https://kb.isc.org/docs/cve-2023-4408
https://kb.isc.org/docs/cve-2023-5517
https://kb.isc.org/docs/cve-2023-5679
https://kb.isc.org/docs/cve-2023-6516
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868

The issues are fixed upstream in 9.18.24:
https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#notes-for-bind-9-18-24

Patches are here:
https://downloads.isc.org/isc/bind9/9.18.24/patches/

Mageia 9 is also affected.

Nicolas Salguero 2024-02-14 09:46:14 CET

CVE: (none) => CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868
Status comment: (none) => Patches available from upstream and fixed upstream in 9.18.24
Source RPM: (none) => bind-9.18.19-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2024-02-14 11:19:22 CET

CVE-2023-6516 only affects 9.16.x

Summary: bind new security issues CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868 => bind new security issues CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-50387, CVE-2023-50868
CVE: CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868 => CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-50387, CVE-2023-50868

Comment 2 Nicolas Salguero 2024-02-14 12:56:47 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Parsing large DNS messages may cause excessive CPU load. (CVE-2023-4408)

Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled. (CVE-2023-5517)

Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. (CVE-2023-5679)

KeyTrap - Extreme CPU consumption in DNSSEC validator. (CVE-2023-50387)

Preparing an NSEC3 closest encloser proof can exhaust CPU resources. (CVE-2023-50868)

References:
https://kb.isc.org/docs/cve-2023-4408
https://kb.isc.org/docs/cve-2023-5517
https://kb.isc.org/docs/cve-2023-5679
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#notes-for-bind-9-18-24
========================

Updated packages in core/updates_testing:
========================
bind-9.18.15-2.3.mga9
bind-chroot-9.18.15-2.3.mga9
bind-devel-9.18.15-2.3.mga9
bind-dlz-filesystem-9.18.15-2.3.mga9
bind-dlz-ldap-9.18.15-2.3.mga9
bind-dlz-mysql-9.18.15-2.3.mga9
bind-dlz-sqlite3-9.18.15-2.3.mga9
bind-dnssec-utils-9.18.15-2.3.mga9
bind-utils-9.18.15-2.3.mga9
lib(64)bind9.18.15-9.18.15-2.3.mga9

from SRPM:
bind-9.18.15-2.3.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Source RPM: bind-9.18.19-1.mga10.src.rpm => bind-9.18.15-2.2.mga9.src.rpm
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from upstream and fixed upstream in 9.18.24 => (none)

Marja Van Waes 2024-02-14 15:52:41 CET

URL: (none) => https://kb.isc.org/docs/cve-2023-4408 https://kb.isc.org/docs/cve-2023-5517 https://kb.isc.org/docs/cve-2023-5679 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#notes-for-bind-9-18-24
CC: (none) => marja11

Marja Van Waes 2024-02-14 15:55:31 CET

Keywords: (none) => advisory

katnatek 2024-02-15 03:44:12 CET

CC: (none) => jim

Comment 3 katnatek 2024-02-15 03:44:51 CET

@james Whitby, you ask for this in other bug

Comment 4 Len Lawrence 2024-02-15 17:03:19 CET

Mageia9, x86_64

Installed any core release packages which were missing.
Updated smoothly via qarepo and MageiaUpdate.
Referred to bug 30184 for simple tests.

Started the bind server and ran some user commands.
$ dig @localhost mageia.org
; <<>> DiG 9.18.15 <<>> @localhost mageia.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35199
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 42925542de94883b0100000065ce343b4a47a67ae2f9d52f (good)
;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1800	IN	A	163.172.148.228

;; Query time: 334 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Thu Feb 15 15:56:43 GMT 2024
;; MSG SIZE  rcvd: 83

$ nslookup 163.172.148.228
228.148.172.163.in-addr.arpa	name = neru.mageia.org.

$ nslookup host canopus
;; communications error to 192.168.1.64#53: connection refused
I guess that is alright.
$ nslookup 192.168.1.225
225.1.168.192.in-addr.arpa	name = spica.

$ delv @yildun -4 -c IN google.com A
;; connection refused resolving 'google.com/A/IN': 192.168.1.106#53
;; resolution failed: SERVFAIL

$ host virginmedia.com
virginmedia.com has address 34.96.124.227
virginmedia.com mail is handled by 10 mxin10.virginmedia.com.
virginmedia.com mail is handled by 5 mxin5.virginmedia.com.

$ nslookup 213.105.9.24
24.9.105.213.in-addr.arpa	name = www.virginmedia.com.
Authoritative answers can be found from:

$ nslookup 34.96.124.227
227.124.96.34.in-addr.arpa	name = 227.124.96.34.bc.googleusercontent.com.
Authoritative answers can be found from:

Not enough knowledge to tackle anything ambitious but it looks OK at this simple level.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

Comment 5 Dave Hodgins 2024-02-15 18:33:26 CET

No regressions noticed, though I don't use dnssec in my bind configuration
as it would break other non-standard things I do use bind for.

$ dig bugs.mageia.org

; <<>> DiG 9.18.15 <<>> bugs.mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27103
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9172ae9f7700769c0100000065ce49f86fa3e30bb38f5290 (good)
;; QUESTION SECTION:
;bugs.mageia.org.               IN      A

;; ANSWER SECTION:
bugs.mageia.org.        1800    IN      CNAME   sucuk.mageia.org.
sucuk.mageia.org.       1800    IN      A       212.85.158.151

;; Query time: 1150 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 12:29:28 EST 2024
;; MSG SIZE  rcvd: 108

The dig command shows the response is coming from bind running on the
same system. Validating the update.

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2024-02-15 19:37:06 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0038.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED