ISC has issued advisories today (September 21):
https://kb.isc.org/docs/cve-2022-2795
https://kb.isc.org/docs/cve-2022-2881
https://kb.isc.org/docs/cve-2022-2906
https://kb.isc.org/docs/cve-2022-3080
https://kb.isc.org/docs/cve-2022-38177
https://kb.isc.org/docs/cve-2022-38178

CVE-2022-2795, CVE-2022-38177, and CVE-2022-38178 also affect Mageia 8.
The issues are fixed upstream in 9.18.7: https://downloads.isc.org/isc/bind9/9.18.7/doc/arm/html/notes.html#id22
Status comment: (none) => Fixed upstream in 9.18.7
Whiteboard: (none) => MGA8TOO
Patches for 9.16.x (which may help for 9.11.x) are here: https://downloads.isc.org/isc/bind9/9.16.33/patches/
bind-9.18.7-1.mga9 uploaded for Cauldron.

Ubuntu has issued an advisory for this today (September 21):
https://ubuntu.com/security/notices/USN-5626-1

They have patches for 9.11.x in Ubuntu 18.04.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: bind-9.18.6-1.mga9.src.rpm => bind-9.11.37-1.mga8.src.rpm
Debian-LTS has issued an advisory for three of these issues on October 5: https://www.debian.org/lts/security/2022/dla-3138
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. (CVE-2022-2795)

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. (CVE-2022-38177, CVE-2022-38178)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38178
https://kb.isc.org/docs/cve-2022-2795
https://kb.isc.org/docs/cve-2022-38177
https://kb.isc.org/docs/cve-2022-38178
https://ubuntu.com/security/notices/USN-5626-1
https://www.debian.org/lts/security/2022/dla-3138
========================

Updated packages in core/updates_testing:
========================
bind-9.11.37-1.1.mga8
bind-chroot-9.11.37-1.1.mga8
bind-devel-9.11.37-1.1.mga8
bind-dnssec-utils-9.11.37-1.1.mga8
bind-pkcs11-9.11.37-1.1.mga8
bind-pkcs11-devel-9.11.37-1.1.mga8
bind-pkcs11-utils-9.11.37-1.1.mga8
bind-sdb-9.11.37-1.1.mga8
bind-sdb-chroot-9.11.37-1.1.mga8
bind-utils-9.11.37-1.1.mga8
lib64bind9_161-9.11.37-1.1.mga8
lib64dns1115-9.11.37-1.1.mga8
lib64dns_pkcs11_1115-9.11.37-1.1.mga8
lib64irs161-9.11.37-1.1.mga8
lib64isc1107-9.11.37-1.1.mga8
lib64isc_pkcs11_1107-9.11.37-1.1.mga8
lib64isccc161-9.11.37-1.1.mga8
lib64isccfg163-9.11.37-1.1.mga8
lib64lwres161-9.11.37-1.1.mga8
python3-bind-9.11.37-1.1.mga8

from SRPM:
bind-9.11.37-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 9.18.7 => (none)
Status: NEW => ASSIGNED
Assignee: guillomovitch => qa-bugs
No regressions in bind noticed on two systems. Validating. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0388.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED