ISC has issued advisories on February 13: https://kb.isc.org/docs/cve-2023-4408 https://kb.isc.org/docs/cve-2023-5517 https://kb.isc.org/docs/cve-2023-5679 https://kb.isc.org/docs/cve-2023-6516 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 The issues are fixed upstream in 9.18.24: https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#notes-for-bind-9-18-24 Patches are here: https://downloads.isc.org/isc/bind9/9.18.24/patches/ Mageia 9 is also affected.
CVE: (none) => CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868Status comment: (none) => Patches available from upstream and fixed upstream in 9.18.24Source RPM: (none) => bind-9.18.19-1.mga10.src.rpmWhiteboard: (none) => MGA9TOO
CVE-2023-6516 only affects 9.16.x
Summary: bind new security issues CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868 => bind new security issues CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-50387, CVE-2023-50868CVE: CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868 => CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-50387, CVE-2023-50868
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Parsing large DNS messages may cause excessive CPU load. (CVE-2023-4408) Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled. (CVE-2023-5517) Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. (CVE-2023-5679) KeyTrap - Extreme CPU consumption in DNSSEC validator. (CVE-2023-50387) Preparing an NSEC3 closest encloser proof can exhaust CPU resources. (CVE-2023-50868) References: https://kb.isc.org/docs/cve-2023-4408 https://kb.isc.org/docs/cve-2023-5517 https://kb.isc.org/docs/cve-2023-5679 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#notes-for-bind-9-18-24 ======================== Updated packages in core/updates_testing: ======================== bind-9.18.15-2.3.mga9 bind-chroot-9.18.15-2.3.mga9 bind-devel-9.18.15-2.3.mga9 bind-dlz-filesystem-9.18.15-2.3.mga9 bind-dlz-ldap-9.18.15-2.3.mga9 bind-dlz-mysql-9.18.15-2.3.mga9 bind-dlz-sqlite3-9.18.15-2.3.mga9 bind-dnssec-utils-9.18.15-2.3.mga9 bind-utils-9.18.15-2.3.mga9 lib(64)bind9.18.15-9.18.15-2.3.mga9 from SRPM: bind-9.18.15-2.3.mga9.src.rpm
Whiteboard: MGA9TOO => (none)Source RPM: bind-9.18.19-1.mga10.src.rpm => bind-9.18.15-2.2.mga9.src.rpmVersion: Cauldron => 9Assignee: bugsquad => qa-bugsStatus: NEW => ASSIGNEDStatus comment: Patches available from upstream and fixed upstream in 9.18.24 => (none)
URL: (none) => https://kb.isc.org/docs/cve-2023-4408 https://kb.isc.org/docs/cve-2023-5517 https://kb.isc.org/docs/cve-2023-5679 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#notes-for-bind-9-18-24CC: (none) => marja11
Keywords: (none) => advisory
CC: (none) => jim
@james Whitby, you ask for this in other bug
Mageia9, x86_64 Installed any core release packages which were missing. Updated smoothly via qarepo and MageiaUpdate. Referred to bug 30184 for simple tests. Started the bind server and ran some user commands. $ dig @localhost mageia.org ; <<>> DiG 9.18.15 <<>> @localhost mageia.org ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35199 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 42925542de94883b0100000065ce343b4a47a67ae2f9d52f (good) ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 163.172.148.228 ;; Query time: 334 msec ;; SERVER: 127.0.0.1#53(localhost) (UDP) ;; WHEN: Thu Feb 15 15:56:43 GMT 2024 ;; MSG SIZE rcvd: 83 $ nslookup 163.172.148.228 228.148.172.163.in-addr.arpa name = neru.mageia.org. $ nslookup host canopus ;; communications error to 192.168.1.64#53: connection refused I guess that is alright. $ nslookup 192.168.1.225 225.1.168.192.in-addr.arpa name = spica. $ delv @yildun -4 -c IN google.com A ;; connection refused resolving 'google.com/A/IN': 192.168.1.106#53 ;; resolution failed: SERVFAIL $ host virginmedia.com virginmedia.com has address 34.96.124.227 virginmedia.com mail is handled by 10 mxin10.virginmedia.com. virginmedia.com mail is handled by 5 mxin5.virginmedia.com. $ nslookup 213.105.9.24 24.9.105.213.in-addr.arpa name = www.virginmedia.com. Authoritative answers can be found from: $ nslookup 34.96.124.227 227.124.96.34.in-addr.arpa name = 227.124.96.34.bc.googleusercontent.com. Authoritative answers can be found from: Not enough knowledge to tackle anything ambitious but it looks OK at this simple level.
CC: (none) => tarazed25Whiteboard: (none) => MGA9-64-OK
No regressions noticed, though I don't use dnssec in my bind configuration as it would break other non-standard things I do use bind for. $ dig bugs.mageia.org ; <<>> DiG 9.18.15 <<>> bugs.mageia.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27103 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 9172ae9f7700769c0100000065ce49f86fa3e30bb38f5290 (good) ;; QUESTION SECTION: ;bugs.mageia.org. IN A ;; ANSWER SECTION: bugs.mageia.org. 1800 IN CNAME sucuk.mageia.org. sucuk.mageia.org. 1800 IN A 212.85.158.151 ;; Query time: 1150 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Thu Feb 15 12:29:28 EST 2024 ;; MSG SIZE rcvd: 108 The dig command shows the response is coming from bind running on the same system. Validating the update.
CC: (none) => davidwhodgins, sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0038.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED