Those CVEs were announced here: https://www.openwall.com/lists/oss-security/2025/01/29/1
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 9.18.33, 9.20.5 and 9.21.4
Source RPM: (none) => bind-9.18.30-1.mga10.src.rpm, bind-9.18.28-1.mga9.src.rpm
CVE: (none) => CVE-2024-11187, CVE-2024-12705
Assigning globally; different packagers involved.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Many records in the additional section cause CPU exhaustion. (CVE-2024-11187)

DNS-over-HTTPS implementation suffers from multiple issues under heavy query load. (CVE-2024-12705)

References:
https://www.openwall.com/lists/oss-security/2025/01/29/1
========================

Updated packages in core/updates_testing:
========================
bind-9.18.33-1.mga9
bind-chroot-9.18.33-1.mga9
bind-devel-9.18.33-1.mga9
bind-dnssec-utils-9.18.33-1.mga9
bind-utils-9.18.33-1.mga9
lib(64)bind9.18.33-9.18.33-1.mga9

from SRPM:
bind-9.18.33-1.mga9.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: bind-9.18.30-1.mga10.src.rpm, bind-9.18.28-1.mga9.src.rpm => bind-9.18.28-1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 9.18.33, 9.20.5 and 9.21.4 => (none)
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Opened firewall for DNS.

$ nslookup mach2
Server: 192.168.2.1
Address: 192.168.2.1#53

Name: mach2.hviaene.thuis
Address: 192.168.2.2

[tester9@mach3 ~]$ dig mach2

; <<>> DiG 9.18.33 <<>> mach2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9734
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7b65b9b29f5dfaf001000000679defd3d3347e414f81db10 (good)
;; QUESTION SECTION:
;mach2. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025020100 1800 900 604800 86400

;; Query time: 20 msec
;; SERVER: 192.168.2.1#53(192.168.2.1) (UDP)
;; WHEN: Sat Feb 01 10:56:35 CET 2025
;; MSG SIZE rcvd: 137

and

# systemctl start named-chroot
# systemctl -l status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; preset: disabled)
Active: active (running) since Sat 2025-02-01 11:10:29 CET; 11s ago
Process: 61426 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF">
Process: 61432 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 61433 (named)
Tasks: 6 (limit: 8806)
Memory: 6.4M
CPU: 218ms
CGroup: /system.slice/named-chroot.service
└─61433 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: checkhints: b.root-servers.net/A (170.247.170.2) missing from hints
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
Feb 01 11:10:29 mach3.hviaene.thuis named[61433]: checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

There are two things bothering me, but they are no regressions.
What are these "network unreachable" lines? I don't recognize any of these addresses.
When I launch named-chroot, I would expect the config from /var/named/chroot/etc, not from /etc. That is one of the reasons I struggle with setting up a DNS server.
Not testing that now for lack of time.
CC: (none) => herman.viaene
After some desperate searching, got a proper DNS server running, that resolves an nslookup request properly. That is: running named. Running named-chroot is beyond me. So, if nobody jumps in to do more or better testing, give it a go.
No further reaction, so go.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => fri, sysadmin-bugs
You beat me to it, Morgan. :)
CC: (none) => andrewsfarm
:-)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0036.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
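
A patch-level check against the fixed releases named in this report (9.18.33, 9.20.5, 9.21.4), as an added example that is not part of the original thread or of the Mageia tooling. The function names are hypothetical, and it assumes that any release below the fix on its own branch needs the update; the report does not list affected version ranges.

```shell
#!/bin/sh
# Added example: patch-level check against the fixed releases named in this report.

# Fixed release per upstream branch (from the report's status comment).
fixed_for_branch() {
    case "$1" in
        9.18) echo 9.18.33 ;;
        9.20) echo 9.20.5 ;;
        9.21) echo 9.21.4 ;;
        *) return 1 ;;
    esac
}

# Pull the first x.y.z version out of a package name or tool banner.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: succeeds when A is numerically older than B.
version_lt() {
    _old_ifs=$IFS; IFS=.
    set -- $1 $2            # $1..$3 = A's fields, $4..$6 = B's fields
    IFS=$_old_ifs
    [ "$1" -lt "$4" ] && return 0; [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0; [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Assumption: any release below the fix on its own branch needs the update.
check_bind() {
    _ver=$(extract_version "$1")
    [ -n "$_ver" ] || { echo "unknown"; return 0; }
    if ! _fixed=$(fixed_for_branch "${_ver%.*}"); then
        echo "unknown-branch $_ver"
    elif version_lt "$_ver" "$_fixed"; then
        echo "needs-update $_ver (fixed in $_fixed)"
    else
        echo "fixed $_ver"
    fi
}

# Strings copied from this report: the old SRPM and the dig banner after updating.
for s in 'bind-9.18.28-1.mga9.src.rpm' '; <<>> DiG 9.18.33 <<>> mach2'; do
    check_bind "$s"
done
```

A branch not named in the report is reported as `unknown-branch` rather than guessed at.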