Headline
RHSA-2023:2261: Red Hat Security Advisory: bind security and bug fix update
An update for bind is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver’s performance, effectively denying legitimate clients access to the DNS resolution service.
- CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large amounts of memory. This issue may cause named to exit due to a lack of free memory, resulting in a denial of service (DoS).
- CVE-2022-3736: A flaw was found in Bind, where a resolver crash is possible. When stale cache and stale answers are enabled, the option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query.
- CVE-2022-3924: A flaw was found in Bind. When resolver receives many queries requiring recursion, there will be a corresponding increase in the number of clients waiting for recursion to complete. This may, under certain conditions, lead to an assertion failure and a denial of service.
Synopsis
Moderate: bind security and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for bind is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix(es):
- bind: processing large delegations may severely degrade resolver performance (CVE-2022-2795)
- bind: flooding with UPDATE requests may lead to DoS (CVE-2022-3094)
- bind: sending specific queries to the resolver may cause a DoS (CVE-2022-3736)
- bind: sending specific queries to the resolver may cause a DoS (CVE-2022-3924)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, the BIND daemon (named) will be restarted automatically.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Fixes
- BZ - 2126912 - named-pkcs11 crashing into dns-pkcs11 library red-black tree [bind rhel-9.2.0]
- BZ - 2128584 - CVE-2022-2795 bind: processing large delegations may severely degrade resolver performance
- BZ - 2129466 - bind-chroot-9.16.23-1.el9.x86_64 fails to create mount point /var/named/chroot/usr/lib64/named in chroot
- BZ - 2162795 - bind-dyndb-ldap fail to build with current bind 9.16.23 [rhel9]
- BZ - 2164032 - CVE-2022-3094 bind: flooding with UPDATE requests may lead to DoS
- BZ - 2164038 - CVE-2022-3736 bind: sending specific queries to the resolver may cause a DoS
- BZ - 2164039 - CVE-2022-3924 bind: sending specific queries to the resolver may cause a DoS
CVEs
- CVE-2022-2795
- CVE-2022-3094
- CVE-2022-3736
- CVE-2022-3924
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
bind-9.16.23-11.el9.src.rpm
SHA-256: 418d528c7cd8efa7a6319eae21de86c5b175fb27fc1a30d49b2bb39d9939cf94
x86_64
bind-9.16.23-11.el9.x86_64.rpm
SHA-256: 8e76c79e50e1e261fa7c2d99a292091a63354feb7a6348088ecaf6c9c6846655
bind-chroot-9.16.23-11.el9.x86_64.rpm
SHA-256: 3eaab1d239c97c9bc7c38a479659c85da0b84184b60c3fb8887ff5a2879993a7
bind-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: f54cea0203fbf6385314c9f4cbcc89b49bf597181e21e34280c3f6a27d0ad40c
bind-debugsource-9.16.23-11.el9.x86_64.rpm
SHA-256: c8f6523d43eedee14a290d617bf12d727037b19ca906a7ea51b6e574cb4718e8
bind-dnssec-doc-9.16.23-11.el9.noarch.rpm
SHA-256: f06feeadbfb3b951827e26806599bc502ce43e1e7504657d704e40263e134b50
bind-dnssec-utils-9.16.23-11.el9.x86_64.rpm
SHA-256: f62b43d0b9c744250b3d0d16df86427efd48970b939cf1af093dcaf43bcb70f6
bind-dnssec-utils-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: 2f4494c26d129d4824a8e796bcaa3ea3cc11217161f31afa812820517d9c269a
bind-libs-9.16.23-11.el9.x86_64.rpm
SHA-256: 8841636be9acb9cab26fc9c6e9be02db7ad9a2e3a82b85bb178a7aa4975b190c
bind-libs-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: 79f5b7cdf366b00f0b532f0d8b5bd4b1d1c12a84fe6d5d424aaa61dfde336b24
bind-license-9.16.23-11.el9.noarch.rpm
SHA-256: 4c1d4ebc5c0e50e7474ddd542abcc672f7077ac56af905c7467f9967f25350ae
bind-utils-9.16.23-11.el9.x86_64.rpm
SHA-256: be53692911e33fccfce82a09c35e65f64108e65eb0d375b2592e0c58a8ce6129
bind-utils-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: 885892354f8ad8d6ca988a55ad809b1fd6156df3f7fabdd603fb33b84aea210b
python3-bind-9.16.23-11.el9.noarch.rpm
SHA-256: 20d3574de82e1974c542a154f2859c197beb6ed11df4aaa839a3ef4c557f6b60
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
bind-9.16.23-11.el9.src.rpm
SHA-256: 418d528c7cd8efa7a6319eae21de86c5b175fb27fc1a30d49b2bb39d9939cf94
s390x
bind-9.16.23-11.el9.s390x.rpm
SHA-256: 5bd4f5184a4c709efcf4d442fd2dfa8e205916899b4a454efc1376acf233b1c4
bind-chroot-9.16.23-11.el9.s390x.rpm
SHA-256: 5f68c2539c4ef31876e165d3e402c15f3e125adf9c04e35b70f5a04eeb1ca7a8
bind-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 5530723c7fceb7634c218d0029cd0e1ce322b25ba29a256171382d474ae91754
bind-debugsource-9.16.23-11.el9.s390x.rpm
SHA-256: f0edf85893709303569663c70fe0e76300b9aa0e4a360f6a793c2bfa1768795f
bind-dnssec-doc-9.16.23-11.el9.noarch.rpm
SHA-256: f06feeadbfb3b951827e26806599bc502ce43e1e7504657d704e40263e134b50
bind-dnssec-utils-9.16.23-11.el9.s390x.rpm
SHA-256: 0f29859103095b58cfa1d85c8165af88208b7b71cf0a00a86691d316329fe700
bind-dnssec-utils-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 4e1619892539c8534e4b348af1173b2d11a49547834288d5dffada82098c8718
bind-libs-9.16.23-11.el9.s390x.rpm
SHA-256: c172776ea6ef524ca92a7480b134761dd9cfd4441dd7ae7c36b8075fc3c73221
bind-libs-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 212b645be4753b0dd1b302a2e2433ce65d83380d768bf3dc86f87535b74446e8
bind-license-9.16.23-11.el9.noarch.rpm
SHA-256: 4c1d4ebc5c0e50e7474ddd542abcc672f7077ac56af905c7467f9967f25350ae
bind-utils-9.16.23-11.el9.s390x.rpm
SHA-256: 408c83bd41a4b4e67486b878a1445f741fcd08c8e8ef71641e51d09595c8911a
bind-utils-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 7f7ddaa50f6d8094dc99f983a63dd6e4f3da3fdbdfa3e9c6ded561e6d7b095f3
python3-bind-9.16.23-11.el9.noarch.rpm
SHA-256: 20d3574de82e1974c542a154f2859c197beb6ed11df4aaa839a3ef4c557f6b60
Red Hat Enterprise Linux for Power, little endian 9
SRPM
bind-9.16.23-11.el9.src.rpm
SHA-256: 418d528c7cd8efa7a6319eae21de86c5b175fb27fc1a30d49b2bb39d9939cf94
ppc64le
bind-9.16.23-11.el9.ppc64le.rpm
SHA-256: 1cb0b14f82dc5974cdd6df616e23ec99bc04f814721eb4ba8090511ef45d2026
bind-chroot-9.16.23-11.el9.ppc64le.rpm
SHA-256: 7f26b8801be077326918ac9bcbb2f5a0225f0a63d1c782347d1fe350a85deff9
bind-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: 997319916165fee2a9ba9c425c01ea03bcb2fd30159b7df2d71980c6cbeb264a
bind-debugsource-9.16.23-11.el9.ppc64le.rpm
SHA-256: 038aa9ee65c6bc600b493a2cdd9d4cd9148db05f84ef796085368d9b9b901d95
bind-dnssec-doc-9.16.23-11.el9.noarch.rpm
SHA-256: f06feeadbfb3b951827e26806599bc502ce43e1e7504657d704e40263e134b50
bind-dnssec-utils-9.16.23-11.el9.ppc64le.rpm
SHA-256: b8ae59880108195e8a774f33ad780d6501cfc395da29ab1450412bfd3aa38bc0
bind-dnssec-utils-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: d582e97eaaae15654b06abf54a20d90906a4bdd4424cca553e0c982f8a12d5fe
bind-libs-9.16.23-11.el9.ppc64le.rpm
SHA-256: acbd10ad3d5384d8f85207c610b97591061678199a360994b0cb5b329efb5cd8
bind-libs-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: e805b4dc3615f6e9050eb0d143f8463389937f53ec4f9985daa7d5d3f8d6bfa2
bind-license-9.16.23-11.el9.noarch.rpm
SHA-256: 4c1d4ebc5c0e50e7474ddd542abcc672f7077ac56af905c7467f9967f25350ae
bind-utils-9.16.23-11.el9.ppc64le.rpm
SHA-256: 252a22dd71809374d233b569d0d674db86012b4ea421747e84b101396bfe1f18
bind-utils-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: c7391f5ce551f318e4de3a70e3e46bc428d57224b142e8778a125e62c2c55591
python3-bind-9.16.23-11.el9.noarch.rpm
SHA-256: 20d3574de82e1974c542a154f2859c197beb6ed11df4aaa839a3ef4c557f6b60
Red Hat Enterprise Linux for ARM 64 9
SRPM
bind-9.16.23-11.el9.src.rpm
SHA-256: 418d528c7cd8efa7a6319eae21de86c5b175fb27fc1a30d49b2bb39d9939cf94
aarch64
bind-9.16.23-11.el9.aarch64.rpm
SHA-256: 96425f33a6e3c7ce27b4dd97e587bb26e29f46ce2f0fde8b3aa60a8978a45998
bind-chroot-9.16.23-11.el9.aarch64.rpm
SHA-256: 4aa4f93f3fda8e25699e62928156f84d2356a0fe0afe979cf20c68bf5769a2d2
bind-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: afb937f7628135b33ad9c093391b6803658446e5535ab7f9ca64f05e1ddecffa
bind-debugsource-9.16.23-11.el9.aarch64.rpm
SHA-256: 1649a78c1f55c4c57eec1c1c2be068d94f6d9ca7b07c61ce95631f83205f32fb
bind-dnssec-doc-9.16.23-11.el9.noarch.rpm
SHA-256: f06feeadbfb3b951827e26806599bc502ce43e1e7504657d704e40263e134b50
bind-dnssec-utils-9.16.23-11.el9.aarch64.rpm
SHA-256: f0dda1cf6370b186a80f216beb29311995497796ff8f464916c61d4f6c43aff0
bind-dnssec-utils-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: a09a0c1a85918bc5b794e8d61b4104137e2fd4f692ac5f81c5ae2656e8aad369
bind-libs-9.16.23-11.el9.aarch64.rpm
SHA-256: 7a6739544b983057233355fe758469e300090c919b4d3cc50591db3c23b27a7e
bind-libs-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: f3c1d1f545ac2c673c78deee3c0c3141e61fcfe800dadb114d403606de4628f9
bind-license-9.16.23-11.el9.noarch.rpm
SHA-256: 4c1d4ebc5c0e50e7474ddd542abcc672f7077ac56af905c7467f9967f25350ae
bind-utils-9.16.23-11.el9.aarch64.rpm
SHA-256: 659e762f5c47947ebd7a62cfc7812f4a0e8202d454570515bc00adcff17fa91f
bind-utils-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: cb5a95a2d76b896f2e0709fb34958053dfadca31ff7e6878e19e0c973355fb56
python3-bind-9.16.23-11.el9.noarch.rpm
SHA-256: 20d3574de82e1974c542a154f2859c197beb6ed11df4aaa839a3ef4c557f6b60
Red Hat CodeReady Linux Builder for x86_64 9
SRPM
x86_64
bind-debuginfo-9.16.23-11.el9.i686.rpm
SHA-256: 639236cf3c4960e1aba4911cb19221b5b152d12ef04725b645fda6bcd0b66665
bind-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: f54cea0203fbf6385314c9f4cbcc89b49bf597181e21e34280c3f6a27d0ad40c
bind-debugsource-9.16.23-11.el9.i686.rpm
SHA-256: 5b83505d1b1c2dac733e8b71a30388d43ab3e2f11668be49296f99b5579aca73
bind-debugsource-9.16.23-11.el9.x86_64.rpm
SHA-256: c8f6523d43eedee14a290d617bf12d727037b19ca906a7ea51b6e574cb4718e8
bind-devel-9.16.23-11.el9.i686.rpm
SHA-256: 3756834fddc5b53abea7c93303b066590f07db03a999a7e1569f532ef2c48377
bind-devel-9.16.23-11.el9.x86_64.rpm
SHA-256: e2a882933e871fbea492b650bd3943dd7f487ff54e472521ef2b02668322183e
bind-dnssec-utils-debuginfo-9.16.23-11.el9.i686.rpm
SHA-256: 049263a9b17d6d45f124df2dd5b546be52ffe1775c62ff24199d5e9ea70710cd
bind-dnssec-utils-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: 2f4494c26d129d4824a8e796bcaa3ea3cc11217161f31afa812820517d9c269a
bind-doc-9.16.23-11.el9.noarch.rpm
SHA-256: 58dd6b55d6affbd0a052dbd19aef37fcc45aeac1bdb6bfe300163bd3f81004f5
bind-libs-9.16.23-11.el9.i686.rpm
SHA-256: 01bf1bdecdb54a3a44e64ab09dac3655f25ac30f3b2450b07c85366c6e985281
bind-libs-debuginfo-9.16.23-11.el9.i686.rpm
SHA-256: 04ed9bc0c0f2ca52af03bdea758c130e4d243b8cae3189ab6794777d7f648d69
bind-libs-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: 79f5b7cdf366b00f0b532f0d8b5bd4b1d1c12a84fe6d5d424aaa61dfde336b24
bind-utils-debuginfo-9.16.23-11.el9.i686.rpm
SHA-256: 8e29b2e01074a8bd3dfb8224921abbde5fbf2b6c278b5f60ecb760be8dbd15af
bind-utils-debuginfo-9.16.23-11.el9.x86_64.rpm
SHA-256: 885892354f8ad8d6ca988a55ad809b1fd6156df3f7fabdd603fb33b84aea210b
Red Hat CodeReady Linux Builder for Power, little endian 9
SRPM
ppc64le
bind-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: 997319916165fee2a9ba9c425c01ea03bcb2fd30159b7df2d71980c6cbeb264a
bind-debugsource-9.16.23-11.el9.ppc64le.rpm
SHA-256: 038aa9ee65c6bc600b493a2cdd9d4cd9148db05f84ef796085368d9b9b901d95
bind-devel-9.16.23-11.el9.ppc64le.rpm
SHA-256: ba1582c801d3698daf2d30fcfca7f4eff828b35a8281a6e34e354f6a95a4a8dd
bind-dnssec-utils-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: d582e97eaaae15654b06abf54a20d90906a4bdd4424cca553e0c982f8a12d5fe
bind-doc-9.16.23-11.el9.noarch.rpm
SHA-256: 58dd6b55d6affbd0a052dbd19aef37fcc45aeac1bdb6bfe300163bd3f81004f5
bind-libs-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: e805b4dc3615f6e9050eb0d143f8463389937f53ec4f9985daa7d5d3f8d6bfa2
bind-utils-debuginfo-9.16.23-11.el9.ppc64le.rpm
SHA-256: c7391f5ce551f318e4de3a70e3e46bc428d57224b142e8778a125e62c2c55591
Red Hat CodeReady Linux Builder for ARM 64 9
SRPM
aarch64
bind-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: afb937f7628135b33ad9c093391b6803658446e5535ab7f9ca64f05e1ddecffa
bind-debugsource-9.16.23-11.el9.aarch64.rpm
SHA-256: 1649a78c1f55c4c57eec1c1c2be068d94f6d9ca7b07c61ce95631f83205f32fb
bind-devel-9.16.23-11.el9.aarch64.rpm
SHA-256: 7a56b8d215b8c4b8cde4725dc27704b823781edda83f828e56cbb43521c0fc26
bind-dnssec-utils-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: a09a0c1a85918bc5b794e8d61b4104137e2fd4f692ac5f81c5ae2656e8aad369
bind-doc-9.16.23-11.el9.noarch.rpm
SHA-256: 58dd6b55d6affbd0a052dbd19aef37fcc45aeac1bdb6bfe300163bd3f81004f5
bind-libs-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: f3c1d1f545ac2c673c78deee3c0c3141e61fcfe800dadb114d403606de4628f9
bind-utils-debuginfo-9.16.23-11.el9.aarch64.rpm
SHA-256: cb5a95a2d76b896f2e0709fb34958053dfadca31ff7e6878e19e0c973355fb56
Red Hat CodeReady Linux Builder for IBM z Systems 9
SRPM
s390x
bind-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 5530723c7fceb7634c218d0029cd0e1ce322b25ba29a256171382d474ae91754
bind-debugsource-9.16.23-11.el9.s390x.rpm
SHA-256: f0edf85893709303569663c70fe0e76300b9aa0e4a360f6a793c2bfa1768795f
bind-devel-9.16.23-11.el9.s390x.rpm
SHA-256: 4343093e889c93e938b081fdd1237eaece6d22d204fc80ca6bab06450f85c135
bind-dnssec-utils-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 4e1619892539c8534e4b348af1173b2d11a49547834288d5dffada82098c8718
bind-doc-9.16.23-11.el9.noarch.rpm
SHA-256: 58dd6b55d6affbd0a052dbd19aef37fcc45aeac1bdb6bfe300163bd3f81004f5
bind-libs-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 212b645be4753b0dd1b302a2e2433ce65d83380d768bf3dc86f87535b74446e8
bind-utils-debuginfo-9.16.23-11.el9.s390x.rpm
SHA-256: 7f7ddaa50f6d8094dc99f983a63dd6e4f3da3fdbdfa3e9c6ded561e6d7b095f3
Related news
Red Hat Security Advisory 2023-7177-01 - An update for bind is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.9 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...
Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.4 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties.
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for the injection of unexpected HMTL if executed with untrusted inpu...
Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions...
Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host o...
Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2023-2792-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Issues addressed include a denial of service vulnerability.
An update for bind is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
An update for bind9.16 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large am...
The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. "A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity
The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. "A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity
The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. "A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity
Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.
Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.
Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.
This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of int...
BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
Ubuntu Security Notice 5827-1 - Rob Schulhof discovered that Bind incorrectly handled a large number of UPDATE messages. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. Borja Marcos discovered that Bind incorrectly handled certain RRSIG queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10.
Ubuntu Security Notice 5827-1 - Rob Schulhof discovered that Bind incorrectly handled a large number of UPDATE messages. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. Borja Marcos discovered that Bind incorrectly handled certain RRSIG queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10.
Ubuntu Security Notice 5827-1 - Rob Schulhof discovered that Bind incorrectly handled a large number of UPDATE messages. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. Borja Marcos discovered that Bind incorrectly handled certain RRSIG queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10.
Red Hat Security Advisory 2023-0402-01 - An update for bind is now available for Red Hat Enterprise Linux 7.
An update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-25220: bind: DNS forwarders - cache poisoning vulnerability * CVE-2022-2795: bind: processing large delegations may severely degrade resolver performance
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Ubuntu Security Notice 5626-2 - USN-5626-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service.
Ubuntu Security Notice 5626-1 - Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service. It was discovered that Bind incorrectly handled statistics requests. A remote attacker could possibly use this issue to obtain sensitive memory contents, or cause a denial of service. This issue only affected Ubuntu 22.04 LTS.
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.