DSA-5235-1

Source
https://storage.googleapis.com/debian-osv/dsa-osv/DSA-5235-1.json
Aliases
Published
2022-09-22T00:00:00Z
Modified
2022-09-22T21:18:52.075656Z
Details

Several vulnerabilities were discovered in BIND, a DNS server implementation.

  • CVE-2022-2795 Yehuda Afek, Anat Bremler-Barr and Shani Stajnrod discovered that a flaw in the resolver code can cause named to spend excessive amounts of time on processing large delegations, significantly degrade resolver performance and result in denial of service.
  • CVE-2022-3080 Maksym Odinintsev discovered that the resolver can crash when stale cache and stale answers are enabled with a zero stale-answer-timeout. A remote attacker can take advantage of this flaw to cause a denial of service (daemon crash) via specially crafted queries to the resolver.
  • CVE-2022-38177 It was discovered that the DNSSEC verification code for the ECDSA algorithm is susceptible to a memory leak flaw. A remote attacker can take advantage of this flaw to cause BIND to consume resources, resulting in a denial of service.
  • CVE-2022-38178 It was discovered that the DNSSEC verification code for the EdDSA algorithm is susceptible to a memory leak flaw. A remote attacker can take advantage of this flaw to cause BIND to consume resources, resulting in a denial of service.

For the stable distribution (bullseye), these problems have been fixed in version 1:9.16.33-1~deb11u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9

References

Affected packages

Debian:11 / bind9

bind9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
1:9.16.33-1~deb11u1

Affected versions

1:9.*

1:9.16.15-1
1:9.16.21-1
1:9.16.21-1+hurd.1
1:9.16.22-1~deb11u1
1:9.16.22-1~deb11u1~bpo10+1
1:9.16.27-1~deb11u1
1:9.16.27-1~deb11u1~bpo10+1