Debian Bind9 vulnerabilities

CVE-2023-50387 [HIGH] CVE-2023-50387: bind9 - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and r... Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must eval

CVE-2023-5517 [HIGH] CVE-2023-5517: bind9 - A flaw in query-handling code can cause `named` to exit prematurely with an asse... A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.

CVE-2023-2911 [HIGH] CVE-2023-2911: bind9 - If the `recursive-clients` quota is reached on a BIND 9 resolver configured with... If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 thro

CVE-2023-3341 [HIGH] CVE-2023-3341: bind9 - The code that processes control channel messages sent to `named` calls certain f... The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control c

CVE-2023-50868 [HIGH] CVE-2023-50868: bind9 - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276... The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash

CVE-2023-2828 [HIGH] CVE-2023-2828: bind9 - Every `named` instance configured to run as a recursive resolver maintains a cac... Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. Whe

CVE-2023-6516 [HIGH] CVE-2023-6516: bind9 - To keep its cache database efficient, `named` running as a recursive resolver oc... To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continu

CVE-2023-2829 [HIGH] CVE-2023-2829: bind9 - A `named` instance configured to run as a DNSSEC-validating recursive resolver w... A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1. Scope: local bookworm: res

CVE-2023-5680 [MEDIUM] CVE-2023-5680: bind9 - If a resolver cache has a very large number of ECS records stored for the same n... If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. Scope: local bookworm: resolved bullseye: resolve

CVE-2022-3094 [HIGH] CVE-2022-3094: bind9 - Sending a flood of dynamic DNS updates may cause `named` to allocate large amoun... Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client who

CVE-2022-1183 [HIGH] CVE-2022-1183: bind9 - On vulnerable configurations, the named daemon may, in some circumstances, termi... On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. Affects BIND 9.18.0 ->

CVE-2022-3736 [HIGH] CVE-2022-3736: bind9 - BIND 9 resolver can crash when stale cache and stale answers are enabled, option... BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1. Scope: local bookworm: resolved (fixed in 1:9.1

CVE-2022-0635 [HIGH] CVE-2022-0635: bind9 - Versions affected: BIND 9.18.0 When a vulnerable version of named receives a ser... Versions affected: BIND 9.18.0 When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check. Scope: local bookworm: resolved (fixed in 1:9.18.1-1) bullseye: resolved forky: resolved (fixed in 1:9.18.1-1) sid: resolved (fixed in 1:9.18.1-1) trixie: resolved (fixed in 1:9.18.1-1)

CVE-2022-3080 [HIGH] CVE-2022-3080: bind9 - By sending specific queries to the resolver, an attacker can cause named to cras... By sending specific queries to the resolver, an attacker can cause named to crash. Scope: local bookworm: resolved (fixed in 1:9.18.7-1) bullseye: resolved (fixed in 1:9.16.33-1~deb11u1) forky: resolved (fixed in 1:9.18.7-1) sid: resolved (fixed in 1:9.18.7-1) trixie: resolved (fixed in 1:9.18.7-1)

CVE-2022-2906 [HIGH] CVE-2022-2906: bind9 - An attacker can leverage this flaw to gradually erode available memory to the po... An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service. Scope: local bookworm: resolved (fixed in 1:9.18.7-1) bullseye: resolved forky: resolved (fixed in 1:9.18.7-1) sid: resolved (fixed in

CVE-2022-38178 [HIGH] CVE-2022-38178: bind9 - By spoofing the target resolver with responses that have a malformed EdDSA signa... By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. Scope: local bookworm: resolved (fixed in 1:9.18.7-1) bullseye: resolved (fixed in 1:9.16.33-1~deb11u1) forky: resolved (fixed in 1:

CVE-2022-38177 [HIGH] CVE-2022-38177: bind9 - By spoofing the target resolver with responses that have a malformed ECDSA signa... By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. Scope: local bookworm: resolved (fixed in 1:9.17.20-1) bullseye: resolved (fixed in 1:9.16.33-1~deb11u1) forky: resolved (fixed in 1

CVE-2022-0667 [HIGH] CVE-2022-0667: bind9 - When the vulnerability is triggered the BIND process will exit. BIND 9.18.0 When the vulnerability is triggered the BIND process will exit. BIND 9.18.0 Scope: local bookworm: resolved (fixed in 1:9.18.1-1) bullseye: resolved forky: resolved (fixed in 1:9.18.1-1) sid: resolved (fixed in 1:9.18.1-1) trixie: resolved (fixed in 1:9.18.1-1)

CVE-2022-3924 [HIGH] CVE-2022-3924: bind9 - This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also... This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient

CVE-2022-0396 [MEDIUM] CVE-2022-0396: bind9 - BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 ... BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection. Scope: local bookworm: resolved (fixed in 1:9.18.1-1) bullseye: resolv