Lucene search

K
debianDebianDEBIAN:DLA-3138-1:2F5A9
HistoryOct 05, 2022 - 3:21 p.m.

[SECURITY] [DLA 3138-1] bind9 security update

2022-10-0515:21:42
lists.debian.org
30
debian lts
bind9
cve-2022-2795
cve-2022-38177
cve-2022-38178
dns server
denial of service
dnssec verification
security update

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

8.2

Confidence

High

EPSS

0.005

Percentile

75.2%


Debian LTS Advisory DLA-3138-1 [email protected]
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
October 05, 2022 https://wiki.debian.org/LTS


Package : bind9
Version : 1:9.11.5.P4+dfsg-5.1+deb10u8
CVE ID : CVE-2022-2795 CVE-2022-38177 CVE-2022-38178

Several vulnerabilities were discovered in BIND, a DNS server
implementation.

CVE-2022-2795

Yehuda Afek, Anat Bremler-Barr and Shani Stajnrod discovered that a
flaw in the resolver code can cause named to spend excessive amounts
of time on processing large delegations, significantly degrade
resolver performance and result in denial of service.

CVE-2022-38177

It was discovered that the DNSSEC verification code for the ECDSA
algorithm is susceptible to a memory leak flaw. A remote attacker
can take advantage of this flaw to cause BIND to consume resources,
resulting in a denial of service.

CVE-2022-38178

It was discovered that the DNSSEC verification code for the EdDSA
algorithm is susceptible to a memory leak flaw. A remote attacker
can take advantage of this flaw to cause BIND to consume resources,
resulting in a denial of service.

For Debian 10 buster, these problems have been fixed in version
1:9.11.5.P4+dfsg-5.1+deb10u8.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

8.2

Confidence

High

EPSS

0.005

Percentile

75.2%