CVE-2022-2795 (https://kb.isc.org/docs/cve-2022-2795):
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.

CVE-2022-2881 (https://kb.isc.org/docs/cve-2022-2881):
The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.

CVE-2022-2906 (https://kb.isc.org/docs/cve-2022-2906):
An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

CVE-2022-3080 (https://kb.isc.org/docs/cve-2022-3080):
By sending specific queries to the resolver, an attacker can cause named to crash.

CVE-2022-38177 (https://kb.isc.org/docs/cve-2022-38177):
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CVE-2022-38178 (https://kb.isc.org/docs/cve-2022-38178):
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Please bump to 9.16.33.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db4b4a079e23dcbed3ff3ce9a400636bbb0f6ba

commit 3db4b4a079e23dcbed3ff3ce9a400636bbb0f6ba
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-23 05:40:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-23 05:40:46 +0000

    net-dns/bind-tools: add 9.16.33

    Bug: https://bugs.gentoo.org/872206
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind-tools/Manifest                  |   1 +
 net-dns/bind-tools/bind-tools-9.16.33.ebuild | 157 +++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aa557c48ed05bf648c2b6bf2d3699527eff4f34

commit 9aa557c48ed05bf648c2b6bf2d3699527eff4f34
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-23 05:40:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-23 05:40:36 +0000

    net-dns/bind: add 9.16.33

    Bug: https://bugs.gentoo.org/872206
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/Manifest            |   1 +
 net-dns/bind/bind-9.16.33.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Please clean up.
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bdc575dae63f16d44b926f18271d15d3173fc5f

commit 8bdc575dae63f16d44b926f18271d15d3173fc5f
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-31 01:19:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:20:11 +0000

    net-dns/bind: security cleanup

    Bug: https://bugs.gentoo.org/820563
    Bug: https://bugs.gentoo.org/835439
    Bug: https://bugs.gentoo.org/872206
    Acked-by: Patrick McLean <chutzpah@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-dns/bind/Manifest                              |   5 -
 net-dns/bind/bind-9.16.27-r1.ebuild                | 375 --------------------
 net-dns/bind/bind-9.16.29-r1.ebuild                | 376 --------------------
 net-dns/bind/bind-9.16.29.ebuild                   | 375 --------------------
 net-dns/bind/bind-9.16.30.ebuild                   | 381 --------------------
 net-dns/bind/bind-9.16.31.ebuild                   | 382 ---------------------
 net-dns/bind/bind-9.16.32.ebuild                   | 382 ---------------------
 .../bind/files/bind-9.16.29-fortify-source-3.patch |  35 --
 8 files changed, 2311 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3ff54f9ebabdb1f657769518402d72abd34fbdcb

commit 3ff54f9ebabdb1f657769518402d72abd34fbdcb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:18:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-25 ] ISC BIND: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/820563
    Bug: https://bugs.gentoo.org/835439
    Bug: https://bugs.gentoo.org/872206
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-25.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
GLSA released, all done!