Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 891329 (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924)

Summary: <net-dns/bind-9.16.37: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: chutzpah, hydrapolic
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.isc.org/pipermail/bind-announce/2023-January/001228.html
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 894486    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-18 18:35:52 UTC 
"As part of our policy of pre-notification of upcoming security releases,
we are writing to inform you that the January 2023 BIND 9 maintenance
releases that will be published on Wednesday, 25 January will contain
patches for security vulnerabilities affecting stable BIND 9 release
branches."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 17:48:31 UTC 
"On 25 January 2023 we (Internet Systems Consortium) disclosed three vulnerabilities affecting our BIND 9 software:

- CVE-2022-3094:        An UPDATE message flood may cause named to exhaust all available memory https://kb.isc.org/docs/cve-2022-3094
- CVE-2022-3736:        named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries https://kb.isc.org/docs/cve-2022-3736
- CVE-2022-3924:        named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota https://kb.isc.org/docs/cve-2022-3924"

Fixes in 9.16.37. Please bump.
Comment 2 Larry the Git Cow gentoo-dev 2023-01-28 08:09:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09f39d25aef1b24fc65a59f6d8386d9291fe6421

commit 09f39d25aef1b24fc65a59f6d8386d9291fe6421
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-28 07:58:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-28 08:08:33 +0000

    net-dns/bind-tools: add 9.16.37
    
    Bug: https://bugs.gentoo.org/891329
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind-tools/Manifest                  |   1 +
 net-dns/bind-tools/bind-tools-9.16.37.ebuild | 157 +++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c3337706084b9c42a6387ce771a259357f9ec5e

commit 4c3337706084b9c42a6387ce771a259357f9ec5e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-28 07:53:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-28 08:08:32 +0000

    net-dns/bind: add 9.16.37
    
    Bug: https://bugs.gentoo.org/891329
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/Manifest            |   1 +
 net-dns/bind/bind-9.16.37.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 04:00:55 UTC 
Please cleanup