Bug 872206 (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178) - <net-dns/bind-9.16.33 <net-dns/bind-tools-9.16.33: multiple vulnerabilities
Summary: <net-dns/bind-9.16.33 <net-dns/bind-tools-9.16.33: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 872449
Blocks:
Reported: 2022-09-21 14:45 UTC by John Helmert III
Modified: 2022-10-31 02:23 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 14:45:04 UTC
CVE-2022-2795 (https://kb.isc.org/docs/cve-2022-2795):

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.

CVE-2022-2881 (https://kb.isc.org/docs/cve-2022-2881):

The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.

CVE-2022-2906 (https://kb.isc.org/docs/cve-2022-2906):

An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

CVE-2022-3080 (https://kb.isc.org/docs/cve-2022-3080):

By sending specific queries to the resolver, an attacker can cause named to crash.

CVE-2022-38177 (https://kb.isc.org/docs/cve-2022-38177):

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CVE-2022-38178 (https://kb.isc.org/docs/cve-2022-38178):

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Please bump to 9.16.33.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-23 05:41:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db4b4a079e23dcbed3ff3ce9a400636bbb0f6ba

commit 3db4b4a079e23dcbed3ff3ce9a400636bbb0f6ba
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-23 05:40:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-23 05:40:46 +0000

    net-dns/bind-tools: add 9.16.33
    
    Bug: https://bugs.gentoo.org/872206
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind-tools/Manifest                  |   1 +
 net-dns/bind-tools/bind-tools-9.16.33.ebuild | 157 +++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aa557c48ed05bf648c2b6bf2d3699527eff4f34

commit 9aa557c48ed05bf648c2b6bf2d3699527eff4f34
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-23 05:40:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-23 05:40:36 +0000

    net-dns/bind: add 9.16.33
    
    Bug: https://bugs.gentoo.org/872206
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/Manifest            |   1 +
 net-dns/bind/bind-9.16.33.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 22:46:36 UTC
Please cleanup
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 01:33:35 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-10-31 01:21:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bdc575dae63f16d44b926f18271d15d3173fc5f

commit 8bdc575dae63f16d44b926f18271d15d3173fc5f
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-31 01:19:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:20:11 +0000

    net-dns/bind: security cleanup
    
    Bug: https://bugs.gentoo.org/820563
    Bug: https://bugs.gentoo.org/835439
    Bug: https://bugs.gentoo.org/872206
    Acked-by: Patrick McLean <chutzpah@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-dns/bind/Manifest                              |   5 -
 net-dns/bind/bind-9.16.27-r1.ebuild                | 375 --------------------
 net-dns/bind/bind-9.16.29-r1.ebuild                | 376 --------------------
 net-dns/bind/bind-9.16.29.ebuild                   | 375 --------------------
 net-dns/bind/bind-9.16.30.ebuild                   | 381 --------------------
 net-dns/bind/bind-9.16.31.ebuild                   | 382 ---------------------
 net-dns/bind/bind-9.16.32.ebuild                   | 382 ---------------------
 .../bind/files/bind-9.16.29-fortify-source-3.patch |  35 --
 8 files changed, 2311 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-10-31 01:41:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3ff54f9ebabdb1f657769518402d72abd34fbdcb

commit 3ff54f9ebabdb1f657769518402d72abd34fbdcb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:18:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-25 ] ISC BIND: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/820563
    Bug: https://bugs.gentoo.org/835439
    Bug: https://bugs.gentoo.org/872206
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-25.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:23:56 UTC
GLSA released, all done!