Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

bind9: CVE-2023-4236

Related Vulnerabilities: CVE-2023-4236   cve-2023-4236   CVE-2023-3341  

Source

Debian Bug report logs - #1052417
bind9: CVE-2023-4236

version graph

Package: src:bind9; Maintainer for src:bind9 is Debian DNS Team <team+dns@tracker.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Sep 2023 17:27:06 UTC

Severity: grave

Tags: security, upstream

Found in versions bind9/1:9.18.16-1, bind9/1:9.18.16-1~deb12u1

Fixed in version bind9/1:9.19.17-1

Done: Ondřej Surý <ondrej@debian.org>

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#1052417; Package src:bind9. (Thu, 21 Sep 2023 17:27:08 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>. (Thu, 21 Sep 2023 17:27:08 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: CVE-2023-4236
Date: Thu, 21 Sep 2023 19:23:53 +0200
Source: bind9
Version: 1:9.18.16-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:9.18.16-1~deb12u1

Hi,

The following vulnerability was published for bind9.

CVE-2023-4236[0]:
| A flaw in the networking code handling DNS-over-TLS queries may
| cause `named` to terminate unexpectedly due to an assertion failure.
| This happens when internal data structures are incorrectly reused
| under significant DNS-over-TLS query load. This issue affects BIND 9
| versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4236
    https://www.cve.org/CVERecord?id=CVE-2023-4236
[1] https://kb.isc.org/docs/cve-2023-4236

Regards,
Salvtore

Marked as found in versions bind9/1:9.18.16-1~deb12u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 21 Sep 2023 17:27:08 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#1052417; Package src:bind9. (Thu, 21 Sep 2023 17:39:07 GMT) (full text, mbox, link).

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Team <team+dns@tracker.debian.org>. (Thu, 21 Sep 2023 17:39:07 GMT) (full text, mbox, link).

Message #12 received at 1052417@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1052417@bugs.debian.org
Subject: Re: Bug#1052417: bind9: CVE-2023-4236
Date: Thu, 21 Sep 2023 19:37:45 +0200
Thanks for the nudge.  I must be tired or something as I totally forgot about updating
the versions in upstream Debian. I'm working on it right now.

Ondrej
--
Ondřej Surý (He/Him)
ondrej@sury.org

> On 21. 9. 2023, at 19:23, Salvatore Bonaccorso <carnil@debian.org> wrote:
> 
> Source: bind9
> Version: 1:9.18.16-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 1:9.18.16-1~deb12u1
> 
> Hi,
> 
> The following vulnerability was published for bind9.
> 
> CVE-2023-4236[0]:
> | A flaw in the networking code handling DNS-over-TLS queries may
> | cause `named` to terminate unexpectedly due to an assertion failure.
> | This happens when internal data structures are incorrectly reused
> | under significant DNS-over-TLS query load. This issue affects BIND 9
> | versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-4236
>    https://www.cve.org/CVERecord?id=CVE-2023-4236
> [1] https://kb.isc.org/docs/cve-2023-4236
> 
> Regards,
> Salvtore
>

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Thu, 21 Sep 2023 18:21:10 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 21 Sep 2023 18:21:10 GMT) (full text, mbox, link).

Message #17 received at 1052417-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1052417-close@bugs.debian.org
Subject: Bug#1052417: fixed in bind9 1:9.19.17-1
Date: Thu, 21 Sep 2023 18:19:33 +0000
Source: bind9
Source-Version: 1:9.19.17-1
Done: Ondřej Surý <ondrej@debian.org>

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1052417@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 Sep 2023 18:13:07 +0200
Source: bind9
Architecture: source
Version: 1:9.19.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 1052416 1052417
Changes:
 bind9 (1:9.19.17-1) unstable; urgency=medium
 .
   * New upstream version 9.19.17
    - CVE-2023-3341: A stack exhaustion flaw in control channel code may
      cause named to terminate unexpectedly (Closes: #1052416)
    - CVE-2023-4236: named may terminate unexpectedly under high
      DNS-over-TLS query load (Closes: #1052417)
Checksums-Sha1:
 9420e1389ac7a41fb993681aabdffe081c7493ec 3294 bind9_9.19.17-1.dsc
 c867148749eef06b0501462203d91bf0b64175ff 5644580 bind9_9.19.17.orig.tar.xz
 d2a7c9dbe011f401daf192cc379e4afa3c22683d 833 bind9_9.19.17.orig.tar.xz.asc
 1fe69f2ad652ad3510b551f0f67c58b6a173bad3 58768 bind9_9.19.17-1.debian.tar.xz
 22799d90575d3e91dd7bf1a7f61b90020d03b02f 15417 bind9_9.19.17-1_amd64.buildinfo
Checksums-Sha256:
 3eebd753ba99f960386bb89b713f5fade678262ee97d934acebb0cbbd7b3d68f 3294 bind9_9.19.17-1.dsc
 d86460943ababf8fb91cb20c2807efb30c2014ba6d8b5c690ad889e328655363 5644580 bind9_9.19.17.orig.tar.xz
 a4a5db0fd558f4dfe9fdedd5bef851010fa5e446def5e0d14976869683982d0f 833 bind9_9.19.17.orig.tar.xz.asc
 3ea74154c695d78992f941ff0069d56a0530ba9b429b5b1afcfa00fc53e76e2c 58768 bind9_9.19.17-1.debian.tar.xz
 e492e18ca459ade8d85fbf1ed0e3a611db35e02545f22a2d27720598f5509b65 15417 bind9_9.19.17-1_amd64.buildinfo
Files:
 c7a3671b65a2eaccab327a5dc96cb795 3294 net optional bind9_9.19.17-1.dsc
 534c24d4bc2de30adc62ef7612cd3dde 5644580 net optional bind9_9.19.17.orig.tar.xz
 b739c3c0258ba15f226915481c0e36dd 833 net optional bind9_9.19.17.orig.tar.xz.asc
 548011800fa7daf557cc91d3963d79a8 58768 net optional bind9_9.19.17-1.debian.tar.xz
 98329a37818157b9a8c661987818b59d 15417 net optional bind9_9.19.17-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmUMhmVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
WcJPHA/+OVeA8xdC9t/jKRa0bvkGDcweEK+3nuLbYAij/lIUaZfrzrHdLZXzzaot
l9GuIFW33ANPvlxL0QG93X9ymgs80r/ukO/BZNnPGRah6AhhtCo7MR7OEphtW2qd
fa9pROcf96gMax48s6TgmDiymE+6s5WGuLciB5dWmmar+2QAfonA0Wf5tYJF+DO9
Juaqq/FJoOrC3v0AmVI6Un8oCvwz1q5jwZj57CqIgfZu+r0knTu6O4yquBNhE6aG
vDsHdmm8TOFl/pz4ywBr62t2bf32M3Wgipb3OWMBoq50wu4CXOOg3HwgYsQ3SCN3
+nI83HeCa4kljWBDy3QnkAJMSptiZ0pd76dKez7U1fWoAZEj5OqecV/kESxYJlwM
T3c2pzAVXo7LTdHaTdVF+975qjBgQ+poTTLCOjA0U02XekPKOYZDNVIJpbpXLhXf
wphLlm//ssXihC0E3iOe0S6bEJ5Xj2NM3qt83Sa7GxU+QEYnaDf4XSksi1Wl3tgM
S1xOrMo1egMA5a4Qy9peMmS534djnVgpJmUCeDwUgaQoGeNTRqXAiel+FPQmXc0H
qudaQDbLLbo/xCuMLwwOicPXoZDeECMhyqa9JOndaLzgN/WVTxNMh4Vf/X0wYvLw
JJZgKEqrm6aFZ1KA0tzcyNcJFoQakJnVt3et0+Ygq2c2wmiE6r0=
=a3WO
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 22 17:53:01 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started