Debian Bug report logs -
#1052416
bind9: CVE-2023-3341
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 21 Sep 2023 17:27:02 UTC
Severity: grave
Tags: security, upstream
Found in versions bind9/1:9.18.16-1~deb12u1, bind9/1:9.16.37-1~deb11u1, bind9/1:9.18.16-1, bind9/1:9.16.42-1~deb11u1
Fixed in version bind9/1:9.19.17-1
Done: Ondřej Surý <ondrej@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#1052416; Package src:bind9.
(Thu, 21 Sep 2023 17:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>.
(Thu, 21 Sep 2023 17:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: bind9
Version: 1:9.18.16-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:9.18.16-1~deb12u1
Control: found -1 1:9.16.42-1~deb11u1
Control: found -1 1:9.16.37-1~deb11u1
Hi,
The following vulnerability was published for bind9.
CVE-2023-3341[0]:
| The code that processes control channel messages sent to `named`
| calls certain functions recursively during packet parsing. Recursion
| depth is only limited by the maximum accepted packet size; depending
| on the environment, this may cause the packet-parsing code to run
| out of available stack memory, causing `named` to terminate
| unexpectedly. Since each incoming control channel message is fully
| parsed before its contents are authenticated, exploiting this flaw
| does not require the attacker to hold a valid RNDC key; only network
| access to the control channel's configured TCP port is necessary.
| This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0
| through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through
| 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-3341
https://www.cve.org/CVERecord?id=CVE-2023-3341
[1] https://kb.isc.org/docs/cve-2023-3341
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions bind9/1:9.18.16-1~deb12u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 21 Sep 2023 17:27:04 GMT) (full text, mbox, link).
Marked as found in versions bind9/1:9.16.42-1~deb11u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 21 Sep 2023 17:27:05 GMT) (full text, mbox, link).
Marked as found in versions bind9/1:9.16.37-1~deb11u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 21 Sep 2023 17:27:05 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.
(Thu, 21 Sep 2023 18:21:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 21 Sep 2023 18:21:08 GMT) (full text, mbox, link).
Message #16 received at 1052416-close@bugs.debian.org (full text, mbox, reply):
Source: bind9
Source-Version: 1:9.19.17-1
Done: Ondřej Surý <ondrej@debian.org>
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1052416@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 20 Sep 2023 18:13:07 +0200
Source: bind9
Architecture: source
Version: 1:9.19.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 1052416 1052417
Changes:
bind9 (1:9.19.17-1) unstable; urgency=medium
.
* New upstream version 9.19.17
- CVE-2023-3341: A stack exhaustion flaw in control channel code may
cause named to terminate unexpectedly (Closes: #1052416)
- CVE-2023-4236: named may terminate unexpectedly under high
DNS-over-TLS query load (Closes: #1052417)
Checksums-Sha1:
9420e1389ac7a41fb993681aabdffe081c7493ec 3294 bind9_9.19.17-1.dsc
c867148749eef06b0501462203d91bf0b64175ff 5644580 bind9_9.19.17.orig.tar.xz
d2a7c9dbe011f401daf192cc379e4afa3c22683d 833 bind9_9.19.17.orig.tar.xz.asc
1fe69f2ad652ad3510b551f0f67c58b6a173bad3 58768 bind9_9.19.17-1.debian.tar.xz
22799d90575d3e91dd7bf1a7f61b90020d03b02f 15417 bind9_9.19.17-1_amd64.buildinfo
Checksums-Sha256:
3eebd753ba99f960386bb89b713f5fade678262ee97d934acebb0cbbd7b3d68f 3294 bind9_9.19.17-1.dsc
d86460943ababf8fb91cb20c2807efb30c2014ba6d8b5c690ad889e328655363 5644580 bind9_9.19.17.orig.tar.xz
a4a5db0fd558f4dfe9fdedd5bef851010fa5e446def5e0d14976869683982d0f 833 bind9_9.19.17.orig.tar.xz.asc
3ea74154c695d78992f941ff0069d56a0530ba9b429b5b1afcfa00fc53e76e2c 58768 bind9_9.19.17-1.debian.tar.xz
e492e18ca459ade8d85fbf1ed0e3a611db35e02545f22a2d27720598f5509b65 15417 bind9_9.19.17-1_amd64.buildinfo
Files:
c7a3671b65a2eaccab327a5dc96cb795 3294 net optional bind9_9.19.17-1.dsc
534c24d4bc2de30adc62ef7612cd3dde 5644580 net optional bind9_9.19.17.orig.tar.xz
b739c3c0258ba15f226915481c0e36dd 833 net optional bind9_9.19.17.orig.tar.xz.asc
548011800fa7daf557cc91d3963d79a8 58768 net optional bind9_9.19.17-1.debian.tar.xz
98329a37818157b9a8c661987818b59d 15417 net optional bind9_9.19.17-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmUMhmVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
WcJPHA/+OVeA8xdC9t/jKRa0bvkGDcweEK+3nuLbYAij/lIUaZfrzrHdLZXzzaot
l9GuIFW33ANPvlxL0QG93X9ymgs80r/ukO/BZNnPGRah6AhhtCo7MR7OEphtW2qd
fa9pROcf96gMax48s6TgmDiymE+6s5WGuLciB5dWmmar+2QAfonA0Wf5tYJF+DO9
Juaqq/FJoOrC3v0AmVI6Un8oCvwz1q5jwZj57CqIgfZu+r0knTu6O4yquBNhE6aG
vDsHdmm8TOFl/pz4ywBr62t2bf32M3Wgipb3OWMBoq50wu4CXOOg3HwgYsQ3SCN3
+nI83HeCa4kljWBDy3QnkAJMSptiZ0pd76dKez7U1fWoAZEj5OqecV/kESxYJlwM
T3c2pzAVXo7LTdHaTdVF+975qjBgQ+poTTLCOjA0U02XekPKOYZDNVIJpbpXLhXf
wphLlm//ssXihC0E3iOe0S6bEJ5Xj2NM3qt83Sa7GxU+QEYnaDf4XSksi1Wl3tgM
S1xOrMo1egMA5a4Qy9peMmS534djnVgpJmUCeDwUgaQoGeNTRqXAiel+FPQmXc0H
qudaQDbLLbo/xCuMLwwOicPXoZDeECMhyqa9JOndaLzgN/WVTxNMh4Vf/X0wYvLw
JJZgKEqrm6aFZ1KA0tzcyNcJFoQakJnVt3et0+Ygq2c2wmiE6r0=
=a3WO
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Sep 22 17:52:57 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon