[SECURITY-L] [oss-security] ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)

CSIRT Unicamp security at unicamp.br
Thu Sep 22 08:47:25 -03 2022


On 21 September 2022 we (Internet Systems Consortium) disclosed six
vulnerabilities affecting our BIND 9 software:

- CVE-2022-2795: Processing large delegations may severely degrade resolver performance
  https://kb.isc.org/docs/cve-2022-2795
- CVE-2022-2881: Buffer overread in statistics channel code
  https://kb.isc.org/docs/cve-2022-2881
- CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)
  https://kb.isc.org/docs/cve-2022-2906
- CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
  https://kb.isc.org/docs/cve-2022-3080
- CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
  https://kb.isc.org/docs/cve-2022-38177
- CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code
  https://kb.isc.org/docs/cve-2022-38178

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively
can find individual vulnerability-specific patches in the "patches"
subdirectory of the release directories for our stable release branches
(9.16 and 9.18):

- https://downloads.isc.org/isc/bind9/9.16.33/patches/
- https://downloads.isc.org/isc/bind9/9.18.7/patches/

With the public announcement of these vulnerabilities, the embargo period
is ended and any updated software packages that have been prepared may be
released.

--
Best regards,
Michał Kępień
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830