ALT-BU-2024-3280-1
Branch c10f1 update bulletin.
Closed vulnerabilities
BDU:2023-06913
Уязвимость компонента InnoDB системы управления базами данных MySQL Server, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-22084
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
- https://lists.debian.org/debian-lts-announce/2024/01/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/01/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR7GNQAJZ7NMHT4HRDNROR3DS272KKET/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR7GNQAJZ7NMHT4HRDNROR3DS272KKET/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UCGSAQFWYIJRIYLZLHPS3MRUS4AQ5JQH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UCGSAQFWYIJRIYLZLHPS3MRUS4AQ5JQH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZL2AT2ZUKB6K22UTISHEZ4JKG4VZ3VO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZL2AT2ZUKB6K22UTISHEZ4JKG4VZ3VO/
- https://security.netapp.com/advisory/ntap-20231027-0009/
- https://security.netapp.com/advisory/ntap-20231027-0009/
- Oracle Advisory
- Oracle Advisory
Closed vulnerabilities
Modified: 2024-11-21
CVE-2024-22667
Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.
- https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt
- https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt
- https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
- https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
- FEDORA-2024-12513b5cee
- FEDORA-2024-12513b5cee
- FEDORA-2024-1c85d5b179
- FEDORA-2024-1c85d5b179
- https://security.netapp.com/advisory/ntap-20240223-0008/
- https://security.netapp.com/advisory/ntap-20240223-0008/
Closed bugs
incorrect output with -i flag
Closed vulnerabilities
BDU:2023-02265
Уязвимость DNS-сервера Dnsmasq. связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-01359
Уязвимость компонента DNSSEC реализации протокола DNS сервера DNS BIND, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-28450
An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.
- https://capec.mitre.org/data/definitions/495.html
- FEDORA-2023-eeca11a4df
- FEDORA-2023-828bf01834
- https://thekelleys.org.uk/dnsmasq/doc.html
- https://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=blob%3Bf=CHANGELOG
- https://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
- https://capec.mitre.org/data/definitions/495.html
- https://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
- https://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=blob%3Bf=CHANGELOG
- https://thekelleys.org.uk/dnsmasq/doc.html
- FEDORA-2023-828bf01834
- FEDORA-2023-eeca11a4df
Modified: 2024-11-21
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- https://access.redhat.com/security/cve/CVE-2023-50387
- https://access.redhat.com/security/cve/CVE-2023-50387
- https://bugzilla.suse.com/show_bug.cgi?id=1219823
- https://bugzilla.suse.com/show_bug.cgi?id=1219823
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
- https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
- https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
- https://kb.isc.org/docs/cve-2023-50387
- https://kb.isc.org/docs/cve-2023-50387
- [debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
- [debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
- [debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update
- [debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update
- FEDORA-2024-c967c7d287
- FEDORA-2024-c967c7d287
- FEDORA-2024-e24211eff0
- FEDORA-2024-e24211eff0
- FEDORA-2024-c36c448396
- FEDORA-2024-c36c448396
- FEDORA-2024-e00eceb11c
- FEDORA-2024-e00eceb11c
- FEDORA-2024-21310568fa
- FEDORA-2024-21310568fa
- FEDORA-2024-499b9be35f
- FEDORA-2024-499b9be35f
- FEDORA-2024-2e26eccfcb
- FEDORA-2024-2e26eccfcb
- FEDORA-2024-b0f9656a76
- FEDORA-2024-b0f9656a76
- FEDORA-2024-4e36df9dfd
- FEDORA-2024-4e36df9dfd
- FEDORA-2024-fae88b73eb
- FEDORA-2024-fae88b73eb
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
- https://news.ycombinator.com/item?id=39367411
- https://news.ycombinator.com/item?id=39367411
- https://news.ycombinator.com/item?id=39372384
- https://news.ycombinator.com/item?id=39372384
- https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
- https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
- https://security.netapp.com/advisory/ntap-20240307-0007/
- https://security.netapp.com/advisory/ntap-20240307-0007/
- https://www.athene-center.de/aktuelles/key-trap
- https://www.athene-center.de/aktuelles/key-trap
- https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
- https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
- https://www.isc.org/blogs/2024-bind-security-release/
- https://www.isc.org/blogs/2024-bind-security-release/
- https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
- https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
- https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
- https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/