ALT-PU-2024-6993-1
Closed vulnerabilities
BDU:2024-01359
Уязвимость компонента DNSSEC реализации протокола DNS сервера DNS BIND, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-01462
Уязвимость компонента DNSSEC реализации протокола DNS сервера DNS BIND, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-01923
Уязвимость DNS-сервера Unbound, связанная с выполнением цикла с недоступным условием выхода, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- https://access.redhat.com/security/cve/CVE-2023-50387
- https://access.redhat.com/security/cve/CVE-2023-50387
- https://bugzilla.suse.com/show_bug.cgi?id=1219823
- https://bugzilla.suse.com/show_bug.cgi?id=1219823
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
- https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
- https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
- https://kb.isc.org/docs/cve-2023-50387
- https://kb.isc.org/docs/cve-2023-50387
- [debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
- [debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
- [debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update
- [debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update
- FEDORA-2024-c967c7d287
- FEDORA-2024-c967c7d287
- FEDORA-2024-e24211eff0
- FEDORA-2024-e24211eff0
- FEDORA-2024-c36c448396
- FEDORA-2024-c36c448396
- FEDORA-2024-e00eceb11c
- FEDORA-2024-e00eceb11c
- FEDORA-2024-21310568fa
- FEDORA-2024-21310568fa
- FEDORA-2024-499b9be35f
- FEDORA-2024-499b9be35f
- FEDORA-2024-2e26eccfcb
- FEDORA-2024-2e26eccfcb
- FEDORA-2024-b0f9656a76
- FEDORA-2024-b0f9656a76
- FEDORA-2024-4e36df9dfd
- FEDORA-2024-4e36df9dfd
- FEDORA-2024-fae88b73eb
- FEDORA-2024-fae88b73eb
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
- https://news.ycombinator.com/item?id=39367411
- https://news.ycombinator.com/item?id=39367411
- https://news.ycombinator.com/item?id=39372384
- https://news.ycombinator.com/item?id=39372384
- https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
- https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
- https://security.netapp.com/advisory/ntap-20240307-0007/
- https://security.netapp.com/advisory/ntap-20240307-0007/
- https://www.athene-center.de/aktuelles/key-trap
- https://www.athene-center.de/aktuelles/key-trap
- https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
- https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
- https://www.isc.org/blogs/2024-bind-security-release/
- https://www.isc.org/blogs/2024-bind-security-release/
- https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
- https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
- https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
- https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
Modified: 2024-11-21
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- [oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
- https://access.redhat.com/security/cve/CVE-2023-50868
- https://access.redhat.com/security/cve/CVE-2023-50868
- https://bugzilla.suse.com/show_bug.cgi?id=1219826
- https://bugzilla.suse.com/show_bug.cgi?id=1219826
- https://datatracker.ietf.org/doc/html/rfc5155
- https://datatracker.ietf.org/doc/html/rfc5155
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
- https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
- https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
- https://kb.isc.org/docs/cve-2023-50868
- https://kb.isc.org/docs/cve-2023-50868
- [debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
- [debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update
- [debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update
- [debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update
- FEDORA-2024-c967c7d287
- FEDORA-2024-c967c7d287
- FEDORA-2024-e24211eff0
- FEDORA-2024-e24211eff0
- FEDORA-2024-c36c448396
- FEDORA-2024-c36c448396
- FEDORA-2024-e00eceb11c
- FEDORA-2024-e00eceb11c
- FEDORA-2024-21310568fa
- FEDORA-2024-21310568fa
- FEDORA-2024-499b9be35f
- FEDORA-2024-499b9be35f
- FEDORA-2024-2e26eccfcb
- FEDORA-2024-2e26eccfcb
- FEDORA-2024-b0f9656a76
- FEDORA-2024-b0f9656a76
- FEDORA-2024-4e36df9dfd
- FEDORA-2024-4e36df9dfd
- FEDORA-2024-fae88b73eb
- FEDORA-2024-fae88b73eb
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
- https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
- https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
- https://security.netapp.com/advisory/ntap-20240307-0008/
- https://security.netapp.com/advisory/ntap-20240307-0008/
- https://www.isc.org/blogs/2024-bind-security-release/
- https://www.isc.org/blogs/2024-bind-security-release/
Modified: 2024-12-17
CVE-2024-1931
NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VCBRQ7KMSIGBQ6A4SBL5PF326DIJIIV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VCBRQ7KMSIGBQ6A4SBL5PF326DIJIIV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B2JUIFPA7H75Q2W3VXW2TUNHK6NVGOX4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B2JUIFPA7H75Q2W3VXW2TUNHK6NVGOX4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBR4H7RCVMJ6H76S4LLRSY5EBFTYWGXK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBR4H7RCVMJ6H76S4LLRSY5EBFTYWGXK/
- https://lists.freebsd.org/archives/freebsd-security/2024-July/000283.html
- https://lists.freebsd.org/archives/freebsd-security/2024-July/000283.html
- https://security.netapp.com/advisory/ntap-20240705-0006/
- https://security.netapp.com/advisory/ntap-20240705-0006/
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt
Closed bugs
Просьба обновить до версии 1.19.1.