Updated bind packages fix security vulnerability
Publication date: 23 Oct 2022Modification date: 23 Oct 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-2795 , CVE-2022-38177 , CVE-2022-38178
Description
By flooding the target resolver with queries exploiting this flaw an
attacker can significantly impair the resolver's performance,
effectively denying legitimate clients access to the DNS resolution
service. (CVE-2022-2795)
By spoofing the target resolver with responses that have a malformed ECDSA
signature, an attacker can trigger a small memory leak. It is possible to
gradually erode available memory to the point where named crashes for lack
of resources. (CVE-2022-38177, CVE-2022-38178)
References
- https://bugs.mageia.org/show_bug.cgi?id=30877
- https://kb.isc.org/docs/cve-2022-2795
- https://kb.isc.org/docs/cve-2022-38177
- https://kb.isc.org/docs/cve-2022-38178
- https://ubuntu.com/security/notices/USN-5626-1
- https://www.debian.org/lts/security/2022/dla-3138
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38177
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38178
SRPMS
8/core
- bind-9.11.37-1.1.mga8