An update for bind is now available for openEuler-20.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1982 Final 1.0 1.0 2022-10-14 Initial 2022-10-14 2022-10-14 openEuler SA Tool V1.0 2022-10-14 bind security update An update for bind is now available for openEuler-20.03-LTS-SP3. BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. Security Fix(es): By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38177) By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38178) By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.(CVE-2022-2795) The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.(CVE-2022-2881) An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.(CVE-2022-2906) An update for bind is now available for openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High bind https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1982 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38177 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38178 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2795 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2881 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2906 https://nvd.nist.gov/vuln/detail/CVE-2022-38177 https://nvd.nist.gov/vuln/detail/CVE-2022-38178 https://nvd.nist.gov/vuln/detail/CVE-2022-2795 https://nvd.nist.gov/vuln/detail/CVE-2022-2881 https://nvd.nist.gov/vuln/detail/CVE-2022-2906 openEuler-20.03-LTS-SP3 bind-utils-9.11.21-14.oe1.aarch64.rpm bind-libs-9.11.21-14.oe1.aarch64.rpm bind-debuginfo-9.11.21-14.oe1.aarch64.rpm bind-pkcs11-9.11.21-14.oe1.aarch64.rpm bind-export-libs-9.11.21-14.oe1.aarch64.rpm bind-pkcs11-devel-9.11.21-14.oe1.aarch64.rpm bind-9.11.21-14.oe1.aarch64.rpm bind-devel-9.11.21-14.oe1.aarch64.rpm bind-chroot-9.11.21-14.oe1.aarch64.rpm bind-libs-lite-9.11.21-14.oe1.aarch64.rpm bind-export-devel-9.11.21-14.oe1.aarch64.rpm bind-debugsource-9.11.21-14.oe1.aarch64.rpm python3-bind-9.11.21-14.oe1.noarch.rpm bind-9.11.21-14.oe1.src.rpm bind-export-devel-9.11.21-14.oe1.x86_64.rpm bind-utils-9.11.21-14.oe1.x86_64.rpm bind-export-libs-9.11.21-14.oe1.x86_64.rpm bind-debugsource-9.11.21-14.oe1.x86_64.rpm bind-pkcs11-9.11.21-14.oe1.x86_64.rpm bind-libs-lite-9.11.21-14.oe1.x86_64.rpm bind-chroot-9.11.21-14.oe1.x86_64.rpm bind-libs-9.11.21-14.oe1.x86_64.rpm bind-pkcs11-devel-9.11.21-14.oe1.x86_64.rpm bind-debuginfo-9.11.21-14.oe1.x86_64.rpm bind-devel-9.11.21-14.oe1.x86_64.rpm bind-9.11.21-14.oe1.x86_64.rpm By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. 2022-10-14 CVE-2022-38177 openEuler-20.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H bind security update 2022-10-14 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1982 By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. 2022-10-14 CVE-2022-38178 openEuler-20.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H bind security update 2022-10-14 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1982 By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver s performance, effectively denying legitimate clients access to the DNS resolution service. 2022-10-14 CVE-2022-2795 openEuler-20.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H bind security update 2022-10-14 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1982 The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process. 2022-10-14 CVE-2022-2881 openEuler-20.03-LTS-SP3 High 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H bind security update 2022-10-14 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1982 An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service. 2022-10-14 CVE-2022-2906 openEuler-20.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H bind security update 2022-10-14 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1982