jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1983.xml
Jia Chao 0b34274085 git mv 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

295 lines
16 KiB
XML
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for bind is now available for openEuler-22.03-LTS</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2022-1983</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2022-10-14</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2022-10-14</InitialReleaseDate>
<CurrentReleaseDate>2022-10-14</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2022-10-14</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">bind security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for bind is now available for openEuler-22.03-LTS.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Security Fix(es):
By sending specific queries to the resolver, an attacker can cause named to crash.(CVE-2022-3080)
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38177)
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38178)
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver&apos;s performance, effectively denying legitimate clients access to the DNS resolution service.(CVE-2022-2795)
The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.(CVE-2022-2881)
An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.(CVE-2022-2906)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for bind is now available for openEuler-22.03-LTS.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">bind</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1983</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3080</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38177</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38178</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2795</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2881</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2906</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-3080</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-38177</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-38178</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-2795</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-2881</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-2906</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="bind-chroot-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-chroot-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-libs-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-libs-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-pkcs11-libs-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-libs-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-dnssec-utils-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-dnssec-utils-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-devel-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-devel-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-debugsource-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-debugsource-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-pkcs11-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-pkcs11-utils-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-utils-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-pkcs11-devel-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-devel-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-utils-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-utils-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="bind-debuginfo-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-debuginfo-9.16.23-11.oe2203.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="python3-bind-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">python3-bind-9.16.23-11.oe2203.noarch.rpm</FullProductName>
<FullProductName ProductID="bind-dnssec-doc-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-dnssec-doc-9.16.23-11.oe2203.noarch.rpm</FullProductName>
<FullProductName ProductID="bind-license-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-license-9.16.23-11.oe2203.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="bind-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-9.16.23-11.oe2203.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="bind-pkcs11-devel-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-devel-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-devel-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-devel-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-utils-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-utils-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-libs-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-libs-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-chroot-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-chroot-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-debugsource-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-debugsource-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-pkcs11-utils-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-utils-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-dnssec-utils-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-dnssec-utils-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-pkcs11-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-debuginfo-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-debuginfo-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="bind-pkcs11-libs-9.16.23-11" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">bind-pkcs11-libs-9.16.23-11.oe2203.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">By sending specific queries to the resolver, an attacker can cause named to crash.</Note>
</Notes>
<ReleaseDate>2022-10-14</ReleaseDate>
<CVE>CVE-2022-3080</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>bind security update</Description>
<DATE>2022-10-14</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1983</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.</Note>
</Notes>
<ReleaseDate>2022-10-14</ReleaseDate>
<CVE>CVE-2022-38177</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>bind security update</Description>
<DATE>2022-10-14</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1983</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.</Note>
</Notes>
<ReleaseDate>2022-10-14</ReleaseDate>
<CVE>CVE-2022-38178</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>bind security update</Description>
<DATE>2022-10-14</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1983</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver s performance, effectively denying legitimate clients access to the DNS resolution service.</Note>
</Notes>
<ReleaseDate>2022-10-14</ReleaseDate>
<CVE>CVE-2022-2795</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>bind security update</Description>
<DATE>2022-10-14</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1983</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="5" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="5" xml:lang="en">The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.</Note>
</Notes>
<ReleaseDate>2022-10-14</ReleaseDate>
<CVE>CVE-2022-2881</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>8.2</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>bind security update</Description>
<DATE>2022-10-14</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1983</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="6" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="6" xml:lang="en">An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.</Note>
</Notes>
<ReleaseDate>2022-10-14</ReleaseDate>
<CVE>CVE-2022-2906</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>bind security update</Description>
<DATE>2022-10-14</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1983</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink