oss-sec mailing list archives
ISC has disclosed three vulnerabilities in BIND 9 (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924)
From: Michał Kępień <michal () isc org>
Date: Wed, 25 Jan 2023 18:05:43 +0100
On 25 January 2023 we (Internet Systems Consortium) disclosed three vulnerabilities affecting our BIND 9 software:

- CVE-2022-3094: An UPDATE message flood may cause named to exhaust all available memory
  https://kb.isc.org/docs/cve-2022-3094
- CVE-2022-3736: named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries
  https://kb.isc.org/docs/cve-2022-3736
- CVE-2022-3924: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
  https://kb.isc.org/docs/cve-2022-3924

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of each published release directory:

- https://downloads.isc.org/isc/bind9/9.16.37/patches/
- https://downloads.isc.org/isc/bind9/9.18.11/patches/
- https://downloads.isc.org/isc/bind9/9.19.9/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.

--
Best regards,
Michał Kępień