Source: bind9
Version: 1:9.20.4-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:9.18.28-1~deb12u2
Control: fixed -1 1:9.18.33-1~deb12u2
Hi,

The following vulnerabilities were published for bind9.

CVE-2024-11187[0]:
| It is possible to construct a zone such that some queries to it will
| generate responses containing numerous records in the Additional
| section. An attacker sending many such queries can cause either the
| authoritative server itself or an independent resolver to use
| disproportionate resources processing the queries. Zones will
| usually need to have been deliberately crafted to attack this
| exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37,
| 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through
| 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1,
| 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.

CVE-2024-12705[1]:
| Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU
| and/or memory by flooding it with crafted valid or invalid HTTP/2
| traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32,
| 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through
| 9.18.32-S1.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-11187
    https://www.cve.org/CVERecord?id=CVE-2024-11187
    https://kb.isc.org/docs/cve-2024-11187
[1] https://security-tracker.debian.org/tracker/CVE-2024-12705
    https://www.cve.org/CVERecord?id=CVE-2024-12705
    https://kb.isc.org/docs/cve-2024-12705

Regards,
Salvatore
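As an added example (not part of the report, and not ISC or Debian code), the following script encodes the affected-version ranges quoted above and checks an upstream BIND 9 version number against them, treating Subscription Edition (-S) builds as a separate series because their first-affected releases differ from the open-source ones. It assumes a plain upstream version string such as 9.18.28 or 9.18.32-S1, not the Debian package version with epoch and revision.

```python
import re

# (first affected, last affected) per range, copied from the advisory text.
AFFECTED = {
    "CVE-2024-11187": [
        ("9.11.0", "9.11.37"), ("9.16.0", "9.16.50"), ("9.18.0", "9.18.32"),
        ("9.20.0", "9.20.4"), ("9.21.0", "9.21.3"), ("9.11.3-S1", "9.11.37-S1"),
        ("9.16.8-S1", "9.16.50-S1"), ("9.18.11-S1", "9.18.32-S1"),
    ],
    "CVE-2024-12705": [
        ("9.18.0", "9.18.32"), ("9.20.0", "9.20.4"), ("9.21.0", "9.21.3"),
        ("9.18.11-S1", "9.18.32-S1"),
    ],
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?$")


def parse_version(text):
    """Split '9.18.32-S1' into ((9, 18, 32), 'S1'); edition is '' for the
    open-source build. Rejects anything that is not a plain BIND 9 version."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) or ""


def is_affected(version, cve):
    """True if version lies in one of the advisory ranges for cve. A -S
    (Subscription Edition) build is only compared against -S ranges and an
    open-source build only against open-source ranges, since the editions
    have different first-affected releases (e.g. 9.11.0 vs 9.11.3-S1)."""
    num, edition = parse_version(version)
    for lo, hi in AFFECTED[cve]:
        lo_num, lo_ed = parse_version(lo)
        hi_num, _ = parse_version(hi)
        if lo_ed == edition and lo_num <= num <= hi_num:
            return True
    return False


def affected_cves(version):
    """CVEs from this report that apply to version, in report order."""
    return [cve for cve in AFFECTED if is_affected(version, cve)]


if __name__ == "__main__":
    # Constructed sample inputs: the report's found/fixed upstream versions,
    # a Subscription build below its range, and the first unaffected 9.20.
    for v in ("9.18.28", "9.18.33", "9.16.7-S1", "9.20.5"):
        print(v, affected_cves(v))
```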