Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2023-0303)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2023.0303

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2023-0303)

Resumen: The remote host is missing an update for the 'bind' package(s) announced via the MGASA-2023-0303 advisory.

Descripción: Summary:
The remote host is missing an update for the 'bind' package(s) announced via the MGASA-2023-0303 advisory.

Vulnerability Insight:
The code that processes control channel messages sent to `named` calls
certain functions recursively during packet parsing. Recursion depth is
only limited by the maximum accepted packet size, depending on the
environment, this may cause the packet-parsing code to run out of
available stack memory, causing `named` to terminate unexpectedly. Since
each incoming control channel message is fully parsed before its
contents are authenticated, exploiting this flaw does not require the
attacker to hold a valid RNDC key, only network access to the control
channel's configured TCP port is necessary. (CVE-2023-3341)

A flaw in the networking code handling DNS-over-TLS queries may cause
`named` to terminate unexpectedly due to an assertion failure. This
happens when internal data structures are incorrectly reused under
significant DNS-over-TLS query load. (CVE-2023-4236)

Affected Software/OS:
'bind' package(s) on Mageia 9.

Solution:
Please install the updated package(s).

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2023-3341
Debian Security Information: DSA-5504 (Google Search)
https://www.debian.org/security/2023/dsa-5504
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/
CVE-2023-3341
https://kb.isc.org/docs/cve-2023-3341
https://lists.debian.org/debian-lts-announce/2024/01/msg00021.html
http://www.openwall.com/lists/oss-security/2023/09/20/2
Common Vulnerability Exposure (CVE) ID: CVE-2023-4236
CVE-2023-4236
https://kb.isc.org/docs/cve-2023-4236

Copyright Copyright (C) 2023 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2023.0303
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2023-0303)
Resumen:	The remote host is missing an update for the 'bind' package(s) announced via the MGASA-2023-0303 advisory.
Descripción:	Summary: The remote host is missing an update for the 'bind' package(s) announced via the MGASA-2023-0303 advisory. Vulnerability Insight: The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size, depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key, only network access to the control channel's configured TCP port is necessary. (CVE-2023-3341) A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. (CVE-2023-4236) Affected Software/OS: 'bind' package(s) on Mageia 9. Solution: Please install the updated package(s). CVSS Score: 7.8 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2023-3341 Debian Security Information: DSA-5504 (Google Search) https://www.debian.org/security/2023/dsa-5504 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/ CVE-2023-3341 https://kb.isc.org/docs/cve-2023-3341 https://lists.debian.org/debian-lts-announce/2024/01/msg00021.html http://www.openwall.com/lists/oss-security/2023/09/20/2 Common Vulnerability Exposure (CVE) ID: CVE-2023-4236 CVE-2023-4236 https://kb.isc.org/docs/cve-2023-4236
Copyright	Copyright (C) 2023 Greenbone AG