Bugzilla – Bug 1219823
VUL-0: CVE-2023-50387 : unbound, pdns, bind, dnsmasq: Denial Of Service while trying to validate specially crafted DNSSEC responses
Last modified: 2024-06-17 08:30:33 UTC
bind versions prior to 9.11.37 look affected too.
With this we have all unbound and bind versions affected:

- SUSE:ALP:Source:Standard:1.0/bind
- SUSE:SLE-11-SP2:Update/bind
- SUSE:SLE-12-SP1:Update/bind
- SUSE:SLE-12-SP4:Update/bind
- SUSE:SLE-15-SP3:Update/bind
- SUSE:SLE-15-SP4:Update/bind
- SUSE:SLE-15-SP5:Update/bind
- SUSE:SLE-15:Update/bind
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/bind

- SUSE:ALP:Source:Standard:1.0/unbound
- SUSE:SLE-15-SP1:Update/unbound
- SUSE:SLE-15:Update/unbound
https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#security-fixes
This is an autogenerated message for OBS integration:
This bug (1219823) was mentioned in
https://build.opensuse.org/request/show/1146434 Factory / pdns-recursor
https://build.opensuse.org/request/show/1146435 Backports:SLE-15-SP6 / pdns-recursor
https://build.opensuse.org/request/show/1146439 Backports:SLE-15-SP5 / pdns-recursor
This is an autogenerated message for OBS integration:
This bug (1219823) was mentioned in
https://build.opensuse.org/request/show/1146454 Factory / bind
(In reply to Thomas Leroy from comment #7)
> bind versions prior 9.11.37 look affected too.
> With this we have all unbound and bind versions affected:
>
> - SUSE:ALP:Source:Standard:1.0/bind
> - SUSE:SLE-11-SP2:Update/bind
> - SUSE:SLE-12-SP1:Update/bind
> - SUSE:SLE-12-SP4:Update/bind
> - SUSE:SLE-15-SP3:Update/bind
> - SUSE:SLE-15-SP4:Update/bind
> - SUSE:SLE-15-SP5:Update/bind
> - SUSE:SLE-15:Update/bind
> - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/bind
>
> - SUSE:ALP:Source:Standard:1.0/unbound
> - SUSE:SLE-15-SP1:Update/unbound
> - SUSE:SLE-15:Update/unbound

Please also consider SUSE:SLE-15-SP6:GA
dnsmasq also affected: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
openSUSE-SU-2024:0048-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1209897,1219823,1219826
CVE References: CVE-2023-26437,CVE-2023-50387,CVE-2023-50868
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): pdns-recursor-4.8.6-bp155.2.3.1
All dnsmasq codestreams look affected too:

- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-11-SP4:Update
- SUSE:SLE-12-SP1:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
SUSE-SU-2024:0574-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219823, 1219826, 1219851, 1219852, 1219853, 1219854
CVE References: CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516
Sources used:
openSUSE Leap 15.5 (src): bind-9.16.48-150500.8.16.1
Basesystem Module 15-SP5 (src): bind-9.16.48-150500.8.16.1
Server Applications Module 15-SP5 (src): bind-9.16.48-150500.8.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0590-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219823, 1219826, 1219851, 1219852, 1219853, 1219854
CVE References: CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516
Sources used:
openSUSE Leap 15.4 (src): bind-9.16.48-150400.5.40.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): bind-9.16.48-150400.5.40.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): bind-9.16.48-150400.5.40.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): bind-9.16.48-150400.5.40.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): bind-9.16.48-150400.5.40.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): bind-9.16.48-150400.5.40.1
SUSE Manager Proxy 4.3 (src): bind-9.16.48-150400.5.40.1
SUSE Manager Retail Branch Server 4.3 (src): bind-9.16.48-150400.5.40.1
SUSE Manager Server 4.3 (src): bind-9.16.48-150400.5.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
For dnsmasq I would definitely favor upgrading for SLE-15 where we are closer to Factory already. Upstream also suggests that trying to backport the complex patch. For SLE-12 I had in mind from a previous attempt to upgrade to a newer version that some libraries might be missing or too old for recent versions of dnsmasq, but when I just checked this again, I found that they now seem to be good enough. But for SLE-12 we also need to decide if we can accept the list of backwards incompatible changes (all related to DNSSEC) that the upgrade brings and which I already collected three years ago when we decided to upgrade SLE-15, but not SLE-12, to 2.85: https://jira.suse.com/browse/PM-2387

Marcus, what do you think, as you were involved in the decisions back then?
Sorry, I hit the send button too early. Meant to say: "Upstream also suggests that upgrading should be favored over trying to backport the complex patch."
I just noticed that dnsmasq on SLE-12 was compiled without DNSSEC support¹ and hence does not need these fixes.

¹) The output of "dnsmasq -v" contains the "no-DNSSEC" flag.
For dnsmasq I would try a version update for both.

We might need an ECO for SLE12 ...

Can you propose which codestream would go from which to which version?
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15:Update

still needs submits.
I find it very confusing that different packages that don't even share the same affected code are handled with a single bug report here. Wouldn't it have been better to clone the bug to have one per affected package?

(In reply to Alexander Bergmann from comment #26)
> - SUSE:SLE-15-SP3:Update
> - SUSE:SLE-15:Update
>
> still needs submits.

For which package?

(In reply to Marcus Meissner from comment #25)
> dnsmasq I would try a version update for both.
>
> We might need an ECO for SLE12 ...

dnsmasq is compiled without DNSSEC support on SLE12, according to:

--- snip ---
# dnsmasq -v
Dnsmasq Version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: [...] no-DNSSEC [...]
--- snap ---

I guess this happened by accident, because the spec file intends to enable it. But given that nobody complained about it so far, I'd suggest that we leave it as it is.
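The comments above settle the SLE-12 dnsmasq question by reading the "Compile time options" line of "dnsmasq -v": a build that lists "no-DNSSEC" never reaches the validation code CVE-2023-50387 lives in. The script below is an added example written for this page; it is not code from the bug report, from SUSE packaging, or from the dnsmasq project. It turns that manual check into a small triage function and adds the second condition a practitioner should verify on builds that do have DNSSEC compiled in: validation is only active when the configuration contains a bare "dnssec" line (a real dnsmasq option). The function names, verdict strings and the sample "dnsmasq -v" outputs and config snippets are constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or the dnsmasq project): classify
# whether a dnsmasq host can reach the DNSSEC validation path at all.
# Two independent conditions must hold:
#   1. the binary was built with DNSSEC ("dnsmasq -v" lists DNSSEC, not
#      no-DNSSEC, among its "Compile time options"), and
#   2. the configuration actually turns validation on (the "dnssec" option).
# Function and variable names below are this example's own.

# dnssec_build_state "<dnsmasq -v output>"  -> compiled | not-compiled | unknown
dnssec_build_state() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^Compile time options: *//p')
    [ -n "$opts" ] || { echo unknown; return 0; }
    for o in $opts; do
        case "$o" in
            no-DNSSEC) echo not-compiled; return 0 ;;
            DNSSEC)    echo compiled;     return 0 ;;
        esac
    done
    echo unknown
}

# dnssec_config_enabled "<dnsmasq.conf contents>" -> yes | no
# Only a bare, uncommented "dnssec" line enables validation; "#dnssec" and
# "dnssec-check-unsigned" on their own do not.
dnssec_config_enabled() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dnssec[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# dnssec_exposure "<dnsmasq -v output>" "<dnsmasq.conf contents>" -> verdict
dnssec_exposure() {
    case "$(dnssec_build_state "$1")" in
        not-compiled) echo 'not-affected:no-DNSSEC-build' ;;
        compiled)
            if [ "$(dnssec_config_enabled "$2")" = yes ]; then
                echo 'affected:validation-enabled'
            else
                echo 'not-exposed:validation-off'
            fi ;;
        *) echo 'unknown:unparsed-version-output' ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
# Mirrors the SLE-12 output quoted in the bug: DNSSEC compiled out.
V_NO_DNSSEC='Dnsmasq Version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP no-DNSSEC loop-detect inotify'
# Hypothetical build with DNSSEC compiled in.
V_DNSSEC='Dnsmasq Version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DNSSEC loop-detect inotify'
CONF_ON='domain-needed
dnssec'
CONF_OFF='domain-needed
#dnssec
dnssec-check-unsigned'

# Stand-alone run: one verdict per constructed combination.
# On a real host: dnssec_exposure "$(dnsmasq -v)" "$(cat /etc/dnsmasq.conf)"
echo "SLE-12-style build, dnssec configured: $(dnssec_exposure "$V_NO_DNSSEC" "$CONF_ON")"
echo "DNSSEC build, dnssec configured:       $(dnssec_exposure "$V_DNSSEC" "$CONF_ON")"
echo "DNSSEC build, dnssec commented out:    $(dnssec_exposure "$V_DNSSEC" "$CONF_OFF")"
```

The config check only sees the text you hand it. dnsmasq also reads files pulled in through conf-file and conf-dir (typically /etc/dnsmasq.d), so on a real host concatenate those before calling dnssec_config_enabled, or the "dnssec" line may be missed. A "no-DNSSEC" build short-circuits the decision regardless of configuration, which is exactly the argument made for SLE-12 above.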
This is an autogenerated message for OBS integration:
This bug (1219823) was mentioned in
https://build.opensuse.org/request/show/1177373 Backports:SLE-12-SP4 / pdns-recursor
SUSE-SU-2024:1894-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219823, 1219826, 1219851
CVE References: CVE-2023-4408, CVE-2023-50387, CVE-2023-50868
Maintenance Incident: SUSE:Maintenance:34020 (https://smelt.suse.de/incident/34020/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): bind-9.11.22-3.52.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): bind-9.11.22-3.52.1
SUSE Linux Enterprise Server 12 SP5 (src): bind-9.11.22-3.52.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): bind-9.11.22-3.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1923-1: An update that solves five vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1202031, 1202033, 1203643, 1219823, 1219826
CVE References: CVE-2022-30698, CVE-2022-30699, CVE-2022-3204, CVE-2023-50387, CVE-2023-50868
Jira References: PED-8333
Maintenance Incident: SUSE:Maintenance:34099 (https://smelt.suse.de/incident/34099/)
Sources used:
openSUSE Leap 15.6 (src): unbound-1.20.0-150600.23.3.1, libunbound-devel-mini-1.20.0-150600.23.3.1
Basesystem Module 15-SP6 (src): unbound-1.20.0-150600.23.3.1
SUSE Package Hub 15 15-SP6 (src): unbound-1.20.0-150600.23.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1991-1: An update that solves five vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1202031, 1202033, 1203643, 1219823, 1219826
CVE References: CVE-2022-30698, CVE-2022-30699, CVE-2022-3204, CVE-2023-50387, CVE-2023-50868
Jira References: PED-8333
Maintenance Incident: SUSE:Maintenance:34098 (https://smelt.suse.de/incident/34098/)
Sources used:
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): unbound-1.20.0-150100.10.13.1
SUSE Manager Proxy 4.3 (src): unbound-1.20.0-150100.10.13.1
SUSE Manager Retail Branch Server 4.3 (src): unbound-1.20.0-150100.10.13.1
SUSE Manager Server 4.3 (src): unbound-1.20.0-150100.10.13.1
SUSE Enterprise Storage 7.1 (src): unbound-1.20.0-150100.10.13.1
openSUSE Leap 15.5 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise Micro 5.5 (src): unbound-1.20.0-150100.10.13.1
Basesystem Module 15-SP5 (src): unbound-1.20.0-150100.10.13.1
SUSE Package Hub 15 15-SP5 (src): unbound-1.20.0-150100.10.13.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): unbound-1.20.0-150100.10.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1982-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219823, 1219826, 1219851, 1219852, 1219854
CVE References: CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-6516
Maintenance Incident: SUSE:Maintenance:34202 (https://smelt.suse.de/incident/34202/)
Sources used:
SUSE Enterprise Storage 7.1 (src): bind-9.16.6-150300.22.44.1
openSUSE Leap 15.3 (src): bind-9.16.6-150300.22.44.1
Basesystem Module 15-SP6 (src): bind-9.16.6-150300.22.44.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): bind-9.16.6-150300.22.44.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): bind-9.16.6-150300.22.44.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): bind-9.16.6-150300.22.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2033-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219823, 1219826, 1219851, 1219852, 1219854
CVE References: CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-6516
Maintenance Incident: SUSE:Maintenance:34201 (https://smelt.suse.de/incident/34201/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): libuv-1.18.0-150000.3.2.1, bind-9.16.6-150000.12.74.2
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): libuv-1.18.0-150000.3.2.1, bind-9.16.6-150000.12.74.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): libuv-1.18.0-150000.3.2.1, bind-9.16.6-150000.12.74.2
SUSE Manager Client Tools for SLE Micro 5 (src): libuv-1.18.0-150000.3.2.1, bind-9.16.6-150000.12.74.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.