Bugzilla – Bug 1228255
VUL-0: CVE-2024-0760: bind: A flood of DNS messages over TCP may make the server unstable
Last modified: 2024-07-25 14:10:02 UTC
A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack.

This issue affects BIND 9 versions:
- 9.18.1 -> 9.18.27
- 9.19.0 -> 9.19.24
- 9.18.11-S1 -> 9.18.27-S1

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0760
- https://seclists.org/oss-sec/2024/q3/101
- https://kb.isc.org/docs/cve-2024-0760
- https://kb.isc.org/docs/cve-2024-4076
- https://kb.isc.org/docs/cve-2024-1975
- https://kb.isc.org/docs/cve-2024-1737
- https://downloads.isc.org/isc/bind9/9.18.28/patches/
- https://www.cve.org/CVERecord?id=CVE-2024-0760
- http://www.openwall.com/lists/oss-security/2024/07/23/1
- https://bugzilla.redhat.com/show_bug.cgi?id=2298878

Created attachment 876219
upstream patch

It looks like all code streams >= SLE-15-SP4 are affected by this, even though bind version 9.16.x is not listed in the security announcement.