February 2024 security fixes

Legend

Icon	Meaning
🔔	Outstanding task
🚧	Needs finishing
✅	Complete
💤	Waiting for other tasks to be completed
⛔	Does not apply
🗒	See note

Status

CVE-2023-4408(#4234 (closed)) Parsing large DNS messages may cause excessive CPU load

Branch	Fix (merge request)	Fix (patch)	Reproducer
v9.19	✅ isc-private/bind9!560 + isc-private/bind9!632		🗒
v9.18	✅ isc-private/bind9!585 + isc-private/bind9!633 + isc-private/bind9!656		🗒
v9.18-S	⛔		⛔
v9.16	✅ isc-private/bind9!586 + isc-private/bind9!634 + isc-private/bind9!654		🗒
v9.16-S	⛔		⛔
v9.11	✅ isc-private/bind9!587 + isc-private/bind9!655	⛔	🗒
v9.11-S	⛔		⛔

CVE-2023-5517(#4281 (closed)) Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled

Branch	Fix (merge request)	Fix (patch)	Reproducer
v9.19	✅ isc-private/bind9!584		✅ isc-private/bind9!611
v9.18	✅ isc-private/bind9!612		✅ isc-private/bind9!615
v9.18-S	✅ isc-private/bind9!652		⛔
v9.16	✅ isc-private/bind9!613		✅ isc-private/bind9!616
v9.16-S	✅ isc-private/bind9!653		⛔

CVE-2023-5679(#4334 (closed)) Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution

Branch	Fix (merge request)	Fix (patch)	Reproducer
v9.19	✅ isc-private/bind9!588		✅ isc-private/bind9!590
v9.18	✅ isc-private/bind9!602		✅ isc-private/bind9!609
v9.18-S	⛔		⛔
v9.16	✅ isc-private/bind9!603		✅ isc-private/bind9!610
v9.16-S	⛔		⛔

CVE-2023-5680(#4356) Cleaning an ECS-enabled cache may cause excessive CPU load

Branch	Fix (merge request)	Fix (patch)	Reproducer
v9.18-S	✅ isc-private/bind9!617 + isc-private/bind9!648		:notepad_spiral:
v9.16-S	✅ isc-private/bind9!589 + isc-private/bind9!649		:notepad_spiral:
v9.11-S	✅ isc-private/bind9!618 + isc-private/bind9!650		:notepad_spiral:

CVE-2023-6516(#4383 (closed)) Specific recursive query patterns may lead to an out-of-memory condition

Branch	Fix (merge request)	Fix (patch)	Reproducer
v9.16	✅ isc-private/bind9!621		🗒
v9.16-S	⛔		⛔

CVE-2023-50387(#4424 (closed)) KeyTrap: extreme CPU consumption in DNSSEC validator

NOTE: These patches also address CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources.

Branch	Fix (merge request)	Fix (patch)	Reproducer
v9.19	✅ isc-private/bind9!606		:notepad_spiral:
v9.18	✅ isc-private/bind9!628		:notepad_spiral:
v9.18-S	⛔		⛔
v9.16	✅ isc-private/bind9!629		:notepad_spiral:
v9.16-S	⛔		⛔
v9.11	✅ isc-private/bind9!630	⛔	:notepad_spiral:
v9.11-S	⛔		⛔

Edited Aug 06, 2024 by Michał Kępień

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information