Prevent increased CPU load on large DNS messages

6315. [security] Speed up parsing of DNS messages with many different names. (CVE-2023-4408) [GL #4234] 6321. [security] Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234] 6343. [bug] Fix case insensitive setting for isc_ht hashtable. Resolves: RHEL-25342 ; Resolves: CVE-2023-4408
2024-02-12 20:08:53 +01:00 · 2024-02-12 20:08:53 +01:00 · deeca182e3
commit deeca182e3
parent 2b46612566
2 changed files with 1741 additions and 1 deletions
--- a/bind-9.16-CVE-2023-4408.patch
+++ b/bind-9.16-CVE-2023-4408.patch
--- a/bind.spec
+++ b/bind.spec
@ -51,7 +51,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  15%{?dist}
+Release:  16%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -135,6 +135,7 @@ Patch191: bind-9.16-CVE-2023-2911-3.patch
 Patch192: bind-9.16-CVE-2023-3341.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/8924adca613ca9daea63786563cce6fdbd742c56
 Patch193: bind-9.16-update-b.root-servers.net.patch
+Patch194: bind-9.16-CVE-2023-4408.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -456,6 +457,7 @@ in HTML and PDF format.
 %patch191 -p1 -b .CVE-2023-2911-3
 %patch192 -p1 -b .CVE-2023-3341
 %patch193 -p1 -b .b.root-servers.net
+%patch194 -p1 -b .CVE-2023-4408

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1179,6 +1181,9 @@ fi;
 %endif

 %changelog
+* Mon Feb 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-16
+- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
+
 * Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15
 - Update addresses of b.root-servers.net (RHEL-18188)