ALAS-2025-838

Amazon Linux 2023 Security Advisory: ALAS-2025-838
Advisory Release Date: 2025-01-30 03:53 Pacific
Advisory Updated Date: 2025-02-05 11:08 Pacific
Severity: Important
Issue Overview:

It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure.
This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1. (CVE-2024-11187)

Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic.
This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. (CVE-2024-12705)


Affected Packages:

bind


Issue Correction:
Run dnf update bind --releasever 2023.6.20250203 to update your system.

New Packages:
aarch64:
    bind-debuginfo-9.18.33-1.amzn2023.0.2.aarch64
    bind-utils-debuginfo-9.18.33-1.amzn2023.0.2.aarch64
    bind-chroot-9.18.33-1.amzn2023.0.2.aarch64
    bind-dnssec-utils-debuginfo-9.18.33-1.amzn2023.0.2.aarch64
    bind-utils-9.18.33-1.amzn2023.0.2.aarch64
    bind-debugsource-9.18.33-1.amzn2023.0.2.aarch64
    bind-libs-9.18.33-1.amzn2023.0.2.aarch64
    bind-dnssec-utils-9.18.33-1.amzn2023.0.2.aarch64
    bind-libs-debuginfo-9.18.33-1.amzn2023.0.2.aarch64
    bind-9.18.33-1.amzn2023.0.2.aarch64
    bind-devel-9.18.33-1.amzn2023.0.2.aarch64

noarch:
    bind-doc-9.18.33-1.amzn2023.0.2.noarch
    bind-license-9.18.33-1.amzn2023.0.2.noarch

src:
    bind-9.18.33-1.amzn2023.0.2.src

x86_64:
    bind-chroot-9.18.33-1.amzn2023.0.2.x86_64
    bind-libs-debuginfo-9.18.33-1.amzn2023.0.2.x86_64
    bind-dnssec-utils-debuginfo-9.18.33-1.amzn2023.0.2.x86_64
    bind-utils-debuginfo-9.18.33-1.amzn2023.0.2.x86_64
    bind-devel-9.18.33-1.amzn2023.0.2.x86_64
    bind-debuginfo-9.18.33-1.amzn2023.0.2.x86_64
    bind-debugsource-9.18.33-1.amzn2023.0.2.x86_64
    bind-libs-9.18.33-1.amzn2023.0.2.x86_64
    bind-9.18.33-1.amzn2023.0.2.x86_64
    bind-dnssec-utils-9.18.33-1.amzn2023.0.2.x86_64
    bind-utils-9.18.33-1.amzn2023.0.2.x86_64

Additional References

Red Hat: CVE-2024-11187, CVE-2024-12705

Mitre: CVE-2024-11187, CVE-2024-12705