An update for bind is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1106 Final 1.0 1.0 2025-02-14 Initial 2025-02-14 2025-02-14 openEuler SA Tool V1.0 2025-02-14 bind security update An update for bind is now available for openEuler-24.03-LTS-SP1 BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. Security Fix(es): It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.(CVE-2024-11187) Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.(CVE-2024-12705) An update for bind is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High bind https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1106 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-11187 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-12705 https://nvd.nist.gov/vuln/detail/CVE-2024-11187 https://nvd.nist.gov/vuln/detail/CVE-2024-12705 openEuler-24.03-LTS-SP1 bind-9.18.21-4.oe2403sp1.aarch64.rpm bind-chroot-9.18.21-4.oe2403sp1.aarch64.rpm bind-debuginfo-9.18.21-4.oe2403sp1.aarch64.rpm bind-debugsource-9.18.21-4.oe2403sp1.aarch64.rpm bind-devel-9.18.21-4.oe2403sp1.aarch64.rpm bind-dnssec-utils-9.18.21-4.oe2403sp1.aarch64.rpm bind-libs-9.18.21-4.oe2403sp1.aarch64.rpm bind-utils-9.18.21-4.oe2403sp1.aarch64.rpm bind-9.18.21-4.oe2403sp1.src.rpm bind-9.18.21-4.oe2403sp1.x86_64.rpm bind-chroot-9.18.21-4.oe2403sp1.x86_64.rpm bind-debuginfo-9.18.21-4.oe2403sp1.x86_64.rpm bind-debugsource-9.18.21-4.oe2403sp1.x86_64.rpm bind-devel-9.18.21-4.oe2403sp1.x86_64.rpm bind-dnssec-utils-9.18.21-4.oe2403sp1.x86_64.rpm bind-libs-9.18.21-4.oe2403sp1.x86_64.rpm bind-utils-9.18.21-4.oe2403sp1.x86_64.rpm bind-dnssec-doc-9.18.21-4.oe2403sp1.noarch.rpm bind-license-9.18.21-4.oe2403sp1.noarch.rpm It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1. 2025-02-14 CVE-2024-11187 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H bind security update 2025-02-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1106 Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. 2025-02-14 CVE-2024-12705 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H bind security update 2025-02-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1106