Is bind 9.18.19 a validating resolver to shield against CVE-2023-42119 ?
Petr Menšík
pemensik at redhat.com
Tue Oct 3 09:57:04 UTC 2023
Hi Kurt,
we do not ship exim in RHEL, so nobody from our team did proper work on
these vulnerabilities. From the little information that I have found, I
would just guess BIND9 or Unbound should help protect exim. Dnsmasq
or coredns do not create a full response message from scratch, but forward
the original responses from upstream, unless they have cached it already. So with
BIND it should be better, but no guarantees given. A local validating
resolver should help in any case. But without more detailed information
about the vulnerability, we are just guessing.
Best Regards,
Petr
On 02. 10. 23 11:06, Kurt Jaeger wrote:
> Hi!
>
> In the light of the recent exim security issues[1,2]
> I'm trying to find out if bind 9.18.19, if used as resolver,
> does enough validation to shield exim instances from CVE-2023-42119 ?
>
> As details and reproducers for the CVE are not available, this is a
> more general question. Pointers on where I can read more about it
> are highly appreciated!
>
> There are probably two aspects to validation:
> - Validating DNSSEC (the more common use case of validation)
> - Validating DNS requests/replies in general (bailiwick, cache pollution etc.).
>
> [1] https://lists.exim.org/lurker/message/20231001.165119.aa8c29f9.en.html
> [2] https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
>
--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
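The two aspects of "validation" Kurt lists map onto two concrete checks a resolver or its client can make. The script below is an added illustration written for this archive page; it is not code from BIND, Unbound or exim and says nothing about the exim bug itself. It reads the AD (Authentic Data) flag from a DNS response header, which is how a client tells that a validating resolver has DNSSEC-validated the answer, and it drops additional-section records that fall outside the bailiwick of the zone that answered, which is the classic defence against cache pollution. All packets and records are constructed inline; the field names and record dictionaries are this example's own assumptions.

```python
"""Two resolver-side DNS validation checks (constructed example; not BIND,
Unbound or exim code): the DNSSEC AD flag and the bailiwick rule."""
import struct

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035), second 16-bit word.
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: the resolver DNSSEC-validated this answer
FLAG_CD = 0x0010  # Checking Disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F


def parse_header(packet: bytes) -> dict:
    """Parse the fixed 12-byte DNS header into named fields."""
    if len(packet) < 12:
        raise ValueError("DNS packet shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "authentic_data": bool(flags & FLAG_AD),
        "checking_disabled": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def validated_by_resolver(packet: bytes) -> bool:
    """True only for a NOERROR response on which the resolver set AD.

    An application that wants DNSSEC assurance must check this bit (and talk
    to the resolver over a trusted path); a missing AD bit means the data
    was not validated, not that it is wrong."""
    h = parse_header(packet)
    return h["is_response"] and h["authentic_data"] and h["rcode"] == 0


def in_bailiwick(owner: str, zone: str) -> bool:
    """Is `owner` equal to, or a subdomain of, `zone`?

    Comparison is case-insensitive and ignores the trailing dot; a plain
    string-suffix test would wrongly accept 'example.network' for
    'example.net', so the dot separator is required."""
    o = owner.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    if z == "":
        return True  # the root zone is authoritative for everything
    return o == z or o.endswith("." + z)


def filter_additional(zone: str, additional: list) -> tuple:
    """Split additional-section records into (kept, dropped) by bailiwick.

    A resolver building its own response from scratch, as Petr describes
    for BIND, never caches the dropped records; a pure forwarder may relay
    them untouched."""
    kept, dropped = [], []
    for rr in additional:
        (kept if in_bailiwick(rr["name"], zone) else dropped).append(rr)
    return kept, dropped


def build_header(txid: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Pack a DNS header; used here only to construct sample packets."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


# Constructed sample responses (header only; no question/answer sections).
VALIDATED_RESPONSE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
UNVALIDATED_RESPONSE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)

# Constructed additional section as a delegation for example.net might carry it:
# one in-bailiwick glue record and one record for an unrelated zone.
SAMPLE_ADDITIONAL = [
    {"name": "ns1.example.net.", "type": "A", "data": "192.0.2.10"},
    {"name": "mail.example.org.", "type": "A", "data": "192.0.2.99"},
]

if __name__ == "__main__":
    print("validated:", validated_by_resolver(VALIDATED_RESPONSE))
    print("unvalidated:", validated_by_resolver(UNVALIDATED_RESPONSE))
    kept, dropped = filter_additional("example.net", SAMPLE_ADDITIONAL)
    print("kept:", [r["name"] for r in kept])
    print("dropped:", [r["name"] for r in dropped])
```

Neither check is a substitute for knowing what the exim bug actually does: the AD flag only tells the client that the resolver validated the signatures, and the bailiwick filter only keeps unrelated records out of the cache. Both are exactly the kind of work a full resolver such as BIND does before it hands a freshly built response to the mail server.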