CVE-2022-2906

NameCVE-2022-2906
DescriptionAn attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)buster1:9.11.5.P4+dfsg-5.1+deb10u7fixed
buster (security)1:9.11.5.P4+dfsg-5.1+deb10u10fixed
bullseye1:9.16.44-1~deb11u1fixed
bullseye (security)1:9.16.48-1fixed
bookworm1:9.18.19-1~deb12u1fixed
bookworm (security)1:9.18.24-1fixed
sid, trixie1:9.19.21-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9sourcebuster(not affected)
bind9sourcebullseye(not affected)
bind9source(unstable)1:9.18.7-1

Notes

[bullseye] - bind9 <not-affected> (Vulnerable code introduced later)
[buster] - bind9 <not-affected> (Vulnerable code introduced later)
https://kb.isc.org/docs/cve-2022-2906
Introduced after: https://gitlab.isc.org/isc-projects/bind9/-/commit/e18777c7582d54d227714882e9e79746ce48e002 (v9_17_20)
Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/73df5c80538970ee1fbc4fe3348109bdc281e197 (v9_18_7)

Search for package or bug name: Reporting problems