SB2023070341 - SUSE update for dnsdist

Published: July 3, 2023

Security Bulletin ID: SB2023070341
Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 33% Medium 33% Low 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2016-7069)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding the response to the initial client.


2) Cross-site request forgery (CVE-ID: CVE-2017-7557)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


3) Input validation error (CVE-ID: CVE-2018-14663)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing DNS queries. A remote attacker can smuggle certain DNS records into the DNS backend and perform a spoofing attack. This issue occurs only when either the ‘useClientSubnet’ or the experimental ‘addXPF’ parameter is used when declaring a new backend.


Remediation

Install the update from the vendor's website.