Hi there
On 02/10/2023 11:06, Kurt Jaeger wrote:
In the light of the recent exim security issues[1,2]
I'm trying to find out if bind 9.18.19, if used as resolver,
does enough validation to shield exim instances from CVE-2023-42119 ?
I added 'check-names response fail;' to the internal view.
So far this blocked a few hosts with underscore and comma in the name,
which didn't break anything.
I'm assuming that this will protect DNS lookups. But that's just an
assumption.
As details and reproducers for the CVE are not available, this is a
more general question. Pointers on where I can read more about it
are highly appreciated!
There are probably two aspects to validation:
- Validating DNSSEC (the more common use case of validation)
- Validating DNS request/replies in general (bailiwick, cache polution etc).
[1] https://lists.exim.org/lurker/message/20231001.165119.aa8c29f9.en.html
[2] https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
Regards,
Rob
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
