Security Advisory Details

NS-SA-2022-0051

2022-05-08 20:35:23

Summary

important: bind/lz4 security update

Severity

important

Topic

An update for bind/lz4 is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

bind: This package provides debug information for package bind-pkcs11-libs. Debug information is useful when developing applications that use this package or when debugging this package.
lz4: This package provides debug sources for package lz4. Debug sources are useful when developing applications that use this package or when debugging this package.


Security Fix(es):
bind: A flaw was found in bind. The way DNAME records are processed may cause the same RRset to be added to the ANSWER section more than once, which causes an assertion check to fail. The highest threat from this flaw is to system availability. (CVE-2021-25215)
bind: bugfix
lz4: There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to memmove() being called with a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. (CVE-2021-3520)
lz4: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.80B5.

Affected Components

  • bind
  • lz4

Affected Products

  • CGSL MAIN 6.02

Updated Packages

Product: CGSL MAIN 6.02

Source: bind-9.11.26-4.el8_4.src.rpm

  • bind-pkcs11-libs-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-pkcs11-utils-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-sdb-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-pkcs11-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-libs-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-utils-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-debugsource-9.11.26-4.el8_4.x86_64.rpm
  • bind-export-libs-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-export-devel-9.11.26-4.el8_4.x86_64.rpm
  • bind-libs-lite-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-export-libs-9.11.26-4.el8_4.x86_64.rpm
  • bind-debuginfo-9.11.26-4.el8_4.x86_64.rpm
  • bind-utils-9.11.26-4.el8_4.x86_64.rpm
  • bind-sdb-chroot-9.11.26-4.el8_4.x86_64.rpm
  • bind-libs-lite-9.11.26-4.el8_4.x86_64.rpm
  • bind-devel-9.11.26-4.el8_4.x86_64.rpm
  • bind-pkcs11-9.11.26-4.el8_4.x86_64.rpm
  • bind-pkcs11-libs-9.11.26-4.el8_4.x86_64.rpm
  • bind-chroot-9.11.26-4.el8_4.x86_64.rpm
  • python3-bind-9.11.26-4.el8_4.noarch.rpm
  • bind-lite-devel-9.11.26-4.el8_4.x86_64.rpm
  • bind-libs-9.11.26-4.el8_4.x86_64.rpm
  • bind-pkcs11-devel-9.11.26-4.el8_4.x86_64.rpm
  • bind-9.11.26-4.el8_4.x86_64.rpm
  • bind-sdb-9.11.26-4.el8_4.x86_64.rpm
  • bind-pkcs11-utils-9.11.26-4.el8_4.x86_64.rpm
  • bind-license-9.11.26-4.el8_4.noarch.rpm

Source: lz4-1.8.3-3.el8_4.src.rpm

  • lz4-debugsource-1.8.3-3.el8_4.x86_64.rpm
  • lz4-debuginfo-1.8.3-3.el8_4.x86_64.rpm
  • lz4-devel-1.8.3-3.el8_4.x86_64.rpm
  • lz4-libs-1.8.3-3.el8_4.x86_64.rpm
  • lz4-static-1.8.3-3.el8_4.x86_64.rpm
  • lz4-1.8.3-3.el8_4.x86_64.rpm
  • lz4-libs-debuginfo-1.8.3-3.el8_4.x86_64.rpm

CVE

References