named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
Description
This issue can affect BIND 9 resolvers with stale-answer-enable yes; that also make use of the option stale-answer-client-timeout, configured with a value greater than zero.
If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM recursive-clients limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
Affected products
39- osv-coords38 versionspkg:apk/chainguard/bindpkg:apk/chainguard/bind-devpkg:apk/chainguard/bind-dnssec-rootpkg:apk/chainguard/bind-dnssec-toolspkg:apk/chainguard/bind-docpkg:apk/chainguard/bind-libspkg:apk/chainguard/bind-pluginspkg:apk/chainguard/bind-toolspkg:apk/wolfi/bindpkg:apk/wolfi/bind-devpkg:apk/wolfi/bind-dnssec-rootpkg:apk/wolfi/bind-dnssec-toolspkg:apk/wolfi/bind-docpkg:apk/wolfi/bind-libspkg:apk/wolfi/bind-pluginspkg:apk/wolfi/bind-toolspkg:rpm/almalinux/bindpkg:rpm/almalinux/bind9.16pkg:rpm/almalinux/bind9.16-chrootpkg:rpm/almalinux/bind9.16-develpkg:rpm/almalinux/bind9.16-dnssec-utilspkg:rpm/almalinux/bind9.16-docpkg:rpm/almalinux/bind9.16-libspkg:rpm/almalinux/bind9.16-licensepkg:rpm/almalinux/bind9.16-utilspkg:rpm/almalinux/bind-chrootpkg:rpm/almalinux/bind-develpkg:rpm/almalinux/bind-dnssec-docpkg:rpm/almalinux/bind-dnssec-utilspkg:rpm/almalinux/bind-docpkg:rpm/almalinux/bind-libspkg:rpm/almalinux/bind-licensepkg:rpm/almalinux/bind-utilspkg:rpm/almalinux/python3-bindpkg:rpm/almalinux/python3-bind9.16pkg:rpm/opensuse/bind&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4
< 9.18.11-r0+ 37 more
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 9.18.11-r0
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-11.el9
- (no CPE)range: < 32:9.16.23-0.14.el8
- (no CPE)range: < 9.16.37-150400.5.17.1
- (no CPE)range: < 9.16.37-150400.5.17.1
- (no CPE)range: < 9.16.37-150400.5.17.1
- ISC/BIND 9v5Range: 9.16.12
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- kb.isc.org/docs/cve-2022-3924mitrevendor-advisory
News mentions
0No linked articles in our index yet.