Hi Kurt,
we do not ship exim in RHEL, so nobody from our team did proper work on
these vulnerabilities. From the little information that I have found, I
would just guess BIND9 or Unbound should help protect exim. Dnsmasq
or coredns do not create a full response message from scratch, but forward
the original responses from upstream, unless they have already cached them. So with
BIND it should be better, but no guarantees given. A local validating
resolver should help in any case. But without more detailed information
about the vulnerability, we are just guessing.
Best Regards,
Petr
On 02. 10. 23 11:06, Kurt Jaeger wrote:
Hi!
In the light of the recent exim security issues [1,2]
I'm trying to find out whether BIND 9.18.19, when used as a resolver,
does enough validation to shield exim instances from CVE-2023-42119?
As details and reproducers for the CVE are not available, this is a
more general question. Pointers on where I can read more about it
are highly appreciated!
There are probably two aspects to validation:
- Validating DNSSEC (the more common use case of validation)
- Validating DNS requests/replies in general (bailiwick, cache pollution etc.).
[1] https://lists.exim.org/lurker/message/20231001.165119.aa8c29f9.en.html
[2] https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users