aports issues: https://gitlab.alpinelinux.org/alpine/aports/-/issues

bind: TCP-pipelined queries can bypass tcp-clients limit (CVE-2019-6477)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10970

Updated: 2021-04-02T02:51:12Z

Author: Alicha CH

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.
#### Affected Versions:
bind 9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2, 9.14.1 -> 9.14.7
#### Fixed In Version:
bind 9.11.13, 9.14.8, 9.15.6.
#### References:
* https://kb.isc.org/docs/cve-2019-6477
* https://www.openwall.com/lists/oss-security/2019/11/20/8
### Affected branches:
* [x] master (85f2bc39b0cdf3fbb1804e1bde6a0f1570c8931d)
* [x] 3.10-stable (9e6955f54ef0ef060d47afd63899a6d9379a6edf)
* [x] 3.9-stable
* [x] 3.8-stable