An update for bind is now available for openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2718 Final 1.0 1.0 2025-11-22 Initial 2025-11-22 2025-11-22 openEuler SA Tool V1.0 2025-11-22 bind security update An update for bind is now available for openEuler-24.03-LTS-SP2 Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server. Security Fix(es): Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.(CVE-2025-40778) In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.(CVE-2025-40780) Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.(CVE-2025-8677) An update for bind is now available for openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High bind https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2718 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40778 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40780 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-8677 https://nvd.nist.gov/vuln/detail/CVE-2025-40778 https://nvd.nist.gov/vuln/detail/CVE-2025-40780 https://nvd.nist.gov/vuln/detail/CVE-2025-8677 openEuler-24.03-LTS-SP2 bind-dnssec-doc-9.18.21-5.oe2403sp2.noarch.rpm bind-license-9.18.21-5.oe2403sp2.noarch.rpm bind-9.18.21-5.oe2403sp2.aarch64.rpm bind-chroot-9.18.21-5.oe2403sp2.aarch64.rpm bind-debuginfo-9.18.21-5.oe2403sp2.aarch64.rpm bind-debugsource-9.18.21-5.oe2403sp2.aarch64.rpm bind-devel-9.18.21-5.oe2403sp2.aarch64.rpm bind-dnssec-utils-9.18.21-5.oe2403sp2.aarch64.rpm bind-libs-9.18.21-5.oe2403sp2.aarch64.rpm bind-utils-9.18.21-5.oe2403sp2.aarch64.rpm bind-9.18.21-5.oe2403sp2.src.rpm bind-9.18.21-5.oe2403sp2.x86_64.rpm bind-chroot-9.18.21-5.oe2403sp2.x86_64.rpm bind-debuginfo-9.18.21-5.oe2403sp2.x86_64.rpm bind-debugsource-9.18.21-5.oe2403sp2.x86_64.rpm bind-devel-9.18.21-5.oe2403sp2.x86_64.rpm bind-dnssec-utils-9.18.21-5.oe2403sp2.x86_64.rpm bind-libs-9.18.21-5.oe2403sp2.x86_64.rpm bind-utils-9.18.21-5.oe2403sp2.x86_64.rpm Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. 2025-11-22 CVE-2025-40778 openEuler-24.03-LTS-SP2 High 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N bind security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2718 In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. 2025-11-22 CVE-2025-40780 openEuler-24.03-LTS-SP2 High 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N bind security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2718 Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. 2025-11-22 CVE-2025-8677 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H bind security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2718