Bind and Varnish updates for Arch Linux

Arch Linux has implemented critical updates for two packages, Bind and Varnish, addressing significant security vulnerabilities that could lead to denial of service and content spoofing attacks.

Bind Security Advisory (ASA-202505-14)
Severity: High
Date: May 21, 2025
CVE-ID: CVE-2025-40775
Type: Denial of Service
Remote: Yes
Link: [Arch Linux Security Advisory](https://security.archlinux.org/AVG-2881)

Summary
Versions of Bind prior to 9.20.9-1 are vulnerable to denial of service attacks due to improper handling of DNS protocol messages that include a Transaction Signature (TSIG). If the TSIG contains an invalid algorithm, Bind crashes with an assertion failure.

Resolution
To mitigate this vulnerability, users should upgrade Bind to version 9.20.9-1 by executing the following command:
```bash
pacman -Syu "bind>=9.20.9-1"
```

Impact
A remote attacker can exploit this vulnerability by sending a specially crafted DNS request, leading to service downtime.

Varnish Security Advisory (ASA-202505-13)
Severity: High
Date: May 20, 2025
CVE-ID: CVE-2025-47905
Type: Content Spoofing
Remote: Yes
Link: [Arch Linux Security Advisory](https://security.archlinux.org/AVG-2879)

Summary
Versions of Varnish prior to 7.7.1-1 are susceptible to content spoofing due to a vulnerability in handling HTTP/1 chunked requests. This can allow an attacker to exploit malformed requests to smuggle additional requests, potentially leading to the caching and serving of incorrect or malicious content.

Resolution
To address this vulnerability, users should upgrade Varnish to version 7.7.1-1 with the following command:
```bash
pacman -Syu "varnish>=7.7.1-1"
```

Impact
A remote attacker sending specially crafted HTTP/1 chunked requests could exploit this vulnerability, resulting in information disclosure and the serving of inappropriate content to other users.

Conclusion
Users of Arch Linux are strongly advised to update their installations of Bind and Varnish to the latest versions to protect against these vulnerabilities. Regular updates and vigilance are essential for maintaining security in system configurations. For further information and detailed references, users can consult the links provided in the advisories.
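
To confirm that a host actually carries the fixed versions named in the two Resolution sections, the following check can be run after upgrading. It is an added example, not part of the Arch advisories; the function names and the optional third argument to `check_package` are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: compare installed versions against the advisories' fixed versions.
FIXED_BIND="9.20.9-1"      # ASA-202505-14
FIXED_VARNISH="7.7.1-1"    # ASA-202505-13

# version_at_least INSTALLED FIXED: succeeds when INSTALLED >= FIXED.
# Prefers pacman's vercmp; the `sort -V` fallback is an approximation that is
# adequate for these two packages (no epoch) but not for every Arch version.
version_at_least() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# installed_version PKG: prints the installed version, or nothing if absent.
installed_version() {
    pacman -Q "$1" 2>/dev/null | awk '{print $2}'
}

# check_package PKG FIXED [INSTALLED]: returns 0 patched, 1 vulnerable,
# 2 not installed. The third argument (hypothetical, used for testing)
# supplies a version instead of querying pacman.
check_package() {
    pkg="$1"; fixed="$2"
    installed="${3-$(installed_version "$pkg")}"
    if [ -z "$installed" ]; then
        echo "$pkg: not installed"; return 2
    fi
    if version_at_least "$installed" "$fixed"; then
        echo "$pkg $installed: OK (>= $fixed)"; return 0
    fi
    echo "$pkg $installed: VULNERABLE, upgrade to >= $fixed"; return 1
}

# audit_advisories: checks both packages; fails if either is below its fix.
audit_advisories() {
    rc=0
    check_package bind "$FIXED_BIND" || [ $? -eq 2 ] || rc=1
    check_package varnish "$FIXED_VARNISH" || [ $? -eq 2 ] || rc=1
    return $rc
}

if [ "${1-}" = "--audit" ]; then audit_advisories; fi
```

Invoked with `--audit`, the script exits non-zero if either installed package is older than its fixed version, which makes it usable as a post-upgrade gate in configuration management.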

Arch Linux has received updates that include security patches for Bind and Varnish, which address issues related to denial of service and content spoofing:

[ASA-202505-14] bind: denial of service
[ASA-202505-13] varnish: content spoofing