From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] bind: Update to 9.16.33
Date: Fri, 23 Sep 2022 10:32:58 +0000 [thread overview]
Message-ID: <02d05a3a-f77b-81c6-9a82-d244c14ab198@ipfire.org> (raw)
In-Reply-To: <20220923070302.4103660-1-matthias.fischer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 4969 bytes --]
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> For details see:
> https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33
>
> "Security Fixes
>
> Previously, there was no limit to the number of database lookups
> performed while processing large delegations, which could be abused to
> severely impact the performance of named running as a recursive
> resolver. This has been fixed. (CVE-2022-2795)
>
> ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
> Bremler-Barr & Shani Stajnrod from Reichman University for bringing
> this vulnerability to our attention. [GL #3394]
>
> named running as a resolver with the stale-answer-client-timeout option
> set to 0 could crash with an assertion failure, when there was a stale
> CNAME in the cache for the incoming query. This has been fixed.
> (CVE-2022-3080) [GL #3517]
>
> A memory leak was fixed that could be externally triggered in the
> DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
> #3487]
>
> Memory leaks were fixed that could be externally triggered in the
> DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
> #3487]
>
> Feature Changes
>
> Response Rate Limiting (RRL) code now treats all QNAMEs that are
> subject to wildcard processing within a given zone as the same name, to
> prevent circumventing the limits enforced by RRL. [GL #3459]
>
> Zones using dnssec-policy now require dynamic DNS or inline-signing to
> be configured explicitly. [GL #3381]
>
> A backward-compatible approach was implemented for encoding
> internationalized domain names (IDN) in dig and converting the domain
> to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
> #3485]
>
> Bug Fixes
>
> A serve-stale bug was fixed, where BIND would try to return stale data
> from cache for lookups that received duplicate queries or queries that
> would be dropped. This bug resulted in premature SERVFAIL responses,
> and has now been resolved. [GL #2982]"
>
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
> config/rootfiles/common/bind | 17 +++++++----------
> lfs/bind | 4 ++--
> 2 files changed, 9 insertions(+), 12 deletions(-)
>
> diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
> index 5aea1853b..879f8c832 100644
> --- a/config/rootfiles/common/bind
> +++ b/config/rootfiles/common/bind
> @@ -157,7 +157,6 @@ usr/bin/nsupdate
> #usr/include/isc/heap.h
> #usr/include/isc/hex.h
> #usr/include/isc/hmac.h
> -#usr/include/isc/hp.h
> #usr/include/isc/ht.h
> #usr/include/isc/httpd.h
> #usr/include/isc/interfaceiter.h
> @@ -175,7 +174,6 @@ usr/bin/nsupdate
> #usr/include/isc/mem.h
> #usr/include/isc/meminfo.h
> #usr/include/isc/mutex.h
> -#usr/include/isc/mutexatomic.h
> #usr/include/isc/mutexblock.h
> #usr/include/isc/net.h
> #usr/include/isc/netaddr.h
> @@ -191,7 +189,6 @@ usr/bin/nsupdate
> #usr/include/isc/pool.h
> #usr/include/isc/portset.h
> #usr/include/isc/print.h
> -#usr/include/isc/queue.h
> #usr/include/isc/quota.h
> #usr/include/isc/radix.h
> #usr/include/isc/random.h
> @@ -274,24 +271,24 @@ usr/bin/nsupdate
> #usr/include/pk11/site.h
> #usr/include/pkcs11
> #usr/include/pkcs11/pkcs11.h
> -usr/lib/libbind9-9.16.32.so
> +usr/lib/libbind9-9.16.33.so
> #usr/lib/libbind9.la
> #usr/lib/libbind9.so
> -usr/lib/libdns-9.16.32.so
> +usr/lib/libdns-9.16.33.so
> #usr/lib/libdns.la
> #usr/lib/libdns.so
> -usr/lib/libirs-9.16.32.so
> +usr/lib/libirs-9.16.33.so
> #usr/lib/libirs.la
> #usr/lib/libirs.so
> -usr/lib/libisc-9.16.32.so
> +usr/lib/libisc-9.16.33.so
> #usr/lib/libisc.la
> #usr/lib/libisc.so
> -usr/lib/libisccc-9.16.32.so
> +usr/lib/libisccc-9.16.33.so
> #usr/lib/libisccc.la
> #usr/lib/libisccc.so
> -usr/lib/libisccfg-9.16.32.so
> +usr/lib/libisccfg-9.16.33.so
> #usr/lib/libisccfg.la
> #usr/lib/libisccfg.so
> -usr/lib/libns-9.16.32.so
> +usr/lib/libns-9.16.33.so
> #usr/lib/libns.la
> #usr/lib/libns.so
> diff --git a/lfs/bind b/lfs/bind
> index bb5c26e1e..aeff480a2 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
>
> include Config
>
> -VER = 9.16.32
> +VER = 9.16.33
>
> THISAPP = bind-$(VER)
> DL_FILE = $(THISAPP).tar.xz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = df6f2c878138015da580dfaf0e16b5a97b11ead9f99c1425a09da8484954196ea3dafb828ac3ab386200ce2b180646c7eb1e0e62a84c153162270a4a1e19a5fc
> +$(DL_FILE)_BLAKE2 = 4246b61ce91af3d494ace4b8065b4c0043b2cfaf28c6de326691a969837e7d1cfbc0dac6b1e1a5182fc32af68048abcfa1202d00022951f3caa13afb03ebeb69
>
> install : $(TARGET)
>
prev parent reply other threads:[~2022-09-23 10:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-23 7:03 Matthias Fischer
2022-09-23 10:32 ` Peter Müller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=02d05a3a-f77b-81c6-9a82-d244c14ab198@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox