From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] bind: Update to 9.16.33 Date: Fri, 23 Sep 2022 10:32:58 +0000 Message-ID: <02d05a3a-f77b-81c6-9a82-d244c14ab198@ipfire.org> In-Reply-To: <20220923070302.4103660-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0943496245987092722==" List-Id: --===============0943496245987092722== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Peter M=C3=BCller > For details see: > https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-f= or-bind-9-16-33 >=20 > "Security Fixes >=20 > Previously, there was no limit to the number of database lookups > performed while processing large delegations, which could be abused to > severely impact the performance of named running as a recursive > resolver. This has been fixed. (CVE-2022-2795) >=20 > ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat > Bremler-Barr & Shani Stajnrod from Reichman University for bringing > this vulnerability to our attention. [GL #3394] >=20 > named running as a resolver with the stale-answer-client-timeout option > set to 0 could crash with an assertion failure, when there was a stale > CNAME in the cache for the incoming query. This has been fixed. > (CVE-2022-3080) [GL #3517] >=20 > A memory leak was fixed that could be externally triggered in the > DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL > #3487] >=20 > Memory leaks were fixed that could be externally triggered in the > DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL > #3487] >=20 > Feature Changes >=20 > Response Rate Limiting (RRL) code now treats all QNAMEs that are > subject to wildcard processing within a given zone as the same name, to > prevent circumventing the limits enforced by RRL. [GL #3459] >=20 > Zones using dnssec-policy now require dynamic DNS or inline-signing to > be configured explicitly. [GL #3381] >=20 > A backward-compatible approach was implemented for encoding > internationalized domain names (IDN) in dig and converting the domain > to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL > #3485] >=20 > Bug Fixes >=20 > A serve-stale bug was fixed, where BIND would try to return stale data > from cache for lookups that received duplicate queries or queries that > would be dropped. This bug resulted in premature SERVFAIL responses, > and has now been resolved. [GL #2982]" >=20 > Signed-off-by: Matthias Fischer > --- > config/rootfiles/common/bind | 17 +++++++---------- > lfs/bind | 4 ++-- > 2 files changed, 9 insertions(+), 12 deletions(-) >=20 > diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind > index 5aea1853b..879f8c832 100644 > --- a/config/rootfiles/common/bind > +++ b/config/rootfiles/common/bind > @@ -157,7 +157,6 @@ usr/bin/nsupdate > #usr/include/isc/heap.h > #usr/include/isc/hex.h > #usr/include/isc/hmac.h > -#usr/include/isc/hp.h > #usr/include/isc/ht.h > #usr/include/isc/httpd.h > #usr/include/isc/interfaceiter.h > @@ -175,7 +174,6 @@ usr/bin/nsupdate > #usr/include/isc/mem.h > #usr/include/isc/meminfo.h > #usr/include/isc/mutex.h > -#usr/include/isc/mutexatomic.h > #usr/include/isc/mutexblock.h > #usr/include/isc/net.h > #usr/include/isc/netaddr.h > @@ -191,7 +189,6 @@ usr/bin/nsupdate > #usr/include/isc/pool.h > #usr/include/isc/portset.h > #usr/include/isc/print.h > -#usr/include/isc/queue.h > #usr/include/isc/quota.h > #usr/include/isc/radix.h > #usr/include/isc/random.h > @@ -274,24 +271,24 @@ usr/bin/nsupdate > #usr/include/pk11/site.h > #usr/include/pkcs11 > #usr/include/pkcs11/pkcs11.h > -usr/lib/libbind9-9.16.32.so > +usr/lib/libbind9-9.16.33.so > #usr/lib/libbind9.la > #usr/lib/libbind9.so > -usr/lib/libdns-9.16.32.so > +usr/lib/libdns-9.16.33.so > #usr/lib/libdns.la > #usr/lib/libdns.so > -usr/lib/libirs-9.16.32.so > +usr/lib/libirs-9.16.33.so > #usr/lib/libirs.la > #usr/lib/libirs.so > -usr/lib/libisc-9.16.32.so > +usr/lib/libisc-9.16.33.so > #usr/lib/libisc.la > #usr/lib/libisc.so > -usr/lib/libisccc-9.16.32.so > +usr/lib/libisccc-9.16.33.so > #usr/lib/libisccc.la > #usr/lib/libisccc.so > -usr/lib/libisccfg-9.16.32.so > +usr/lib/libisccfg-9.16.33.so > #usr/lib/libisccfg.la > #usr/lib/libisccfg.so > -usr/lib/libns-9.16.32.so > +usr/lib/libns-9.16.33.so > #usr/lib/libns.la > #usr/lib/libns.so > diff --git a/lfs/bind b/lfs/bind > index bb5c26e1e..aeff480a2 100644 > --- a/lfs/bind > +++ b/lfs/bind > @@ -25,7 +25,7 @@ > =20 > include Config > =20 > -VER =3D 9.16.32 > +VER =3D 9.16.33 > =20 > THISAPP =3D bind-$(VER) > DL_FILE =3D $(THISAPP).tar.xz > @@ -43,7 +43,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D df6f2c878138015da580dfaf0e16b5a97b11ead9f99c1425a09d= a8484954196ea3dafb828ac3ab386200ce2b180646c7eb1e0e62a84c153162270a4a1e19a5fc > +$(DL_FILE)_BLAKE2 =3D 4246b61ce91af3d494ace4b8065b4c0043b2cfaf28c6de326691= a969837e7d1cfbc0dac6b1e1a5182fc32af68048abcfa1202d00022951f3caa13afb03ebeb69 > =20 > install : $(TARGET) > =20 --===============0943496245987092722==--