* [PATCH] bind: Update to 9.11.32
@ 2021-05-22 13:29 Matthias Fischer
2021-05-22 16:34 ` Peter Müller
0 siblings, 1 reply; 2+ messages in thread
From: Matthias Fischer @ 2021-05-22 13:29 UTC (permalink / raw)
To: development
For details see:
https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html
"Notes for BIND 9.11.32
Feature Changes
DNSSEC responses containing NSEC3 records with iteration counts
greater than 150 are now treated as insecure. [GL #2445]
The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. [GL #2642]
The implementation of the ZONEMD RR type has been updated to match
RFC 8976. [GL #2658]
Notes for BIND 9.11.31
Security Fixes
A malformed incoming IXFR transfer could trigger an assertion
failure in named, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. [GL #2467]
named crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank Siva Kakarla for bringing this vulnerability
to our attention. [GL #2540]
When a server's configuration set the tkey-gssapi-keytab
or tkey-gssapi-credential option, a specially crafted GSS-TSIG query
could cause a buffer overflow in the ISC implementation of SPNEGO
(a protocol enabling negotiation of the security mechanism used for
GSSAPI authentication). This flaw could be exploited to crash named
binaries compiled for 64-bit platforms, and could enable remote code
execution when named was compiled for 32-bit platforms.
(CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend
Micro Zero Day Initiative. [GL #2604]
Feature Changes
The ISC implementation of SPNEGO was removed from BIND 9 source
code. Instead, BIND 9 now always uses the SPNEGO implementation
provided by the system GSSAPI library when it is built with GSSAPI
support. All major contemporary Kerberos/GSSAPI libraries contain
an implementation of the SPNEGO mechanism. [GL #2607]
Notes for BIND 9.11.30
The BIND 9.11.30 release was withdrawn after a backporting bug was
discovered during pre-release testing. ISC would like to acknowledge the
assistance of Natan Segal of Bluecat Networks.2"
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
config/rootfiles/common/bind | 4 ++--
lfs/bind | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index 7e1ecd48f..6fb228a5a 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -272,8 +272,8 @@ usr/lib/libbind9.so.161
usr/lib/libbind9.so.161.0.4
#usr/lib/libdns.la
#usr/lib/libdns.so
-usr/lib/libdns.so.1113
-usr/lib/libdns.so.1113.0.2
+usr/lib/libdns.so.1115
+usr/lib/libdns.so.1115.0.0
#usr/lib/libisc.la
#usr/lib/libisc.so
usr/lib/libisc.so.1107
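Review bot: The libdns soname moves from 1113 to 1115 at `usr/lib/libdns.so.1115`, so anything else in the distribution that links against `libdns.so.1113` will fail to load once the old file is removed. Please confirm that no other package depends on the old soname, or schedule those packages for a rebuild in the same update. It would also help to state in the commit message that the unchanged `libbind9.so.161.0.4` and `libisc.so.1107` entries were checked against the new build rather than carried over.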
diff --git a/lfs/bind b/lfs/bind
index c0c7c5ebf..0545066b7 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
include Config
-VER = 9.11.29
+VER = 9.11.32
THISAPP = bind-$(VER)
DL_FILE = $(THISAPP).tar.gz
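Review bot: At `VER = 9.11.32`, the version does not line up with the release notes link in the commit message, which sits under the `9.11.31/` directory while naming the 9.11.32 notes file. Please check which URL actually resolves and correct the message so the reference matches this version. Since the jump from 9.11.29 pulls in the fixes for CVE-2021-25214, CVE-2021-25215 and CVE-2021-25216, naming them in the subject line would make the security relevance visible in the log.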
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 439d5491dfea08be032a1f9ca5a54faa
+$(DL_FILE)_MD5 = 0d029dd06ca60c6739c3189c999ef757
install : $(TARGET)
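Review bot: The `$(DL_FILE)_MD5` line is the only integrity check on the new tarball visible in this hunk, and MD5 does not resist deliberate collisions. For a release that fixes a remote code execution bug, please confirm the tarball was verified against the signature ISC publishes before this value was recorded, and say so in the commit message. If the build system supports a stronger digest for `DL_FILE`, adding it next to the MD5 would be preferable.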
--
2.18.0
* Re: [PATCH] bind: Update to 9.11.32
2021-05-22 13:29 [PATCH] bind: Update to 9.11.32 Matthias Fischer
@ 2021-05-22 16:34 ` Peter Müller
0 siblings, 0 replies; 2+ messages in thread
From: Peter Müller @ 2021-05-22 16:34 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> For details see:
> https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html
>
> "Notes for BIND 9.11.32
> Feature Changes
>
> DNSSEC responses containing NSEC3 records with iteration counts
> greater than 150 are now treated as insecure. [GL #2445]
>
> The maximum supported number of NSEC3 iterations that can be
> configured for a zone has been reduced to 150. [GL #2642]
>
> The implementation of the ZONEMD RR type has been updated to match
> RFC 8976. [GL #2658]
>
> Notes for BIND 9.11.31
> Security Fixes
>
> A malformed incoming IXFR transfer could trigger an assertion
> failure in named, causing it to quit abnormally. (CVE-2021-25214)
>
> ISC would like to thank Greg Kuechle of SaskTel for bringing this
> vulnerability to our attention. [GL #2467]
>
> named crashed when a DNAME record placed in the ANSWER section
> during DNAME chasing turned out to be the final answer to a client
> query. (CVE-2021-25215)
>
> ISC would like to thank Siva Kakarla for bringing this vulnerability
> to our attention. [GL #2540]
>
> When a server's configuration set the tkey-gssapi-keytab
> or tkey-gssapi-credential option, a specially crafted GSS-TSIG query
> could cause a buffer overflow in the ISC implementation of SPNEGO
> (a protocol enabling negotiation of the security mechanism used for
> GSSAPI authentication). This flaw could be exploited to crash named
> binaries compiled for 64-bit platforms, and could enable remote code
> execution when named was compiled for 32-bit platforms.
> (CVE-2021-25216)
>
> This vulnerability was reported to us as ZDI-CAN-13347 by Trend
> Micro Zero Day Initiative. [GL #2604]
>
> Feature Changes
>
> The ISC implementation of SPNEGO was removed from BIND 9 source
> code. Instead, BIND 9 now always uses the SPNEGO implementation
> provided by the system GSSAPI library when it is built with GSSAPI
> support. All major contemporary Kerberos/GSSAPI libraries contain
> an implementation of the SPNEGO mechanism. [GL #2607]
>
> Notes for BIND 9.11.30
>
> The BIND 9.11.30 release was withdrawn after a backporting bug was
> discovered during pre-release testing. ISC would like to acknowledge the
> assistance of Natan Segal of Bluecat Networks.2"
>
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
> config/rootfiles/common/bind | 4 ++--
> lfs/bind | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
> index 7e1ecd48f..6fb228a5a 100644
> --- a/config/rootfiles/common/bind
> +++ b/config/rootfiles/common/bind
> @@ -272,8 +272,8 @@ usr/lib/libbind9.so.161
> usr/lib/libbind9.so.161.0.4
> #usr/lib/libdns.la
> #usr/lib/libdns.so
> -usr/lib/libdns.so.1113
> -usr/lib/libdns.so.1113.0.2
> +usr/lib/libdns.so.1115
> +usr/lib/libdns.so.1115.0.0
> #usr/lib/libisc.la
> #usr/lib/libisc.so
> usr/lib/libisc.so.1107
> diff --git a/lfs/bind b/lfs/bind
> index c0c7c5ebf..0545066b7 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
>
> include Config
>
> -VER = 9.11.29
> +VER = 9.11.32
>
> THISAPP = bind-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = 439d5491dfea08be032a1f9ca5a54faa
> +$(DL_FILE)_MD5 = 0d029dd06ca60c6739c3189c999ef757
>
> install : $(TARGET)
>
>