From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] bind: Update to 9.16.33
Date: Fri, 23 Sep 2022 09:03:02 +0200
Message-ID: <20220923070302.4103660-1-matthias.fischer@ipfire.org>

For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33

"Security Fixes

Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of named running as a recursive
resolver. This has been fixed. (CVE-2022-2795)

ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. [GL #3394]

named running as a resolver with the stale-answer-client-timeout option
set to 0 could crash with an assertion failure, when there was a stale
CNAME in the cache for the incoming query. This has been fixed.
(CVE-2022-3080) [GL #3517]

A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
#3487]

Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
#3487]

Feature Changes

Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name, to
prevent circumventing the limits enforced by RRL. [GL #3459]

Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]

A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the domain
to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
#3485]

Bug Fixes

A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. [GL #2982]"

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
config/rootfiles/common/bind | 17 +++++++----------
lfs/bind | 4 ++--
2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index 5aea1853b..879f8c832 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -157,7 +157,6 @@ usr/bin/nsupdate
#usr/include/isc/heap.h
#usr/include/isc/hex.h
#usr/include/isc/hmac.h
-#usr/include/isc/hp.h
#usr/include/isc/ht.h
#usr/include/isc/httpd.h
#usr/include/isc/interfaceiter.h
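Review bot: The dropped entry `#usr/include/isc/hp.h` in this hunk (and likewise `isc/mutexatomic.h` and `isc/queue.h` in the next two hunks) is not mentioned in the commit message, which only quotes the upstream release notes. The lines are commented-out rootfile entries, but a one-line remark that these three headers are no longer installed by 9.16.33 would show that the removals come from a fresh build and are not an accidental edit.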
@@ -175,7 +174,6 @@ usr/bin/nsupdate
#usr/include/isc/mem.h
#usr/include/isc/meminfo.h
#usr/include/isc/mutex.h
-#usr/include/isc/mutexatomic.h
#usr/include/isc/mutexblock.h
#usr/include/isc/net.h
#usr/include/isc/netaddr.h
@@ -191,7 +189,6 @@ usr/bin/nsupdate
#usr/include/isc/pool.h
#usr/include/isc/portset.h
#usr/include/isc/print.h
-#usr/include/isc/queue.h
#usr/include/isc/quota.h
#usr/include/isc/radix.h
#usr/include/isc/random.h
@@ -274,24 +271,24 @@ usr/bin/nsupdate
#usr/include/pk11/site.h
#usr/include/pkcs11
#usr/include/pkcs11/pkcs11.h
-usr/lib/libbind9-9.16.32.so
+usr/lib/libbind9-9.16.33.so
#usr/lib/libbind9.la
#usr/lib/libbind9.so
-usr/lib/libdns-9.16.32.so
+usr/lib/libdns-9.16.33.so
#usr/lib/libdns.la
#usr/lib/libdns.so
-usr/lib/libirs-9.16.32.so
+usr/lib/libirs-9.16.33.so
#usr/lib/libirs.la
#usr/lib/libirs.so
-usr/lib/libisc-9.16.32.so
+usr/lib/libisc-9.16.33.so
#usr/lib/libisc.la
#usr/lib/libisc.so
-usr/lib/libisccc-9.16.32.so
+usr/lib/libisccc-9.16.33.so
#usr/lib/libisccc.la
#usr/lib/libisccc.so
-usr/lib/libisccfg-9.16.32.so
+usr/lib/libisccfg-9.16.33.so
#usr/lib/libisccfg.la
#usr/lib/libisccfg.so
-usr/lib/libns-9.16.32.so
+usr/lib/libns-9.16.33.so
#usr/lib/libns.la
#usr/lib/libns.so
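Review bot: The seven uncommented entries in this hunk are renamed from `-9.16.32.so` to `-9.16.33.so`, so the old versioned libraries are no longer listed anywhere in the rootfile. Please confirm that the update shipping this change removes the `usr/lib/lib*-9.16.32.so` files from installed systems and that nothing outside the bind package still links against them; otherwise the pre-fix libraries stay on disk after the security update.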
diff --git a/lfs/bind b/lfs/bind
index bb5c26e1e..aeff480a2 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
include Config
-VER = 9.16.32
+VER = 9.16.33
THISAPP = bind-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = df6f2c878138015da580dfaf0e16b5a97b11ead9f99c1425a09da8484954196ea3dafb828ac3ab386200ce2b180646c7eb1e0e62a84c153162270a4a1e19a5fc
+$(DL_FILE)_BLAKE2 = 4246b61ce91af3d494ace4b8065b4c0043b2cfaf28c6de326691a969837e7d1cfbc0dac6b1e1a5182fc32af68048abcfa1202d00022951f3caa13afb03ebeb69
install : $(TARGET)
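Review bot: The new `$(DL_FILE)_BLAKE2` value cannot be checked from the patch itself, and the commit message does not say how the tarball was obtained or verified. It would help to state that `bind-9.16.33.tar.xz` was fetched from downloads.isc.org and checked against ISC's published signature before the digest was computed, so the pinned hash is tied to an authenticated upstream artifact.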
--
2.34.1