From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] bind: Update to version 9.20.9
Date: Thu, 22 May 2025 15:08:30 +0200
Message-ID: <20250522130831.3292097-2-adolf.belka@ipfire.org>
In-Reply-To: <20250522130831.3292097-1-adolf.belka@ipfire.org>
References: <20250522130831.3292097-1-adolf.belka@ipfire.org>
Precedence: list
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

- Update from version 9.20.8 to 9.20.9
- Update of rootfile
- Changelog
    9.20.9
      Security Fixes
      - [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
        ``b8c198ac5ca``
        DNS messages that included a Transaction Signature (TSIG) containing an
        invalid value in the algorithm field caused :iscman:`named` to crash
        with an assertion failure. This has been fixed. :cve:`2025-40775`
        :gl:`#5300`
      Feature Changes
      - Use jinja2 templates in system tests. ``8f545784ff0``
        `python-jinja2` is now required to run system tests. :gl:`#4938`
        :gl:`!10396`
      Bug Fixes
      - Fix EDNS yaml output. ``8c3b226d89b``
        `dig` was producing invalid YAML when displaying some EDNS options.
        This has been corrected.
        Several other improvements have been made to the display of EDNS
        option data:
        - We now use the correct name for the UPDATE-LEASE option, which was
          previously displayed as "UL", and split it into separate LEASE and
          LEASE-KEY components in YAML mode.
        - Human-readable durations are now displayed as comments in YAML mode
          so as not to interfere with machine parsing.
        - KEY-TAG options are now displayed as an array of integers in YAML
          mode.
        - EDNS COOKIE options are displayed as separate CLIENT and SERVER
          components, and cookie STATUS is a retrievable variable in YAML mode.
        :gl:`#5014` :gl:`!10414`
      - Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``
        This change allows the client to identify the server that returns the
        BADVERS and to provide a DNS SERVER COOKIE to be included in the resend
        of the request. :gl:`#5235` :gl:`!10392`
      - Disable own memory context for libxml2 on macOS. ``51e51d5ea8f``
        Apple broke custom memory allocation functions in the system-wide
        libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory
        allocation functions has been disabled on macOS. :gl:`#5268`
        :gl:`!10411`
      - `check_private` failed to account for the length byte before the OID.
        ``2b827380e75``
        In PRIVATEOID keys, the key data begins with a length byte followed by
        an ASN.1 object identifier that indicates the cryptographic algorithm
        to use. Previously, the length byte was not accounted for when checking
        the contents of keys and signatures, which could have led to
        interoperability problems with any zones signed using PRIVATEOID. This
        has been fixed. :gl:`#5270` :gl:`!10376`
      - Fix a serve-stale issue with a delegated zone. ``d839d11bf62``
        When ``stale-answer-client-timeout 0`` option was enabled, it could be
        ignored when resolving a zone which is a delegation of an authoritative
        zone belonging to the resolver. This has been fixed. :gl:`#5275`
        :gl:`!10420`
      - Fix the ksr two-tone test. ``3e2b255b5b7``
        The two-tone ksr subtest (test_ksr_twotone) depended on the
        dnssec-policy keys algorithm values in named.conf being entered in
        numerical order. As the algorithms used in the test can be selected
        randomly this does not always happen. Sort the dnssec-policy keys by
        algorithm when adding them to the key list from named.conf. :gl:`#5286`
        :gl:`!10435`
      - Revert NSEC3 closest encloser lookup improvements. ``ac41f158fad``
        The performance improvements for NSEC3 closest encloser lookups that
        were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
        records to be returned in nonexistence proofs and were therefore
        reverted again. :gl:`#5292` :gl:`!10443`

Signed-off-by: Adolf Belka --- config/rootfiles/common/bind | 10 +++++----- lfs/bind | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index 0beffd862..23d8cd20b 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -240,18 +240,18 @@ usr/bin/nsupdate #usr/include/ns/types.h #usr/include/ns/update.h #usr/include/ns/xfrout.h -usr/lib/libdns-9.20.8.so +usr/lib/libdns-9.20.9.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libisc-9.20.8.so +usr/lib/libisc-9.20.9.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.20.8.so +usr/lib/libisccc-9.20.9.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.20.8.so +usr/lib/libisccfg-9.20.9.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.20.8.so +usr/lib/libns-9.20.9.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index 330501460..6d448f728 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.20.8 +VER = 9.20.9 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = cc8f9de7cff23af113c48d365d41774f5141f937091b2f97e682104be03e64c86eb6f00a5f2e43ac4a3472c24b2909ca0d4cb82194cf4e8e510d5dded40ddd5a +$(DL_FILE)_BLAKE2 = 40a1428d2da9d92b3604f04234b2ff44701abcf2ea22883caea7fb4ee157547125fd68accb8fe10853ff64cd5018fa89e36eeb53021fa3ee9bc056e05ac228d6 install : $(TARGET) -- 2.49.0
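Review bot: In the config/rootfiles/common/bind hunk, the five versioned entries (usr/lib/libdns-9.20.8.so through usr/lib/libns-9.20.8.so) are swapped for their 9.20.9 names, but nothing visible in the patch removes the old 9.20.8 files from systems that are already installed. Since the changelog lists a security fix (CVE-2025-40775) for this release, please confirm that the update path deletes the 9.20.8 libraries so that no stale copies stay on disk after the upgrade.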
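Review bot: The `VER = 9.20.9` bump in the first lfs/bind hunk brings in the CVE-2025-40775 fix listed in the changelog, yet the subject line reads only "bind: Update to version 9.20.9". Consider naming the CVE or marking the patch as a security update in the subject, so it is easy to spot when deciding what goes into the next update.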
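Review bot: The new `$(DL_FILE)_BLAKE2` value in the second lfs/bind hunk cannot be checked from the patch alone, and the commit message does not say how the bind-9.20.9.tar.xz tarball was authenticated before it was hashed. Please note in the commit message that the tarball was verified against the upstream release signature before the BLAKE2 sum was computed, so the pinned hash is known to match the upstream release rather than whatever happened to be downloaded.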