Re: [PATCH] bind: Update to 9.11.32

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3599 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> For details see:
> https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html
> 
> "Notes for BIND 9.11.32
> Feature Changes
> 
>     DNSSEC responses containing NSEC3 records with iteration counts
>     greater than 150 are now treated as insecure. [GL #2445]
> 
>     The maximum supported number of NSEC3 iterations that can be
>     configured for a zone has been reduced to 150. [GL #2642]
> 
>     The implementation of the ZONEMD RR type has been updated to match
>     RFC 8976. [GL #2658]
> 
> Notes for BIND 9.11.31
> Security Fixes
> 
>     A malformed incoming IXFR transfer could trigger an assertion
>     failure in named, causing it to quit abnormally. (CVE-2021-25214)
> 
>     ISC would like to thank Greg Kuechle of SaskTel for bringing this
>     vulnerability to our attention. [GL #2467]
> 
>     named crashed when a DNAME record placed in the ANSWER section
>     during DNAME chasing turned out to be the final answer to a client
>     query. (CVE-2021-25215)
> 
>     ISC would like to thank Siva Kakarla for bringing this vulnerability
>     to our attention. [GL #2540]
> 
>     When a server's configuration set the tkey-gssapi-keytab
>     or tkey-gssapi-credential option, a specially crafted GSS-TSIG query
>     could cause a buffer overflow in the ISC implementation of SPNEGO
>     (a protocol enabling negotiation of the security mechanism used for
>     GSSAPI authentication). This flaw could be exploited to crash named
>     binaries compiled for 64-bit platforms, and could enable remote code
>     execution when named was compiled for 32-bit platforms.
>     (CVE-2021-25216)
> 
>     This vulnerability was reported to us as ZDI-CAN-13347 by Trend
>     Micro Zero Day Initiative. [GL #2604]
> 
> Feature Changes
> 
>     The ISC implementation of SPNEGO was removed from BIND 9 source
>     code. Instead, BIND 9 now always uses the SPNEGO implementation
>     provided by the system GSSAPI library when it is built with GSSAPI
>     support. All major contemporary Kerberos/GSSAPI libraries contain
>     an implementation of the SPNEGO mechanism. [GL #2607]
> 
> Notes for BIND 9.11.30
> 
> The BIND 9.11.30 release was withdrawn after a backporting bug was
> discovered during pre-release testing. ISC would like to acknowledge the
> assistance of Natan Segal of Bluecat Networks.2"
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>  config/rootfiles/common/bind | 4 ++--
>  lfs/bind                     | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
> index 7e1ecd48f..6fb228a5a 100644
> --- a/config/rootfiles/common/bind
> +++ b/config/rootfiles/common/bind
> @@ -272,8 +272,8 @@ usr/lib/libbind9.so.161
>  usr/lib/libbind9.so.161.0.4
>  #usr/lib/libdns.la
>  #usr/lib/libdns.so
> -usr/lib/libdns.so.1113
> -usr/lib/libdns.so.1113.0.2
> +usr/lib/libdns.so.1115
> +usr/lib/libdns.so.1115.0.0
>  #usr/lib/libisc.la
>  #usr/lib/libisc.so
>  usr/lib/libisc.so.1107
> diff --git a/lfs/bind b/lfs/bind
> index c0c7c5ebf..0545066b7 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
>  
>  include Config
>  
> -VER        = 9.11.29
> +VER        = 9.11.32
>  
>  THISAPP    = bind-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 439d5491dfea08be032a1f9ca5a54faa
> +$(DL_FILE)_MD5 = 0d029dd06ca60c6739c3189c999ef757
>  
>  install : $(TARGET)
>  
>