Reviewed-by: Peter Müller > For details see: > https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html > > "Notes for BIND 9.11.32 > Feature Changes > > DNSSEC responses containing NSEC3 records with iteration counts > greater than 150 are now treated as insecure. [GL #2445] > > The maximum supported number of NSEC3 iterations that can be > configured for a zone has been reduced to 150. [GL #2642] > > The implementation of the ZONEMD RR type has been updated to match > RFC 8976. [GL #2658] > > Notes for BIND 9.11.31 > Security Fixes > > A malformed incoming IXFR transfer could trigger an assertion > failure in named, causing it to quit abnormally. (CVE-2021-25214) > > ISC would like to thank Greg Kuechle of SaskTel for bringing this > vulnerability to our attention. [GL #2467] > > named crashed when a DNAME record placed in the ANSWER section > during DNAME chasing turned out to be the final answer to a client > query. (CVE-2021-25215) > > ISC would like to thank Siva Kakarla for bringing this vulnerability > to our attention. [GL #2540] > > When a server's configuration set the tkey-gssapi-keytab > or tkey-gssapi-credential option, a specially crafted GSS-TSIG query > could cause a buffer overflow in the ISC implementation of SPNEGO > (a protocol enabling negotiation of the security mechanism used for > GSSAPI authentication). This flaw could be exploited to crash named > binaries compiled for 64-bit platforms, and could enable remote code > execution when named was compiled for 32-bit platforms. > (CVE-2021-25216) > > This vulnerability was reported to us as ZDI-CAN-13347 by Trend > Micro Zero Day Initiative. [GL #2604] > > Feature Changes > > The ISC implementation of SPNEGO was removed from BIND 9 source > code. Instead, BIND 9 now always uses the SPNEGO implementation > provided by the system GSSAPI library when it is built with GSSAPI > support. 
All major contemporary Kerberos/GSSAPI libraries contain > an implementation of the SPNEGO mechanism. [GL #2607] > > Notes for BIND 9.11.30 > > The BIND 9.11.30 release was withdrawn after a backporting bug was > discovered during pre-release testing. ISC would like to acknowledge the > assistance of Natan Segal of Bluecat Networks.2" > > Signed-off-by: Matthias Fischer > --- > config/rootfiles/common/bind | 4 ++-- > lfs/bind | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind > index 7e1ecd48f..6fb228a5a 100644 > --- a/config/rootfiles/common/bind > +++ b/config/rootfiles/common/bind > @@ -272,8 +272,8 @@ usr/lib/libbind9.so.161 > usr/lib/libbind9.so.161.0.4 > #usr/lib/libdns.la > #usr/lib/libdns.so > -usr/lib/libdns.so.1113 > -usr/lib/libdns.so.1113.0.2 > +usr/lib/libdns.so.1115 > +usr/lib/libdns.so.1115.0.0 > #usr/lib/libisc.la > #usr/lib/libisc.so > usr/lib/libisc.so.1107 > diff --git a/lfs/bind b/lfs/bind > index c0c7c5ebf..0545066b7 100644 > --- a/lfs/bind > +++ b/lfs/bind > @@ -25,7 +25,7 @@ > > include Config > > -VER = 9.11.29 > +VER = 9.11.32 > > THISAPP = bind-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 439d5491dfea08be032a1f9ca5a54faa > +$(DL_FILE)_MD5 = 0d029dd06ca60c6739c3189c999ef757 > > install : $(TARGET) > >
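Review bot: in config/rootfiles/common/bind (hunk @@ -272,8 +272,8 @@), the soname moves from `usr/lib/libdns.so.1113` to `usr/lib/libdns.so.1115`, but nothing in this patch shows the old `libdns.so.1113.0.2` being removed on systems that upgrade, or other consumers of the 1113 soname being rebuilt. Please confirm both. Also confirm that the unchanged context entries (`usr/lib/libbind9.so.161.0.4`, `usr/lib/libisc.so.1107`) still match what 9.11.32 installs, since libdns is the only library touched here.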
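Review bot: in lfs/bind (hunk @@ -25,7 +25,7 @@), `VER = 9.11.32` is correct for the quoted notes, but the release-notes URL in the commit message mixes two versions: the path says `9.11.31` and the file name says `RELEASE-NOTES-bind-9.11.32.html`. Please fix the link so the reference for this bump resolves to the 9.11.32 notes. Since the step from 9.11.29 spans three upstream releases, it would also help to state in the message that the three CVE fixes listed under 9.11.31 are the reason for the update.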
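Review bot: in lfs/bind (hunk @@ -43,7 +43,7 @@), the only integrity value recorded for the new tarball is `$(DL_FILE)_MD5 = 0d029dd06ca60c6739c3189c999ef757`. MD5 catches a corrupted download but is not collision resistant, so it does not by itself tie the file to what ISC released. Please state in the commit message that the tarball was checked against the upstream signature before this hash was computed, and consider recording a stronger digest alongside it if the build system allows one.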