From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] bind: Update to 9.11.32
Date: Sat, 22 May 2021 18:34:12 +0200
Message-ID: <31c0ccc5-59c8-6fc4-8ad3-dbaede013928@ipfire.org>
In-Reply-To: <20210522132930.3598-1-matthias.fischer@ipfire.org>

Reviewed-by: Peter Müller

> For details see:
> https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html
>
> "Notes for BIND 9.11.32
> Feature Changes
>
> DNSSEC responses containing NSEC3 records with iteration counts
> greater than 150 are now treated as insecure. [GL #2445]
>
> The maximum supported number of NSEC3 iterations that can be
> configured for a zone has been reduced to 150. [GL #2642]
>
> The implementation of the ZONEMD RR type has been updated to match
> RFC 8976. [GL #2658]
>
> Notes for BIND 9.11.31
> Security Fixes
>
> A malformed incoming IXFR transfer could trigger an assertion
> failure in named, causing it to quit abnormally. (CVE-2021-25214)
>
> ISC would like to thank Greg Kuechle of SaskTel for bringing this
> vulnerability to our attention. [GL #2467]
>
> named crashed when a DNAME record placed in the ANSWER section
> during DNAME chasing turned out to be the final answer to a client
> query. (CVE-2021-25215)
>
> ISC would like to thank Siva Kakarla for bringing this vulnerability
> to our attention. [GL #2540]
>
> When a server's configuration set the tkey-gssapi-keytab
> or tkey-gssapi-credential option, a specially crafted GSS-TSIG query
> could cause a buffer overflow in the ISC implementation of SPNEGO
> (a protocol enabling negotiation of the security mechanism used for
> GSSAPI authentication).
This flaw could be exploited to crash named > binaries compiled for 64-bit platforms, and could enable remote code > execution when named was compiled for 32-bit platforms. > (CVE-2021-25216) > > This vulnerability was reported to us as ZDI-CAN-13347 by Trend > Micro Zero Day Initiative. [GL #2604] > > Feature Changes > > The ISC implementation of SPNEGO was removed from BIND 9 source > code. Instead, BIND 9 now always uses the SPNEGO implementation > provided by the system GSSAPI library when it is built with GSSAPI > support. All major contemporary Kerberos/GSSAPI libraries contain > an implementation of the SPNEGO mechanism. [GL #2607] > > Notes for BIND 9.11.30 > > The BIND 9.11.30 release was withdrawn after a backporting bug was > discovered during pre-release testing. ISC would like to acknowledge the > assistance of Natan Segal of Bluecat Networks.2" > > Signed-off-by: Matthias Fischer > --- > config/rootfiles/common/bind | 4 ++-- > lfs/bind | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind > index 7e1ecd48f..6fb228a5a 100644 > --- a/config/rootfiles/common/bind > +++ b/config/rootfiles/common/bind > @@ -272,8 +272,8 @@ usr/lib/libbind9.so.161 > usr/lib/libbind9.so.161.0.4 > #usr/lib/libdns.la > #usr/lib/libdns.so > -usr/lib/libdns.so.1113 > -usr/lib/libdns.so.1113.0.2 > +usr/lib/libdns.so.1115 > +usr/lib/libdns.so.1115.0.0 > #usr/lib/libisc.la > #usr/lib/libisc.so > usr/lib/libisc.so.1107 > diff --git a/lfs/bind b/lfs/bind > index c0c7c5ebf..0545066b7 100644 > --- a/lfs/bind > +++ b/lfs/bind > @@ -25,7 +25,7 @@ > > include Config > > -VER = 9.11.29 > +VER = 9.11.32 > > THISAPP = bind-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 439d5491dfea08be032a1f9ca5a54faa > +$(DL_FILE)_MD5 = 0d029dd06ca60c6739c3189c999ef757 > > install : $(TARGET) > > --===============3995191504397611097==--
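
Review bot: In config/rootfiles/common/bind the libdns soname moves from libdns.so.1113 to libdns.so.1115, so anything outside this package that was linked against libdns.so.1113 will no longer find its library after the update. Please confirm that nothing else in the tree links against it, or name the rebuilt packages in the commit message. The neighbouring entries (libbind9.so.161, libisc.so.1107) appear only as unchanged context, so it would also help to say the rootfile was compared against the files the 9.11.32 build actually installs.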
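
Review bot: The VER line in lfs/bind jumps from 9.11.29 to 9.11.32, but the release-notes link given in the commit message has 9.11.31 in its directory and 9.11.32 in its file name, which looks like a leftover from an earlier draft; please check the link and correct the directory if it does not resolve. The quoted notes also end with a stray "2" after "Bluecat Networks.", and since the jump brings in the fixes for CVE-2021-25214, CVE-2021-25215 and CVE-2021-25216, the subject line could say that this is a security update.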
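
Review bot: The $(DL_FILE)_MD5 line in lfs/bind is the only integrity check on the new tarball visible in this patch, and MD5 is not collision resistant. For a release that carries three CVE fixes, please state in the commit message that the download was verified against ISC's published signature (or a stronger digest) before the MD5 value 0d029dd06ca60c6739c3189c999ef757 was recorded.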
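
The NSEC3 iteration limit in the quoted 9.11.32 notes, as an added example that is not part of the patch, of IPFire or of BIND: it lists NSEC3PARAM records whose iteration count exceeds 150 and implements the RFC 5155 owner-name hash to show that every hashed name costs iterations + 1 SHA-1 rounds. The function names and the sample zone lines are constructed for illustration.

```python
import base64
import hashlib

MAX_ITERATIONS = 150  # limit stated in the quoted BIND 9.11.32 notes

# Translate the standard base32 alphabet to base32hex (RFC 4648).
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed sample zone lines; the first uses the RFC 5155 Appendix A values.
SAMPLE_ZONE = """\
example.      3600 IN NSEC3PARAM 1 0 12 aabbccdd
legacy.test.  3600 IN NSEC3PARAM 1 0 500 -   ; constructed, above the limit
"""


def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l.encode("ascii") for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hashed owner name: SHA-1 is applied iterations + 1 times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()


def audit_nsec3param(zone_text):
    """Return (owner, iterations, over_limit) per NSEC3PARAM record.

    Assumes one record per line with an explicit owner name."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "NSEC3PARAM" not in fields:
            continue
        i = fields.index("NSEC3PARAM")
        if len(fields) < i + 5 or not fields[i + 3].isdigit():
            continue  # malformed record: skip rather than guess
        # RDATA order: hash algorithm, flags, iterations, salt
        iterations = int(fields[i + 3])
        findings.append((fields[0], iterations, iterations > MAX_ITERATIONS))
    return findings


if __name__ == "__main__":
    for owner, iterations, over in audit_nsec3param(SAMPLE_ZONE):
        print(f"{owner} iterations={iterations} {'OVER LIMIT' if over else 'ok'}")
    print(nsec3_hash("example", "aabbccdd", 12))
```

A zone flagged here would be treated as insecure by validators running the quoted release, so its iteration count should be lowered before resolvers are updated.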