For details see: https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-fo...
"Security Fixes
The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP sockets in the CLOSE_WAIT state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]
Feature Changes
DEBUG(1)-level messages were added when starting and ending the BIND 9 task-exclusive mode that stops normal DNS operation (e.g. for reconfiguration, interface scans, and other events that require exclusive access to a shared resource). [GL #3137]
Bug Fixes
The max-transfer-time-out and max-transfer-idle-out options were not implemented when the BIND 9 networking stack was refactored in 9.16. The missing functionality has been re-implemented and outgoing zone transfers now time out properly when not progressing. [GL #1897]
TCP connections could hang indefinitely if the other party did not read sent data, causing the TCP write buffers to fill. This has been fixed by adding a “write” timer. Connections that are hung while writing now time out after the tcp-idle-timeout period has elapsed. [GL #3132]
The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could be miscalculated in certain resolution scenarios, potentially causing the value of the counter to drop below zero. This has been fixed. [GL #3147]"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- config/rootfiles/common/bind | 14 +++++++------- lfs/bind | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index c0e56854a..df3df4f47 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -274,24 +274,24 @@ usr/bin/nsupdate #usr/include/pk11/site.h #usr/include/pkcs11 #usr/include/pkcs11/pkcs11.h -usr/lib/libbind9-9.16.26.so +usr/lib/libbind9-9.16.27.so #usr/lib/libbind9.la #usr/lib/libbind9.so -usr/lib/libdns-9.16.26.so +usr/lib/libdns-9.16.27.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libirs-9.16.26.so +usr/lib/libirs-9.16.27.so #usr/lib/libirs.la #usr/lib/libirs.so -usr/lib/libisc-9.16.26.so +usr/lib/libisc-9.16.27.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.16.26.so +usr/lib/libisccc-9.16.27.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.16.26.so +usr/lib/libisccfg-9.16.27.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.16.26.so +usr/lib/libns-9.16.27.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index 72c85f5f5..d8970a2af 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@
include Config
-VER = 9.16.26 +VER = 9.16.27
THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 799696f44e0d61659fa0efaa3c5fe5d8 +$(DL_FILE)_MD5 = db71eecaf698660da37581c42ce9f904
install : $(TARGET)
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 22 Mar 2022, at 17:32, Matthias Fischer matthias.fischer@ipfire.org wrote:
For details see: https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-fo...
"Security Fixes
The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP sockets in the CLOSE_WAIT state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]
Feature Changes
DEBUG(1)-level messages were added when starting and ending the BIND 9 task-exclusive mode that stops normal DNS operation (e.g. for reconfiguration, interface scans, and other events that require exclusive access to a shared resource). [GL #3137]
Bug Fixes
The max-transfer-time-out and max-transfer-idle-out options were not implemented when the BIND 9 networking stack was refactored in 9.16. The missing functionality has been re-implemented and outgoing zone transfers now time out properly when not progressing. [GL #1897]
TCP connections could hang indefinitely if the other party did not read sent data, causing the TCP write buffers to fill. This has been fixed by adding a “write” timer. Connections that are hung while writing now time out after the tcp-idle-timeout period has elapsed. [GL #3132]
The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could be miscalculated in certain resolution scenarios, potentially causing the value of the counter to drop below zero. This has been fixed. [GL #3147]"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
config/rootfiles/common/bind | 14 +++++++------- lfs/bind | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index c0e56854a..df3df4f47 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -274,24 +274,24 @@ usr/bin/nsupdate #usr/include/pk11/site.h #usr/include/pkcs11 #usr/include/pkcs11/pkcs11.h -usr/lib/libbind9-9.16.26.so +usr/lib/libbind9-9.16.27.so #usr/lib/libbind9.la #usr/lib/libbind9.so -usr/lib/libdns-9.16.26.so +usr/lib/libdns-9.16.27.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libirs-9.16.26.so +usr/lib/libirs-9.16.27.so #usr/lib/libirs.la #usr/lib/libirs.so -usr/lib/libisc-9.16.26.so +usr/lib/libisc-9.16.27.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.16.26.so +usr/lib/libisccc-9.16.27.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.16.26.so +usr/lib/libisccfg-9.16.27.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.16.26.so +usr/lib/libns-9.16.27.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index 72c85f5f5..d8970a2af 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@
include Config
-VER = 9.16.26 +VER = 9.16.27
THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 799696f44e0d61659fa0efaa3c5fe5d8 +$(DL_FILE)_MD5 = db71eecaf698660da37581c42ce9f904
install : $(TARGET)
-- 2.25.1
-
Matthias Fischer -
Michael Tremer