From patchwork Sat May 22 13:29:30 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 4360
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] bind: Update to 9.11.32
Date: Sat, 22 May 2021 15:29:30 +0200
Message-Id: <20210522132930.3598-1-matthias.fischer@ipfire.org>

For details see:
https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html

"Notes for BIND 9.11.32

Feature Changes

DNSSEC responses containing NSEC3 records with iteration counts greater than 150 are now treated as insecure. [GL #2445]

The maximum supported number of NSEC3 iterations that can be configured for a zone has been reduced to 150. [GL #2642]

The implementation of the ZONEMD RR type has been updated to match RFC 8976. [GL #2658]

Notes for BIND 9.11.31

Security Fixes

A malformed incoming IXFR transfer could trigger an assertion failure in named, causing it to quit abnormally. (CVE-2021-25214) ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. [GL #2467]

named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. (CVE-2021-25215) ISC would like to thank Siva Kakarla for bringing this vulnerability to our attention. [GL #2540]

When a server's configuration set the tkey-gssapi-keytab or tkey-gssapi-credential option, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism used for GSSAPI authentication). This flaw could be exploited to crash named binaries compiled for 64-bit platforms, and could enable remote code execution when named was compiled for 32-bit platforms.
(CVE-2021-25216) This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro Zero Day Initiative. [GL #2604]

Feature Changes

The ISC implementation of SPNEGO was removed from BIND 9 source code. Instead, BIND 9 now always uses the SPNEGO implementation provided by the system GSSAPI library when it is built with GSSAPI support. All major contemporary Kerberos/GSSAPI libraries contain an implementation of the SPNEGO mechanism. [GL #2607]

Notes for BIND 9.11.30

The BIND 9.11.30 release was withdrawn after a backporting bug was discovered during pre-release testing. ISC would like to acknowledge the assistance of Natan Segal of Bluecat Networks."

Signed-off-by: Matthias Fischer
Reviewed-by: Peter Müller
--- config/rootfiles/common/bind | 4 ++-- lfs/bind | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index 7e1ecd48f..6fb228a5a 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -272,8 +272,8 @@ usr/lib/libbind9.so.161 usr/lib/libbind9.so.161.0.4 #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libdns.so.1113 -usr/lib/libdns.so.1113.0.2 +usr/lib/libdns.so.1115 +usr/lib/libdns.so.1115.0.0 #usr/lib/libisc.la #usr/lib/libisc.so usr/lib/libisc.so.1107 diff --git a/lfs/bind b/lfs/bind index c0c7c5ebf..0545066b7 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.11.29 +VER = 9.11.32 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 439d5491dfea08be032a1f9ca5a54faa +$(DL_FILE)_MD5 = 0d029dd06ca60c6739c3189c999ef757 install : $(TARGET)
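
Review bot: the libdns soname moves from libdns.so.1113 to libdns.so.1115 in the config/rootfiles/common/bind hunk, so any binary outside this package that still links libdns.so.1113 will fail to load once the old file is gone. Please confirm nothing else in the tree links the old soname, and that the unchanged libbind9.so.161.0.4 and libisc.so.1107 entries in the context lines were checked against the new build rather than carried over.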
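
Review bot: VER in the first lfs/bind hunk is set to 9.11.32, but the release-notes link in the commit message uses the 9.11.31 directory (bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html). Please check that the link resolves and correct the path if it should read 9.11.32.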
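
Review bot: the only integrity value updated in the second lfs/bind hunk is $(DL_FILE)_MD5, and MD5 is not collision resistant, so it guards against a corrupted download but not against a substituted tarball. Since this update carries the fixes for CVE-2021-25214, CVE-2021-25215 and CVE-2021-25216, please state in the commit message that bind-9.11.32.tar.gz was verified against ISC's published signature before this checksum was recorded.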