bind: Update to 9.16.27

Message ID 20220322173203.1633-1-matthias.fischer@ipfire.org
State Accepted
Commit 50194695055298912ca089852567039db023ba53
Series bind: Update to 9.16.27

Commit Message

Matthias Fischer March 22, 2022, 5:32 p.m. UTC
For details see:
https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-for-bind-9-16-27

"Security Fixes

    The rules for acceptance of records into the cache have been
    tightened to prevent the possibility of poisoning if forwarders send
    records outside the configured bailiwick. (CVE-2021-25220)

    ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
    Network and Information Security Lab, Tsinghua University, and
    Changgen Zou from Qi An Xin Group Corp. for bringing this
    vulnerability to our attention. [GL #2950]

    TCP connections with keep-response-order enabled could leave the TCP
    sockets in the CLOSE_WAIT state when the client did not properly
    shut down the connection. (CVE-2022-0396) [GL #3112]

Feature Changes

    DEBUG(1)-level messages were added when starting and ending the BIND
    9 task-exclusive mode that stops normal DNS operation (e.g. for
    reconfiguration, interface scans, and other events that require
    exclusive access to a shared resource). [GL #3137]

Bug Fixes

    The max-transfer-time-out and max-transfer-idle-out options were not
    implemented when the BIND 9 networking stack was refactored in 9.16.
    The missing functionality has been re-implemented and outgoing zone
    transfers now time out properly when not progressing. [GL #1897]

    TCP connections could hang indefinitely if the other party did not
    read sent data, causing the TCP write buffers to fill. This has been
    fixed by adding a “write” timer. Connections that are hung while
    writing now time out after the tcp-idle-timeout period has elapsed.
    [GL #3132]

    The statistics counter representing the current number of clients
    awaiting recursive resolution results (RecursClients) could
    be miscalculated in certain resolution scenarios, potentially
    causing the value of the counter to drop below zero. This has been
    fixed. [GL #3147]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/bind | 14 +++++++-------
 lfs/bind                     |  4 ++--
 2 files changed, 9 insertions(+), 9 deletions(-)
  

Comments

Michael Tremer March 23, 2022, 9:19 a.m. UTC | #1
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 22 Mar 2022, at 17:32, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> For details see:
> https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-for-bind-9-16-27
> 
> "Security Fixes
> 
>    The rules for acceptance of records into the cache have been
>    tightened to prevent the possibility of poisoning if forwarders send
>    records outside the configured bailiwick. (CVE-2021-25220)
> 
>    ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
>    Network and Information Security Lab, Tsinghua University, and
>    Changgen Zou from Qi An Xin Group Corp. for bringing this
>    vulnerability to our attention. [GL #2950]
> 
>    TCP connections with keep-response-order enabled could leave the TCP
>    sockets in the CLOSE_WAIT state when the client did not properly
>    shut down the connection. (CVE-2022-0396) [GL #3112]
> 
> Feature Changes
> 
>    DEBUG(1)-level messages were added when starting and ending the BIND
>    9 task-exclusive mode that stops normal DNS operation (e.g. for
>    reconfiguration, interface scans, and other events that require
>    exclusive access to a shared resource). [GL #3137]
> 
> Bug Fixes
> 
>    The max-transfer-time-out and max-transfer-idle-out options were not
>    implemented when the BIND 9 networking stack was refactored in 9.16.
>    The missing functionality has been re-implemented and outgoing zone
>    transfers now time out properly when not progressing. [GL #1897]
> 
>    TCP connections could hang indefinitely if the other party did not
>    read sent data, causing the TCP write buffers to fill. This has been
>    fixed by adding a “write” timer. Connections that are hung while
>    writing now time out after the tcp-idle-timeout period has elapsed.
>    [GL #3132]
> 
>    The statistics counter representing the current number of clients
>    awaiting recursive resolution results (RecursClients) could
>    be miscalculated in certain resolution scenarios, potentially
>    causing the value of the counter to drop below zero. This has been
>    fixed. [GL #3147]"
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> config/rootfiles/common/bind | 14 +++++++-------
> lfs/bind                     |  4 ++--
> 2 files changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
> index c0e56854a..df3df4f47 100644
> --- a/config/rootfiles/common/bind
> +++ b/config/rootfiles/common/bind
> @@ -274,24 +274,24 @@ usr/bin/nsupdate
> #usr/include/pk11/site.h
> #usr/include/pkcs11
> #usr/include/pkcs11/pkcs11.h
> -usr/lib/libbind9-9.16.26.so
> +usr/lib/libbind9-9.16.27.so
> #usr/lib/libbind9.la
> #usr/lib/libbind9.so
> -usr/lib/libdns-9.16.26.so
> +usr/lib/libdns-9.16.27.so
> #usr/lib/libdns.la
> #usr/lib/libdns.so
> -usr/lib/libirs-9.16.26.so
> +usr/lib/libirs-9.16.27.so
> #usr/lib/libirs.la
> #usr/lib/libirs.so
> -usr/lib/libisc-9.16.26.so
> +usr/lib/libisc-9.16.27.so
> #usr/lib/libisc.la
> #usr/lib/libisc.so
> -usr/lib/libisccc-9.16.26.so
> +usr/lib/libisccc-9.16.27.so
> #usr/lib/libisccc.la
> #usr/lib/libisccc.so
> -usr/lib/libisccfg-9.16.26.so
> +usr/lib/libisccfg-9.16.27.so
> #usr/lib/libisccfg.la
> #usr/lib/libisccfg.so
> -usr/lib/libns-9.16.26.so
> +usr/lib/libns-9.16.27.so
> #usr/lib/libns.la
> #usr/lib/libns.so
> diff --git a/lfs/bind b/lfs/bind
> index 72c85f5f5..d8970a2af 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
> 
> include Config
> 
> -VER        = 9.16.26
> +VER        = 9.16.27
> 
> THISAPP    = bind-$(VER)
> DL_FILE    = $(THISAPP).tar.xz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = 799696f44e0d61659fa0efaa3c5fe5d8
> +$(DL_FILE)_MD5 = db71eecaf698660da37581c42ce9f904
> 
> install : $(TARGET)
> 
> -- 
> 2.25.1
>
  

Patch

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index c0e56854a..df3df4f47 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -274,24 +274,24 @@  usr/bin/nsupdate
 #usr/include/pk11/site.h
 #usr/include/pkcs11
 #usr/include/pkcs11/pkcs11.h
-usr/lib/libbind9-9.16.26.so
+usr/lib/libbind9-9.16.27.so
 #usr/lib/libbind9.la
 #usr/lib/libbind9.so
-usr/lib/libdns-9.16.26.so
+usr/lib/libdns-9.16.27.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libirs-9.16.26.so
+usr/lib/libirs-9.16.27.so
 #usr/lib/libirs.la
 #usr/lib/libirs.so
-usr/lib/libisc-9.16.26.so
+usr/lib/libisc-9.16.27.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.16.26.so
+usr/lib/libisccc-9.16.27.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.16.26.so
+usr/lib/libisccfg-9.16.27.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.16.26.so
+usr/lib/libns-9.16.27.so
 #usr/lib/libns.la
 #usr/lib/libns.so
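Review bot: The seven `-usr/lib/lib*-9.16.26.so` entries are dropped from the rootfile, but nothing visible in this patch removes those files from systems that already have 9.16.26 installed. Since this release fixes CVE-2021-25220 and CVE-2022-0396, please confirm that the update shipping this package deletes the old versioned libraries, so that no unpatched copy of libdns or libns stays on disk.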
diff --git a/lfs/bind b/lfs/bind
index 72c85f5f5..d8970a2af 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@ 
 
 include Config
 
-VER        = 9.16.26
+VER        = 9.16.27
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
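Review bot: `VER` on the changed line drives `THISAPP` and `DL_FILE`, but the same version string is hard-coded seven times in config/rootfiles/common/bind, so the two files have to be bumped together by hand. Both agree on 9.16.27 in this patch; a line in the commit message saying the rootfile was regenerated from the build output rather than edited would make that easier to verify.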
@@ -43,7 +43,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 799696f44e0d61659fa0efaa3c5fe5d8
+$(DL_FILE)_MD5 = db71eecaf698660da37581c42ce9f904
 
 install : $(TARGET)
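Review bot: The replaced `$(DL_FILE)_MD5` line is the only integrity check on the tarball visible in this hunk, and MD5 is not collision-resistant. Suggest verifying bind-9.16.27.tar.xz against the signature ISC publishes with the release before accepting `db71eecaf698660da37581c42ce9f904`, and saying so in the commit message; a stronger digest next to the MD5 would be preferable if the build system supports one.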