bind: Update to 9.16.33

Message ID 20220923070302.4103660-1-matthias.fischer@ipfire.org
State Accepted
Commit abb32f5e608d3e5f0c3176a4087426affbc860a3
Series bind: Update to 9.16.33

Commit Message

Matthias Fischer Sept. 23, 2022, 7:03 a.m. UTC
  For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33

"Security Fixes

    Previously, there was no limit to the number of database lookups
    performed while processing large delegations, which could be abused to
    severely impact the performance of named running as a recursive
    resolver. This has been fixed. (CVE-2022-2795)

    ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
    Bremler-Barr & Shani Stajnrod from Reichman University for bringing
    this vulnerability to our attention. [GL #3394]

    named running as a resolver with the stale-answer-client-timeout option
    set to 0 could crash with an assertion failure, when there was a stale
    CNAME in the cache for the incoming query. This has been fixed.
    (CVE-2022-3080) [GL #3517]

    A memory leak was fixed that could be externally triggered in the
    DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
    #3487]

    Memory leaks were fixed that could be externally triggered in the
    DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
    #3487]

Feature Changes

    Response Rate Limiting (RRL) code now treats all QNAMEs that are
    subject to wildcard processing within a given zone as the same name, to
    prevent circumventing the limits enforced by RRL. [GL #3459]

    Zones using dnssec-policy now require dynamic DNS or inline-signing to
    be configured explicitly. [GL #3381]

    A backward-compatible approach was implemented for encoding
    internationalized domain names (IDN) in dig and converting the domain
    to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
    #3485]

Bug Fixes

    A serve-stale bug was fixed, where BIND would try to return stale data
    from cache for lookups that received duplicate queries or queries that
    would be dropped. This bug resulted in premature SERVFAIL responses,
    and has now been resolved. [GL #2982]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/bind | 17 +++++++----------
 lfs/bind                     |  4 ++--
 2 files changed, 9 insertions(+), 12 deletions(-)
  

Comments

Peter Müller Sept. 23, 2022, 10:32 a.m. UTC | #1
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> For details see:
> https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33
> 
> "Security Fixes
> 
>     Previously, there was no limit to the number of database lookups
>     performed while processing large delegations, which could be abused to
>     severely impact the performance of named running as a recursive
>     resolver. This has been fixed. (CVE-2022-2795)
> 
>     ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
>     Bremler-Barr & Shani Stajnrod from Reichman University for bringing
>     this vulnerability to our attention. [GL #3394]
> 
>     named running as a resolver with the stale-answer-client-timeout option
>     set to 0 could crash with an assertion failure, when there was a stale
>     CNAME in the cache for the incoming query. This has been fixed.
>     (CVE-2022-3080) [GL #3517]
> 
>     A memory leak was fixed that could be externally triggered in the
>     DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
>     #3487]
> 
>     Memory leaks were fixed that could be externally triggered in the
>     DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
>     #3487]
> 
> Feature Changes
> 
>     Response Rate Limiting (RRL) code now treats all QNAMEs that are
>     subject to wildcard processing within a given zone as the same name, to
>     prevent circumventing the limits enforced by RRL. [GL #3459]
> 
>     Zones using dnssec-policy now require dynamic DNS or inline-signing to
>     be configured explicitly. [GL #3381]
> 
>     A backward-compatible approach was implemented for encoding
>     internationalized domain names (IDN) in dig and converting the domain
>     to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
>     #3485]
> 
> Bug Fixes
> 
>     A serve-stale bug was fixed, where BIND would try to return stale data
>     from cache for lookups that received duplicate queries or queries that
>     would be dropped. This bug resulted in premature SERVFAIL responses,
>     and has now been resolved. [GL #2982]"
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
>  config/rootfiles/common/bind | 17 +++++++----------
>  lfs/bind                     |  4 ++--
>  2 files changed, 9 insertions(+), 12 deletions(-)
> 
> diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
> index 5aea1853b..879f8c832 100644
> --- a/config/rootfiles/common/bind
> +++ b/config/rootfiles/common/bind
> @@ -157,7 +157,6 @@ usr/bin/nsupdate
>  #usr/include/isc/heap.h
>  #usr/include/isc/hex.h
>  #usr/include/isc/hmac.h
> -#usr/include/isc/hp.h
>  #usr/include/isc/ht.h
>  #usr/include/isc/httpd.h
>  #usr/include/isc/interfaceiter.h
> @@ -175,7 +174,6 @@ usr/bin/nsupdate
>  #usr/include/isc/mem.h
>  #usr/include/isc/meminfo.h
>  #usr/include/isc/mutex.h
> -#usr/include/isc/mutexatomic.h
>  #usr/include/isc/mutexblock.h
>  #usr/include/isc/net.h
>  #usr/include/isc/netaddr.h
> @@ -191,7 +189,6 @@ usr/bin/nsupdate
>  #usr/include/isc/pool.h
>  #usr/include/isc/portset.h
>  #usr/include/isc/print.h
> -#usr/include/isc/queue.h
>  #usr/include/isc/quota.h
>  #usr/include/isc/radix.h
>  #usr/include/isc/random.h
> @@ -274,24 +271,24 @@ usr/bin/nsupdate
>  #usr/include/pk11/site.h
>  #usr/include/pkcs11
>  #usr/include/pkcs11/pkcs11.h
> -usr/lib/libbind9-9.16.32.so
> +usr/lib/libbind9-9.16.33.so
>  #usr/lib/libbind9.la
>  #usr/lib/libbind9.so
> -usr/lib/libdns-9.16.32.so
> +usr/lib/libdns-9.16.33.so
>  #usr/lib/libdns.la
>  #usr/lib/libdns.so
> -usr/lib/libirs-9.16.32.so
> +usr/lib/libirs-9.16.33.so
>  #usr/lib/libirs.la
>  #usr/lib/libirs.so
> -usr/lib/libisc-9.16.32.so
> +usr/lib/libisc-9.16.33.so
>  #usr/lib/libisc.la
>  #usr/lib/libisc.so
> -usr/lib/libisccc-9.16.32.so
> +usr/lib/libisccc-9.16.33.so
>  #usr/lib/libisccc.la
>  #usr/lib/libisccc.so
> -usr/lib/libisccfg-9.16.32.so
> +usr/lib/libisccfg-9.16.33.so
>  #usr/lib/libisccfg.la
>  #usr/lib/libisccfg.so
> -usr/lib/libns-9.16.32.so
> +usr/lib/libns-9.16.33.so
>  #usr/lib/libns.la
>  #usr/lib/libns.so
> diff --git a/lfs/bind b/lfs/bind
> index bb5c26e1e..aeff480a2 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
>  
>  include Config
>  
> -VER        = 9.16.32
> +VER        = 9.16.33
>  
>  THISAPP    = bind-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = df6f2c878138015da580dfaf0e16b5a97b11ead9f99c1425a09da8484954196ea3dafb828ac3ab386200ce2b180646c7eb1e0e62a84c153162270a4a1e19a5fc
> +$(DL_FILE)_BLAKE2 = 4246b61ce91af3d494ace4b8065b4c0043b2cfaf28c6de326691a969837e7d1cfbc0dac6b1e1a5182fc32af68048abcfa1202d00022951f3caa13afb03ebeb69
>  
>  install : $(TARGET)
>
  

Patch

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index 5aea1853b..879f8c832 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -157,7 +157,6 @@  usr/bin/nsupdate
 #usr/include/isc/heap.h
 #usr/include/isc/hex.h
 #usr/include/isc/hmac.h
-#usr/include/isc/hp.h
 #usr/include/isc/ht.h
 #usr/include/isc/httpd.h
 #usr/include/isc/interfaceiter.h
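Review bot: The dropped `#usr/include/isc/hp.h` entry is not explained in the commit message, which only quotes the upstream release notes. If 9.16.33 no longer installs this header (the same question applies to `mutexatomic.h` and `queue.h` in the next two hunks), a one-line remark saying so would show the rootfile change is deliberate. The entry was commented out, so nothing shipped in the image changes either way.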
@@ -175,7 +174,6 @@  usr/bin/nsupdate
 #usr/include/isc/mem.h
 #usr/include/isc/meminfo.h
 #usr/include/isc/mutex.h
-#usr/include/isc/mutexatomic.h
 #usr/include/isc/mutexblock.h
 #usr/include/isc/net.h
 #usr/include/isc/netaddr.h
@@ -191,7 +189,6 @@  usr/bin/nsupdate
 #usr/include/isc/pool.h
 #usr/include/isc/portset.h
 #usr/include/isc/print.h
-#usr/include/isc/queue.h
 #usr/include/isc/quota.h
 #usr/include/isc/radix.h
 #usr/include/isc/random.h
@@ -274,24 +271,24 @@  usr/bin/nsupdate
 #usr/include/pk11/site.h
 #usr/include/pkcs11
 #usr/include/pkcs11/pkcs11.h
-usr/lib/libbind9-9.16.32.so
+usr/lib/libbind9-9.16.33.so
 #usr/lib/libbind9.la
 #usr/lib/libbind9.so
-usr/lib/libdns-9.16.32.so
+usr/lib/libdns-9.16.33.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libirs-9.16.32.so
+usr/lib/libirs-9.16.33.so
 #usr/lib/libirs.la
 #usr/lib/libirs.so
-usr/lib/libisc-9.16.32.so
+usr/lib/libisc-9.16.33.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.16.32.so
+usr/lib/libisccc-9.16.33.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.16.32.so
+usr/lib/libisccfg-9.16.33.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.16.32.so
+usr/lib/libns-9.16.33.so
 #usr/lib/libns.la
 #usr/lib/libns.so
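Review bot: Nothing in this hunk shows how the old `usr/lib/lib*-9.16.32.so` files are handled on systems that upgrade, and all seven versioned library names change here. Please confirm that the 9.16.32 files are removed by the update and that nothing outside this package links against the versioned names. A leftover library would keep the pre-fix DNSSEC verification and resolver code on disk, and a binary still looking for `libdns-9.16.32.so` would fail to load.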
diff --git a/lfs/bind b/lfs/bind
index bb5c26e1e..aeff480a2 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@ 
 
 include Config
 
-VER        = 9.16.32
+VER        = 9.16.33
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = df6f2c878138015da580dfaf0e16b5a97b11ead9f99c1425a09da8484954196ea3dafb828ac3ab386200ce2b180646c7eb1e0e62a84c153162270a4a1e19a5fc
+$(DL_FILE)_BLAKE2 = 4246b61ce91af3d494ace4b8065b4c0043b2cfaf28c6de326691a969837e7d1cfbc0dac6b1e1a5182fc32af68048abcfa1202d00022951f3caa13afb03ebeb69
 
 install : $(TARGET)
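Review bot: The new `$(DL_FILE)_BLAKE2` value cannot be checked from the patch itself, and the commit message does not say how it was obtained. Since this line is the only integrity pin visible for the download, please note in the commit message that the tarball was verified against the upstream signature before the hash was computed.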