From patchwork Fri Sep 23 07:03:02 2022
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 6009
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] bind: Update to 9.16.33
Date: Fri, 23 Sep 2022 09:03:02 +0200
Message-Id: <20220923070302.4103660-1-matthias.fischer@ipfire.org>
List-Id: IPFire development talk

For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33

"Security Fixes

Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of named running as a recursive resolver. This has been fixed. (CVE-2022-2795)

ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. [GL #3394]

named running as a resolver with the stale-answer-client-timeout option set to 0 could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) [GL #3517]

A memory leak was fixed that could be externally triggered in the DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL #3487]

Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL #3487]

Feature Changes

Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. [GL #3459]

Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. [GL #3381]

A backward-compatible approach was implemented for encoding internationalized domain names (IDN) in dig and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL #3485]

Bug Fixes

A serve-stale bug was fixed, where BIND would try to return stale data from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. [GL #2982]"

Signed-off-by: Matthias Fischer
Reviewed-by: Peter Müller
--- config/rootfiles/common/bind | 17 +++++++---------- lfs/bind | 4 ++-- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index 5aea1853b..879f8c832 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -157,7 +157,6 @@ usr/bin/nsupdate #usr/include/isc/heap.h #usr/include/isc/hex.h #usr/include/isc/hmac.h -#usr/include/isc/hp.h #usr/include/isc/ht.h #usr/include/isc/httpd.h #usr/include/isc/interfaceiter.h @@ -175,7 +174,6 @@ usr/bin/nsupdate #usr/include/isc/mem.h #usr/include/isc/meminfo.h #usr/include/isc/mutex.h -#usr/include/isc/mutexatomic.h #usr/include/isc/mutexblock.h #usr/include/isc/net.h #usr/include/isc/netaddr.h @@ -191,7 +189,6 @@ usr/bin/nsupdate #usr/include/isc/pool.h #usr/include/isc/portset.h #usr/include/isc/print.h -#usr/include/isc/queue.h #usr/include/isc/quota.h #usr/include/isc/radix.h #usr/include/isc/random.h 
@@ -274,24 +271,24 @@ usr/bin/nsupdate #usr/include/pk11/site.h #usr/include/pkcs11 #usr/include/pkcs11/pkcs11.h -usr/lib/libbind9-9.16.32.so +usr/lib/libbind9-9.16.33.so #usr/lib/libbind9.la #usr/lib/libbind9.so -usr/lib/libdns-9.16.32.so +usr/lib/libdns-9.16.33.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libirs-9.16.32.so +usr/lib/libirs-9.16.33.so #usr/lib/libirs.la #usr/lib/libirs.so -usr/lib/libisc-9.16.32.so +usr/lib/libisc-9.16.33.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.16.32.so +usr/lib/libisccc-9.16.33.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.16.32.so +usr/lib/libisccfg-9.16.33.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.16.32.so +usr/lib/libns-9.16.33.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index bb5c26e1e..aeff480a2 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.16.32 +VER = 9.16.33 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = df6f2c878138015da580dfaf0e16b5a97b11ead9f99c1425a09da8484954196ea3dafb828ac3ab386200ce2b180646c7eb1e0e62a84c153162270a4a1e19a5fc +$(DL_FILE)_BLAKE2 = 4246b61ce91af3d494ace4b8065b4c0043b2cfaf28c6de326691a969837e7d1cfbc0dac6b1e1a5182fc32af68048abcfa1202d00022951f3caa13afb03ebeb69 install : $(TARGET)
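Review bot: the three rootfile entries dropped in the first three hunks of config/rootfiles/common/bind (#usr/include/isc/hp.h, #usr/include/isc/mutexatomic.h and #usr/include/isc/queue.h) are not explained in the commit message, which only quotes the upstream release notes. Add one line saying that the 9.16.33 build no longer installs these headers, so the removal reads as a consequence of the upstream change and not as an accidental deletion. All three entries were already commented out, so the set of shipped files should be unaffected.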
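Review bot: in the @@ -274,24 +271,24 @@ hunk all seven shared libraries change file name from -9.16.32.so to -9.16.33.so, so on an upgraded system the old files are not overwritten by the new ones. Make sure the accompanying update removes the seven *-9.16.32.so files; otherwise the library builds affected by CVE-2022-2795, CVE-2022-3080, CVE-2022-38177 and CVE-2022-38178 stay on disk next to the fixed ones.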
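Review bot: the new $(DL_FILE)_BLAKE2 value in the last hunk of lfs/bind cannot be checked from the patch alone, and the commit message does not say how it was obtained. State that bind-9.16.33.tar.xz was verified against the signature ISC publishes alongside the tarball before the digest was computed, because the build will trust this value for the downloaded source.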