Commit Message
For details see:
https://downloads.isc.org/isc/bind9/9.20.22/doc/arm/html/notes.html#notes-for-bind-9-20-22
"Notes for BIND 9.20.22
Security Fixes
Fix crash when reconfiguring zone update policy during active updates.
We fixed a crash that could occur when running rndc reconfig to change
a zone's update policy (e.g., from allow-update to update-policy) while
DNS UPDATE requests were being processed for that zone.
ISC would like to thank Vitaly Simonovich for bringing this issue to
our attention. [GL #5817]
Bug Fixes
Fix intermittent named crashes during asynchronous zone operations.
Asynchronous zone loading and dumping operations occasionally
dispatched tasks to the wrong internal event loop. This threading
violation triggered internal safety assertions that abruptly terminated
named. Strict loop affinity is now enforced for these tasks, ensuring
they execute on their designated threads and preventing the crashes.
[GL #4882]
Count temporal problems with DNSSEC validation as attempts.
After the KeyTrap vulnerability (CVE-2023-50387), any temporal DNSSEC
errors were originally hard errors that caused validation failures,
even if the records had another valid signature. This has been changed;
RRSIGs outside of the inception and expiration time are not counted as
hard errors. However, these errors were not even counted as validation
attempts, so an excessive number of expired RRSIGs would cause some
non-cryptographic extra work for the validator. This has been fixed and
the temporal errors are now correctly counted as validation attempts.
[GL #5760]
Fix a possible deadlock in RPZ processing.
The named process could hang when processing a maliciously crafted
update for a response policy zone (RPZ). This has been fixed. [GL
#5775]
Fix a crash triggered by rndc modzone on a zone from a configuration
file.
Calling rndc modzone on a zone that was configured in the configuration
file caused a crash. This has been fixed. [GL #5800]
Fix the processing of empty catalog zone ACLs.
The named process could terminate unexpectedly when processing a
catalog zone ACL in an APL resource record that was completely empty.
This has been fixed. [GL #5801]
Fix a crash triggered by rndc modzone on zone that already existed in
NZF file.
Calling rndc modzone didn't work properly for a zone that was
configured in the configuration file. It could crash if BIND 9 was
built without LMDB or if there was already an NZF file for the zone.
This has been fixed. [GL #5826]
Fix potential resource leak during resolver error handling.
Under specific error conditions during query processing, resources were
not being properly released, which could eventually lead to unnecessary
memory consumption for the server. A potential resource leak in the
resolver has been fixed. [GL !11658]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
config/rootfiles/common/bind | 10 +++++-----
lfs/bind | 4 ++--
2 files changed, 7 insertions(+), 7 deletions(-)
@@ -241,18 +241,18 @@ usr/bin/nsupdate
#usr/include/ns/types.h
#usr/include/ns/update.h
#usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.21.so
+usr/lib/libdns-9.20.22.so
#usr/lib/libdns.la
#usr/lib/libdns.so
-usr/lib/libisc-9.20.21.so
+usr/lib/libisc-9.20.22.so
#usr/lib/libisc.la
#usr/lib/libisc.so
-usr/lib/libisccc-9.20.21.so
+usr/lib/libisccc-9.20.22.so
#usr/lib/libisccc.la
#usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.21.so
+usr/lib/libisccfg-9.20.22.so
#usr/lib/libisccfg.la
#usr/lib/libisccfg.so
-usr/lib/libns-9.20.21.so
+usr/lib/libns-9.20.22.so
#usr/lib/libns.la
#usr/lib/libns.so
@@ -25,7 +25,7 @@
include Config
-VER = 9.20.21
+VER = 9.20.22
THISAPP = bind-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 20c2acac40242516da10cc8e45074de3d5d8906e4c4e216f6d69cba0585816aba4ec77adda8142294623eef5b045ec64cc8a18c721ece6af939741903558454b
+$(DL_FILE)_BLAKE2 = 74537646d8c08c4874548b064ab62bab3721d22e2654feed54ea0b61c087018b24f725d0cfaf8298bc71a1be280c753c86449b13e5d9ec26f84ba7e9f61b7a5a
install : $(TARGET)