From patchwork Thu Jan 26 19:40:27 2023
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 6469
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] bind: Update to 9.16.37
Date: Thu, 26 Jan 2023 20:40:27 +0100
Message-Id: <20230126194027.3633455-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development"

For details for 9.16.36 and 9.16.37 see:
https://downloads.isc.org/isc/bind9/9.16.37/doc/arm/html/notes.html#notes-for-bind-9-16-37

"Notes for BIND 9.16.37

Security Fixes

An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). (CVE-2022-3094) ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. [GL #3523]

named could crash with an assertion failure when an RRSIG query was received and stale-answer-client-timeout was set to a non-zero value. This has been fixed. (CVE-2022-3736) ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to our attention. [GL #3622]

named running as a resolver with the stale-answer-client-timeout option set to any value greater than 0 could crash with an assertion failure, when the recursive-clients soft quota was reached. This has been fixed. (CVE-2022-3924) ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. [GL #3619]

New Features

The new update-quota option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated. [GL #3523]

Feature Changes

The Differentiated Services Code Point (DSCP) feature in BIND has been deprecated. Configuring DSCP values in named.conf now causes a warning to be logged. Note that this feature has only been partly operational since the new Network Manager was introduced in BIND 9.16.0. [GL #3773]

The catalog zone implementation has been optimized to work with hundreds of thousands of member zones. [GL #3744]

Bug Fixes

In certain query resolution scenarios (e.g. when following CNAME records), named configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed. [GL #3678]

...

Notes for BIND 9.16.36

Feature Changes

The auto-dnssec option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]

Bug Fixes

When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the named process to crash. This has been fixed. [GL #3683]

When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. This has been fixed. [GL #3727]

In certain cases, named waited for the resolution of outstanding recursive queries to finish before shutting down. This was unintended and has been fixed. [GL #3183]

The zone /: final reference detached log message was moved from the INFO log level to the DEBUG(1) log level to prevent the named-checkzone tool from superfluously logging this message in non-debug mode. [GL #3707]"

Signed-off-by: Matthias Fischer --- config/rootfiles/common/bind | 14 +++++++------- lfs/bind | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index 6a83df8ce..b926495d3 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -271,24 +271,24 @@ usr/bin/nsupdate #usr/include/pk11/site.h #usr/include/pkcs11 #usr/include/pkcs11/pkcs11.h -usr/lib/libbind9-9.16.35.so +usr/lib/libbind9-9.16.37.so #usr/lib/libbind9.la #usr/lib/libbind9.so -usr/lib/libdns-9.16.35.so +usr/lib/libdns-9.16.37.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libirs-9.16.35.so +usr/lib/libirs-9.16.37.so #usr/lib/libirs.la #usr/lib/libirs.so -usr/lib/libisc-9.16.35.so +usr/lib/libisc-9.16.37.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.16.35.so +usr/lib/libisccc-9.16.37.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.16.35.so +usr/lib/libisccfg-9.16.37.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.16.35.so +usr/lib/libns-9.16.37.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index 16fc9ba97..4ecceda97 100644 --- a/lfs/bind +++ b/lfs/bind @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2023 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config -VER = 9.16.35 +VER = 9.16.37 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz 
@@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = c3d23e939c882e9bebe2aa83d91ab40bfe8c4b9882890acdb0908d4bfe16f00a98b87ba9155da68e75936be5d057ec025efa80541bf86a08a5bb85e4b4bd10e2 +$(DL_FILE)_BLAKE2 = 3b18f7c780ce04e296498e30c09628ad8eb89f38afdb032700455f193a3f8556029cd2e3d3c42861965d5fc776f56f761b8d21a74a0f95d82338e65fb519acfb install : $(TARGET)
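
Review bot: in config/rootfiles/common/bind the seven versioned library entries change their file names (for example usr/lib/libdns-9.16.35.so becomes usr/lib/libdns-9.16.37.so), so anything on an installed system that was linked against the 9.16.35 names will stop resolving them once the old files are gone. Please confirm that every binary linking against these libraries is shipped in the same update, and that the old 9.16.35 files are removed on upgrade so that the libraries affected by CVE-2022-3094, CVE-2022-3736 and CVE-2022-3924 do not stay on disk.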
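
Review bot: the new $(DL_FILE)_BLAKE2 value in the last lfs/bind hunk is the only integrity pin for bind-9.16.37.tar.xz, and neither the hunk nor the commit message says how it was obtained. Please note in the commit message that the tarball was checked against ISC's published signature before the digest was computed, so the pinned hash is known to cover the upstream release and not just the file that happened to be downloaded.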