Accepting request 1112571 from network

- Update to release 9.18.19
  Security Fixes:
  * Previously, sending a specially crafted message over the
    control channel could cause the packet-parsing code to run out
    of available stack memory, causing named to terminate
    unexpectedly. This has been fixed. (CVE-2023-3341)
    [bsc#1215472]
  * A flaw in the networking code handling DNS-over-TLS queries
    could cause named to terminate unexpectedly due to an assertion
    failure under significant DNS-over-TLS query load. This has
    been fixed. (CVE-2023-4236)
    [bsc#1215471]
  Removed Features:
  * The dnssec-must-be-secure option has been deprecated and will
    be removed in a future release.
  Feature Changes:
  * If the server command is specified, nsupdate now honors the
    nsupdate -v option for SOA queries by sending both the UPDATE
    request and the initial query over TCP.
  Bug Fixes:
  * The value of the If-Modified-Since header in the statistics
    channel was not being correctly validated for its length,
    potentially allowing an authorized user to trigger a buffer
    overflow. Ensuring the statistics channel is configured
    correctly to grant access exclusively to authorized users is
    essential (see the statistics-channels block definition and
    usage section).
  * The Content-Length header in the statistics channel was lacking
    proper bounds checking. A negative or excessively large value
    could potentially trigger an integer overflow and result in an
    assertion failure.
  * Several memory leaks caused by not clearing the OpenSSL error
    stack were fixed.
  * The introduction of krb5-subdomain-self-rhs and
    ms-subdomain-self-rhs UPDATE policies accidentally caused named
    to return SERVFAIL responses to deletion requests for
    non-existent PTR and SRV records. This has been fixed.
  * The stale-refresh-time feature was mistakenly disabled when the
    server cache was flushed by rndc flush. This has been fixed.
  * BIND’s memory consumption has been improved by implementing
    dedicated jemalloc memory arenas for sending buffers. This
    optimization ensures that memory usage is more efficient and
    better manages the return of memory pages to the operating
    system.
  * Previously, partial writes in the TLS DNS code were not
    accounted for correctly, which could have led to DNS message
    corruption. This has been fixed.

OBS-URL: https://build.opensuse.org/request/show/1112571
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=202

bind-9.18.18.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d735cdc127a6c5709bde475b5bf16fa2133f36fdba202f7c3c37d134e5192160
-size 5490428

bind-9.18.18.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmTQ1kIACgkQGC4jV5Ri
-76qw9xAAh5ijFBTgfhOCyJn7gQpH6zOFTQpYfhkMozbHxydxUsMNo7uko+Lh2k14
-BhsC3ccU8HrePI4hTgY3slAqGAGsxpLz1BIDoLkqsTsfbZchJF/mr9jv3oBtzvdj
-V3B+51M3abyE95Ogt9Qct9TBfhST8BjkSlUAxIiJejC7gyGoDGkgvX3SPelJZjcb
-3MWLtu4yq4AQhPdFdoY39eb0O/i2ZAU/yP2Rh0EgBWZ1Cuicn65n7J47WnYvwxI2
-NjJdM+vjdCByl833WnPVo92K2VEWx143YlDili9GUqybcob1K+nA73WQ+Ub83+Lv
-7oXm+58IcC1gKQXP8xY8+Y42lz4FOOvth8lFP394kut5Fk6KhEPEbtB7sNksna0i
-hOd9ukDZSOqpTdJdGL/QQV5Y0kwsdGYW6PQlsLwcyQ5qDVWBxWlkRoT8D45/ul6+
-4VBnIerG3ya1WfDyu+2uIGw7Xvt7KZaI9j39NUZYFxtfYXT6xELVF+sq/dlD76au
-8eVGbG4qU4GsA6Q+ykvxKHlNWFbm8UbS4BsVGqGnV0GUXXB0vDJwxxpkJMUeS6NA
-87OqFqCfjGRQtfxIKEyheMMZCHYM7hWE2lXBkpuCg9v8QET0iPA13xbl15HQlV2S
-Bpzc788BPGTM+UkMVPrpPw8kAbDhIHbPN2aV7qUUm1sq5jZrQis=
-=o+pr
------END PGP SIGNATURE-----

bind-9.18.19.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:115e09c05439bebade1d272eda08fa88eb3b60129edef690588c87a4d27612cc
+size 5508464

bind-9.18.19.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmUAGbIACgkQUQpkKgbF
+LOzRaw/8D7NZfasW7by/PkDGS4QKRa/BeTupTZB6DaeXme1pv8E0YcZI/dsxdeLD
+YmAa+soyRsXncnqujdwLG9nYV+vLZacfgV9n6e59fSZFK+NhEAzcPq/Q8Q0nFr5D
+m8ygn71Ux6//lufM3CCNDkNXp7hr008++tzNreiZYbwdSJPQWUlzYn//Je3M6z9v
+CldLn1j6aNtt+SdDeuDwNnabFBo9h0Yu2OKKsNimF0Sf0tlbhkJdL7lVTl0frOte
+GyyQPsLIEMEiJ/e7+fdlmYXxYaa61ha37dFTxlRMpYP2lL7rfpoyMY+bTVUcisKC
+8rle150L7xlDZ0z7VT39QJHEqnJxeKduXmVSUsAG3+VFnilcv6bvLhUxLG8ej/Z1
+yaCa0IaqvTydblMZ8kVqM6wNex4InKrx8Ku6YTv5VEKC/BnjukLhAaUeqEWFie+o
+NIiIIbp7Ut4a8J2JytcRMMjuLkvgBkXACGkOvP9nNlTw3fWMzlOVZ6Q6GIolT/k0
+ApH5YdofJoBALMlARDgZJWFpeyXwl1PsDW3KS9uh6wKiMW76YqqCfsLiLtwqvPzj
+AxBJTXOPUC3Hh1ReO7n9eTiWbEGSS1MQYtF0aglpuUzrJsmNb0Scvx6g0zYfCMkv
+yjZUuFXgrXpaoiiCI5hifwwVzwaSwCaUErxk9csyrs+6eS6ud38=
+=v7Aj
+-----END PGP SIGNATURE-----

bind.changes

@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Tue Sep 19 13:28:53 UTC 2023 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 9.18.19
+  Security Fixes:
+  * Previously, sending a specially crafted message over the
+    control channel could cause the packet-parsing code to run out
+    of available stack memory, causing named to terminate
+    unexpectedly. This has been fixed. (CVE-2023-3341)
+    [bsc#1215472]
+  * A flaw in the networking code handling DNS-over-TLS queries
+    could cause named to terminate unexpectedly due to an assertion
+    failure under significant DNS-over-TLS query load. This has
+    been fixed. (CVE-2023-4236)
+    [bsc#1215471]
+
+  Removed Features:
+  * The dnssec-must-be-secure option has been deprecated and will
+    be removed in a future release.
+
+  Feature Changes:
+  * If the server command is specified, nsupdate now honors the
+    nsupdate -v option for SOA queries by sending both the UPDATE
+    request and the initial query over TCP.
+
+  Bug Fixes:
+  * The value of the If-Modified-Since header in the statistics
+    channel was not being correctly validated for its length,
+    potentially allowing an authorized user to trigger a buffer
+    overflow. Ensuring the statistics channel is configured
+    correctly to grant access exclusively to authorized users is
+    essential (see the statistics-channels block definition and
+    usage section).
+  * The Content-Length header in the statistics channel was lacking
+    proper bounds checking. A negative or excessively large value
+    could potentially trigger an integer overflow and result in an
+    assertion failure.
+  * Several memory leaks caused by not clearing the OpenSSL error
+    stack were fixed.
+  * The introduction of krb5-subdomain-self-rhs and
+    ms-subdomain-self-rhs UPDATE policies accidentally caused named
+    to return SERVFAIL responses to deletion requests for
+    non-existent PTR and SRV records. This has been fixed.
+  * The stale-refresh-time feature was mistakenly disabled when the
+    server cache was flushed by rndc flush. This has been fixed.
+  * BIND’s memory consumption has been improved by implementing
+    dedicated jemalloc memory arenas for sending buffers. This
+    optimization ensures that memory usage is more efficient and
+    better manages the return of memory pages to the operating
+    system.
+  * Previously, partial writes in the TLS DNS code were not
+    accounted for correctly, which could have led to DNS message
+    corruption. This has been fixed.
+
 -------------------------------------------------------------------
 Mon Sep 11 07:44:13 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 

bind.spec

@@ -56,7 +56,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.18.18
+Version:        9.18.19
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0