From 7a18d2cf8638ac71c5676e889294eb18e0f61e4a8a875a67eb69a77c39e6a7f8 Mon Sep 17 00:00:00 2001 From: Jorik Cronenberg Date: Wed, 21 Sep 2022 13:17:51 +0000 Subject: [PATCH] Accepting request 1005206 from home:jcronenberg:branches:network - Update to bind release 9.18.7 Security Fixes: * Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of named running as a recursive resolver. This has been fixed. (CVE-2022-2795) * When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) * Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) * named running as a resolver with the stale-answer-client-timeout option set to 0 could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) * Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) Feature Changes: * Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. * Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. * When reconfiguring dnssec-policy from using NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC until the offending DNSKEY records have been removed from the zone, then switches to using NSEC3. * A backward-compatible approach was implemented for encoding internationalized domain names (IDN) in dig and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. Bug Fixes: * A serve-stale bug was fixed, where BIND would try to return stale data from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. This obsoletes the following patch: * bind-fix-mysql-bindings.patch [bsc#1203614, bsc#1203615, bsc#1203616, bsc#1203618, bsc#1203620] OBS-URL: https://build.opensuse.org/request/show/1005206 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=357 --- bind-9.18.6.tar.xz | 3 --- bind-9.18.6.tar.xz.sha512.asc | 16 ------------ bind-9.18.7.tar.xz | 3 +++ bind-9.18.7.tar.xz.sha512.asc | 16 ++++++++++++ bind-fix-mysql-bindings.patch | 22 ---------------- bind.changes | 49 +++++++++++++++++++++++++++++++++++ bind.spec | 3 +-- 7 files changed, 69 insertions(+), 43 deletions(-) delete mode 100644 bind-9.18.6.tar.xz delete mode 100644 bind-9.18.6.tar.xz.sha512.asc create mode 100644 bind-9.18.7.tar.xz create mode 100644 bind-9.18.7.tar.xz.sha512.asc delete mode 100644 bind-fix-mysql-bindings.patch diff --git a/bind-9.18.6.tar.xz b/bind-9.18.6.tar.xz deleted file mode 100644 index a126f62..0000000 --- a/bind-9.18.6.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d43a0fed03c774d1685d203598218c0b7774a88fcc390a0170710d5feb7fbff1 -size 5171132 diff --git a/bind-9.18.6.tar.xz.sha512.asc b/bind-9.18.6.tar.xz.sha512.asc deleted file mode 100644 index ce1d664..0000000 --- a/bind-9.18.6.tar.xz.sha512.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4l6wzxzoBJ1H8dmmM+EOShg6jkYFAmL0AkwACgkQM+EOShg6 -jkaylw/9Evr/sUupCkvNFVt+FtqlnfBDt8WCSlwPaSr5TVU+JCX+0SnNkIrST5Ho -wOACBRks6ATzvtL4pAnr+DRJFen+G0WL57YJsR6geKKm78W7WzV49zG3FSad6RTq -FyXoRNClteBttitPd0ubCHhHAqPcrmbVAlS+79l/8Q//r+llV99gY4h8ZVQC2f2I -rnrJzprT3ZwwCqTyV03zigBcRINS9+/Ij/MlRoG5VGldSaDJB0dLMlJMzeIWeiLG -aeHRTDB5q64HXS6zpzcYZcs6cG80lMFpYqMFP8+FZml1mz8PEhvhTb5cM94Ar1b1 -Iy/QMLzORneSCHq62o4Tc2jgFTv6y7LqRHnCujt+I0UpOt26tV5O/kr/CbMrgx9R -mU/PScStLU5m38vwGrIfLegx9fauHPvQckM5Mbvv5E/ntFaza7r7aedjj5cMY92N -uEHUKknYFP+nIRPEpaN/oIkkbVcRq99LviI2tlVUrkHR/siNy2Y/eHXm1nLs9s3y -4mdns0dx0/d+sewaL4jpS9+EynDoy3IiAXpo2CMR8no/AIm2nqwrCtcR/slmsdUr -P5lwlJZoyz4tsjFHTRyeEk4ciMEwDoIFQ+hwQovAL7Vq/2lIgXcvvQn0IX96n2SS -cmFovsMMN7Y6LE/Tfx8CuHyP2bGs+V3wyepk3p2lJWrIWjJ7a/s= -=2oT4 ------END PGP SIGNATURE----- diff --git a/bind-9.18.7.tar.xz b/bind-9.18.7.tar.xz new file mode 100644 index 0000000..6865a3d --- /dev/null +++ b/bind-9.18.7.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9e2acf1698f49d70ad12ffbad39ec6716a7da524e9ebd98429c7c70ba1262981 +size 5626820 diff --git a/bind-9.18.7.tar.xz.sha512.asc b/bind-9.18.7.tar.xz.sha512.asc new file mode 100644 index 0000000..adceb3f --- /dev/null +++ b/bind-9.18.7.tar.xz.sha512.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4l6wzxzoBJ1H8dmmM+EOShg6jkYFAmMfNs4ACgkQM+EOShg6 +jkY1aRAAySGOpDT4MFnuTI5w7RdWjMNclOGJoFK6ihbkF6lQDrRqRuYlmAq9UwW2 +KR+rAAAqAHk/EmDzsmq15OcsJdJOMrJTp88YEI4EdAcInOK4xbjDl73P0oOnlRjJ +/8Aw2awrDPjMPoEoF9YBLPfU1Q2Vlunybzlq9sZ7eUWpp1qSa6x3EoWS/bB/f66G +FhWpbEqdkBOCW8osm3svSOTCkYhlimX6Y2bTyhjSUdfS8q5rwYoiDEsbzjgoMS5l +eNQb0bexCEBmaTjzARGXo2JzGcNMu9aeee3noeusTV/x3r5zgOjl/TDkx7Y4CAaN +qtWeoYVp4p4ulisaFqP1bHuksUVgez+2SzrqJ0NpvhLZzbi5dRnsHT93iDcoR+X/ +yjyVQFiunZq3kU46Cf8gT29fxfyi3C/3BVxMkdZz2kI4LwRWvAng7mk9tfKH/2/d +d44hvv0R4Mdv38/zd8m2pddh8A7rY7l7CbPrKe0V6UTsnErFi/B14fLu58vQHlZL +8SBBLT2YSiJFQRMfcbCwVTW9r54pqb+MJxkBCgGMDAULOqdBSXfydQdEkbkC1R9i +u522mH5/VafntJabrxWa4blz/2pClTWswCYCT9LIb8wTFgU+n99+1ozIW7arLFMe +/ncipDqQffaC+DY88PlF5AOhG4I7hqbJR6yVrPaIL7On+2vIn+A= +=/BQv +-----END PGP SIGNATURE----- diff --git a/bind-fix-mysql-bindings.patch b/bind-fix-mysql-bindings.patch deleted file mode 100644 index fa2e5b6..0000000 --- a/bind-fix-mysql-bindings.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- a/contrib/dlz/modules/mysql/Makefile -+++ b/contrib/dlz/modules/mysql/Makefile -@@ -27,7 +27,7 @@ prefix = /usr - libdir = $(prefix)/lib/bind9 - - CFLAGS=-fPIC -g -I../include $(shell mysql_config --cflags) --LDAP_LIBS=$(shell mysql_config --libs) -+MYSQL_LIBS=$(shell mysql_config --libs) - - all: dlz_mysql_dynamic.so - ---- a/contrib/dlz/modules/mysqldyn/Makefile -+++ b/contrib/dlz/modules/mysqldyn/Makefile -@@ -27,7 +27,7 @@ prefix = /usr - libdir = $(prefix)/lib/bind9 - - CFLAGS=-fPIC -g -I../include $(shell mysql_config --cflags) --LDAP_LIBS=$(shell mysql_config --libs) -+MYSQL_LIBS=$(shell mysql_config --libs) - - all: dlz_mysqldyn_mod.so - diff --git a/bind.changes b/bind.changes index 91f4ac2..916cc0b 100644 --- a/bind.changes +++ b/bind.changes @@ -1,3 +1,52 @@ +------------------------------------------------------------------- +Wed Sep 21 11:49:07 UTC 2022 - Jorik Cronenberg + +- Update to bind release 9.18.7 + Security Fixes: + * Previously, there was no limit to the number of database lookups + performed while processing large delegations, which could be + abused to severely impact the performance of named running as a + recursive resolver. This has been fixed. (CVE-2022-2795) + * When an HTTP connection was reused to request statistics from the + stats channel, the content length of successive responses could + grow in size past the end of the allocated buffer. + This has been fixed. (CVE-2022-2881) + * Memory leaks in code handling Diffie-Hellman (DH) keys were fixed + that could be externally triggered, when using TKEY records in DH + mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) + * named running as a resolver with the stale-answer-client-timeout + option set to 0 could crash with an assertion failure, when there + was a stale CNAME in the cache for the incoming query. + This has been fixed. (CVE-2022-3080) + * Memory leaks were fixed that could be externally triggered in the + DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + + Feature Changes: + * Response Rate Limiting (RRL) code now treats all QNAMEs that are + subject to wildcard processing within a given zone as the same + name, to prevent circumventing the limits enforced by RRL. + * Zones using dnssec-policy now require dynamic DNS or + inline-signing to be configured explicitly. + * When reconfiguring dnssec-policy from using NSEC with an NSEC-only + DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, + BIND 9 no longer fails to sign the zone; instead, it keeps using + NSEC until the offending DNSKEY records have been removed from the + zone, then switches to using NSEC3. + * A backward-compatible approach was implemented for encoding + internationalized domain names (IDN) in dig and converting the + domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 + conversion. + + Bug Fixes: + * A serve-stale bug was fixed, where BIND would try to return stale + data from cache for lookups that received duplicate queries or + queries that would be dropped. This bug resulted in premature + SERVFAIL responses, and has now been resolved. + + This obsoletes the following patch: + * bind-fix-mysql-bindings.patch + [bsc#1203614, bsc#1203615, bsc#1203616, bsc#1203618, bsc#1203620] + ------------------------------------------------------------------- Thu Aug 18 14:57:33 UTC 2022 - Jorik Cronenberg diff --git a/bind.spec b/bind.spec index e2af52a..ce267de 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.18.6 +Version: 9.18.7 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -75,7 +75,6 @@ Source70: bind.conf # configuation file for systemd-sysusers Source72: named.conf Patch56: bind-ldapdump-use-valid-host.patch -Patch57: bind-fix-mysql-bindings.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: libtool