The following security issues are addressed with this change:
CVE-2020-8619
CVE-2020-8622
CVE-2020-8623
CVE-2020-8624
CVE-2020-8625
CVE-2021-25214
CVE-2021-25215
CVE-2021-25216
CVE-2021-25219
A complete description of the changes with this BIND release is
available in the release notes at
https://ftp.isc.org/isc/bind9/9.11.36/RELEASE-NOTES-bind-9.11.36.html
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Add patch to fix compile issue:
stats.c: In function 'setcounter':
stats.c:300:29: error: 'val' undeclared (first use in this function); did you mean 'value'?
stats->counters[counter] = val;
^~~
value
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Fixes CVEs:
CVE-2018-5738
CVE-2018-5740
CVE-2018-5743
CVE-2018-5744
CVE-2018-5745
CVE-2019-6465
CVE-2019-6471
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[mention fixed CVEs;patches: refreshed and removed those which are in
upstream now]
New upstream release fixes the following security issues:
* CVE-2017-3145: BIND was improperly sequencing cleanup operations on
upstream recursion fetch contexts, leading in some cases to a use-after-free
error that can trigger an assertion failure and crash in named.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
At least one of libjson|libxml2 is required for bind
statistics to function.
Selecting libjson|libxml2 will result in an additional
dependency required to build and install bind-libs.
Signed-off-by: Hal Martin <hal.martin@gmail.com>
When building on hosts with lmdb installed, bind configure phase fails:
configure: error: found lmdb include but not library.
Solve this by disabling lmdb. Fixes#4748.
Fixes: eab56b6bee ("bind: version update to 9.11.2")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
New upstream release includes fixes for the following security issues:
* CVE-2017-3140: With certain RPZ configurations, a response with TTL 0 could
cause named to go into an infinite query loop
* CVE-2017-3142: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
* CVE-2017-3143: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This change includes fixes for several security issues:
* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to
upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion
failure.
* CVE-2017-3135: If a server is configured with a response policy zone
(RPZ) that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read triggering a
server crash.
* CVE-2016-9444: named could mishandle authority sections with missing
RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG
records were returned without the requested data, resulting in an
assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could
trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing
responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of
records permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk with
slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a
message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could
trigger an infinite recursion bug in lwresd or named with lwres
configured if, when combined with a search list entry from resolv.conf,
the resulting name is too long.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This change fixes multiple denial-of-service vulnerabilities:
* CVE-2016-9131: A malformed response to an ANY query can cause an
assertion failure during recursion
* CVE-2016-9147: An error handling a query response containing
inconsistent DNSSEC information could cause an assertion failure
* CVE-2016-9444: An unusually-formed DS record response could cause
an assertion failure
* CVE-2016-9778: An error handling certain queries using the
nxdomain-redirect feature could cause a REQUIRE assertion failure
in db.c
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
If libjson-c is detected during bind-libs configure phase, bind-libs
will be built with libjson support. This results in a missing dependency
error during install phase. Solve this by disabling libjson support.
Standard assignment is immediate expansion without any extraneous spacing, RFC822 compliant email addresses without any quotation marks and long git hashes
Signed-off-by: Stephen Walker <stephendwalker+github@gmail.com>
Enables bind to do ECDSA DNSSEC validation. Depends on OpenSSL support
for ECDSA. Increases size of bind-libs package by about 2kB.
Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>
Noah Meyerhans