./net/bind918, Berkeley Internet Name Daemon implementation of DNS, version 9.18


Branch: pkgsrc-2022Q4, Version: 9.18.11, Package name: bind-9.18.11, Maintainer: sekiya

BIND, the Berkeley Internet Name Daemon. This package contains the BIND
9.18 release.

Release notes are at https://bind9.readthedocs.io/en/v9_18_0/notes.html


Package options: readline, threads

Master sites:

Filesize: 5160.336 KB


CVS history:


   2023-02-12 20:52:24 by S.P.Zeidler | Files touched by this commit (7) | Package updated
Log message:
Pullup ticket #6736 - requested by taca
net/bind918: security update

Revisions pulled up:
- net/bind918/Makefile                                          1.6
- net/bind918/PLIST                                             1.2
- net/bind918/distinfo                                          1.4
- net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh deleted
- net/bind918/patches/patch-lib_isc_siphash.c                   1.2
- net/bind918/patches/patch-lib_isc_time.c                      1.2
- net/bind918/patches/patch-lib_ns_update.c                     1.2

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Feb  8 00:13:44 UTC 2023

   Modified Files:
   	pkgsrc/net/bind918: Makefile PLIST distinfo
   	pkgsrc/net/bind918/patches: patch-lib_isc_siphash.c
   	    patch-lib_isc_time.c patch-lib_ns_update.c
   Removed Files:
   	pkgsrc/net/bind918/patches:
   	    patch-bin_tests_system_keyfromlabel_tests.sh

   Log message:
   net/bind918: update to 9.18.11

   Approved by MAINTAINER (sekiya@).

   	--- 9.18.11 released ---

   6067.	[security]	Fix serve-stale crash when recursive clients soft quota
   			is reached. (CVE-2022-3924) [GL #3619]

   6066.	[security]	Handle RRSIG lookups when serve-stale is active.
   			(CVE-2022-3736) [GL #3622]

   6064.	[security]	An UPDATE message flood could cause named to exhaust all
   			available memory. This flaw was addressed by adding a
   			new "update-quota" statement that controls the number of
   			simultaneous UPDATE messages that can be processed or
   			forwarded. The default is 100. A stats counter has been
   			added to record events when the update quota is
   			exceeded, and the XML and JSON statistics version
   			numbers have been updated. (CVE-2022-3094) [GL #3523]

   6062.	[func]		The DSCP implementation, which has been
   			nonfunctional for some time, is now marked as
   			obsolete and the implementation has been removed.
   			Configuring DSCP values in named.conf has no
   			effect, and a warning will be logged that
   			the feature should no longer be used. [GL #3773]

   6061.	[bug]		Fix unexpected "Prohibited" extended DNS error
   			on allow-recursion. [GL #3743]

   6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
   			by detaching from the zone manager outside of the write
   			lock. [GL #3768]

   6059.	[bug]		In some serve stale scenarios, like when following an
   			expired CNAME record, named could return SERVFAIL if the
   			previous request wasn't successful. Consider non-stale
   			data when in serve-stale mode. [GL #3678]

   6058.	[bug]		Prevent named from crashing when "rndc delzone"
   			attempts to delete a zone added by a catalog zone.
   			[GL #3745]

   6053.	[bug]		Fix an ADB quota management bug in resolver. [GL #3752]

   6051.	[bug]		Improve thread safety in the dns_dispatch unit.
   			[GL #3178] [GL #3636]

   6050.	[bug]		Changes to the RPZ response-policy min-update-interval
   			and add-soa options now take effect as expected when
   			named is reconfigured. [GL #3740]

   6049.	[bug]		Exclude ADB hashtables from the ADB memory
   			overmem checks and don't clean ADB names
   			and ADB entries used in the last 10 seconds
   			(ADB_CACHE_MINIMUM). [GL #3739]

   6048.	[bug]		Fix a log message error in dns_catz_update_from_db(),
   			where serials with values of 2^31 or larger were logged
   			incorrectly as negative numbers. [GL #3742]

   6047.	[bug]		Try the next server instead of trying the same
   			server again on an outgoing query timeout.
   			[GL #3637]

   6046.	[bug]		TLS session resumption might lead to handshake
   			failures when client certificates are used for
   			authentication (Mutual TLS).  This has been fixed.
   			[GL #3725]

   6045.	[cleanup]	The list of supported DNSSEC algorithms changed log
   			level from "warning" to "notice" to match named's other
   			startup messages. [GL !7217]

   6044.	[bug]		There was an "RSASHA236" typo in a log message.
   			[GL !7206]

   5830.	[func]		Implement incremental resizing of isc_ht hash tables to
   			perform the rehashing gradually. The catalog zone
   			implementation has been optimized to work with hundreds
   			of thousands of member zones. [GL #3212] [GL #3744]

   To generate a diff of this commit:
   cvs rdiff -u -r1.5 -r1.6 pkgsrc/net/bind918/Makefile
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/PLIST
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/bind918/distinfo
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c \
       pkgsrc/net/bind918/patches/patch-lib_isc_time.c \
       pkgsrc/net/bind918/patches/patch-lib_ns_update.c