pkgsrc-Changes archive
CVS commit: pkgsrc/net/bind918
Module Name: pkgsrc
Committed By: taca
Date: Wed May 20 13:07:16 UTC 2026
Modified Files:
pkgsrc/net/bind918: Makefile distinfo
Log Message:
net/bind918: update to 9.18.49
BIND 9.18.49 (2026-05-20)
Security Fixes
* Limit resolver server list size. (CVE-2026-3592)
When resolving a domain with many nameservers that shared overlapping IP
addresses (e.g., 10 NS records all pointing at the same set of addresses),
BIND could previously waste time querying duplicate addresses and build up
excessively large server lists. Addresses in the resolver's server list
are now deduplicated so that each unique IP is only queried once per
resolution attempt, regardless of how many NS records point to it. The
number of addresses stored per nameserver name is also now capped at six
(combined A and AAAA), preventing memory and CPU overhead from domains
with unusually large NS/glue sets.
ISC would like to thank Shuhan Zhang from Tsinghua University for
reporting this issue. [GL #5641]
* Fix GSS-API resource leak. (CVE-2026-3039)
A memory leak was fixed where each GSS-API TKEY negotiation leaked a
security context inside the GSS library. An unauthenticated attacker
could exhaust server memory by sending repeated TKEY queries to a server
with tkey-gssapi-keytab configured. The leaked memory was allocated by
the GSS library, bypassing BIND's memory accounting.
Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected,
as BIND never supported it correctly and Kerberos/SPNEGO completes in a
single round.
ISC would like to thank Vitaly Simonovich for bringing this vulnerability
to our attention. [GL #5752]
* Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
Recursion, dynamic updates (UPDATE), and zone change notifications
(NOTIFY) are now disabled for views with a class other than IN (such as
CHAOS or HESIOD); authoritative service for non-IN zones
(e.g. version.bind in class CHAOS) continues to work as before. Servers
configured with recursion yes; in a non-IN view log a warning at startup,
and named-checkconf flags the same condition. UPDATE and NOTIFY messages
that specify the meta-classes ANY or NONE in the question section are now
rejected with FORMERR.
This addresses a set of closely related security issues collectively
identified as CVE-2026-5946. ISC would like to thank Mcsky23 for bringing
these issues to our attention. [GL #5784]
* Avoid unbounded recursion loop. (CVE-2026-5950)
A bug during bad server handling could cause the resolver to enter an
infinite loop, continuously sending queries to an upstream server with no
exit condition, until the resolver query timeout was hit. This has been
fixed.
ISC would like to thank Billy Baraja (BielraX) for bringing this issue to
our attention. [GL #5804]
* Fix outgoing zone transfers' quota issue.
Unauthorized clients could consume the entire outgoing zone-transfer quota
and block authorized zone transfer clients. This has been fixed. [GL
#3589]
Feature Changes
* Fix CPU spikes and slow queries when cache approaches memory limit.
Cache cleanup is now spread probabilistically to avoid CPU usage spikes
and a drop in query throughput. [GL #5891]
Bug Fixes
* Fix named crash when processing SIG records in dynamic updates.
[GL #5818]
* Fix rndc modzone behavior for a zone in named.conf. [GL #5826]
* Fix zone verification of NSEC3 signed zones. [GL #5834]
* Prevent a crash when using both dns64 and filter-aaaa. [GL #5854]
* Fixed an assertion failure when processing catalog zones. [GL #5858]
* Prevent malicious DNSSEC zones from exhausting validator CPU. [GL #5881]
* Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
[GL #5903]
* Prevent crafted queries from degrading RRL performance. [GL #5906]
* Fix a bug in allow-query/allow-transfer catalog zone custom properties.
[GL #5941]
* Fix a memory leak issue in catalog zones. [GL #5943]
* Fix suppressed missing-glue check in named-checkzone.
* Reject record sets too large to serve in DNS. [GL !11963]
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 pkgsrc/net/bind918/Makefile
cvs rdiff -u -r1.39 -r1.40 pkgsrc/net/bind918/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/net/bind918/Makefile
diff -u pkgsrc/net/bind918/Makefile:1.67 pkgsrc/net/bind918/Makefile:1.68
--- pkgsrc/net/bind918/Makefile:1.67 Wed Apr 1 21:55:55 2026
+++ pkgsrc/net/bind918/Makefile Wed May 20 13:07:16 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.67 2026/04/01 21:55:55 taca Exp $
+# $NetBSD: Makefile,v 1.68 2026/05/20 13:07:16 taca Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
@@ -15,7 +15,7 @@ CONFLICTS+= host-[0-9]*
MAKE_JOBS_SAFE= no
-BIND_VERSION= 9.18.48
+BIND_VERSION= 9.18.49
BUILD_DEFS+= BIND_DIR VARBASE
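Review bot: The `BIND_VERSION= 9.18.49` bump is a security update, but the log subject "net/bind918: update to 9.18.49" does not say so; the CVE identifiers (CVE-2026-3592, CVE-2026-3039, CVE-2026-5946, CVE-2026-5950) appear only in the pasted release notes. Please name them in the first line of the log so the commit is easy to find when deciding what to pull up to stable branches. The release notes also describe behaviour changes that arrive with this one-line bump: recursion, UPDATE and NOTIFY are disabled for non-IN views, and multi-round GSS-API negotiation is rejected. A short note for operators who run CHAOS or HESIOD views or `tkey-gssapi-keytab` would help them review their configuration before upgrading.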
Index: pkgsrc/net/bind918/distinfo
diff -u pkgsrc/net/bind918/distinfo:1.39 pkgsrc/net/bind918/distinfo:1.40
--- pkgsrc/net/bind918/distinfo:1.39 Wed Apr 1 21:55:55 2026
+++ pkgsrc/net/bind918/distinfo Wed May 20 13:07:16 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.39 2026/04/01 21:55:55 taca Exp $
+$NetBSD: distinfo,v 1.40 2026/05/20 13:07:16 taca Exp $
-BLAKE2s (bind-9.18.48.tar.xz) = e13114efe5651bef075e5296cdad8f7a667e6b15467d77f8b561b11886709717
-SHA512 (bind-9.18.48.tar.xz) = 9c93fe60e8fdfa140cfd535beaf42b368aed885aa97669f990f100c8d75d02cb2b0423f87e8b0f36315fda5bb998e18b7bf8d3d649e9ffe32a4724947a5bebe7
-Size (bind-9.18.48.tar.xz) = 5452356 bytes
+BLAKE2s (bind-9.18.49.tar.xz) = 9427430160992a3d37f561326f2e7ce3894ae8e60ad45c039b68ba5f24e5b4d6
+SHA512 (bind-9.18.49.tar.xz) = e5259db8b9fdb3940d4e1d95978514692777a3675fc85a83db30e049d80d8150d10e672d51eeb885a94c6bbd4573ff8fe49248117c24ff155197a24a26b09544
+Size (bind-9.18.49.tar.xz) = 5476288 bytes
SHA1 (patch-bin_named_main.c) = 4e4a763c478f1fcecb7e65968cf6ca20dacf01f1
SHA1 (patch-bin_named_os.c) = 5ecb0883076575d8ac5fcad68f9daad6c9be0d0b
SHA1 (patch-bin_named_server.c) = 52190897c4c4b141d98ca5bca7cc3eb4c83ac584
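Review bot: In the trailing context of this hunk, the `SHA1 (patch-bin_named_main.c)`, `SHA1 (patch-bin_named_os.c)` and `SHA1 (patch-bin_named_server.c)` entries are unchanged while the distfile moves from bind-9.18.48.tar.xz to bind-9.18.49.tar.xz, so the local patches were not regenerated for this release. Please confirm that all three still apply to 9.18.49 without offset or fuzz, and regenerate them if they do not. Since distinfo is the integrity anchor for the download, it is also worth stating in the log that the new BLAKE2s and SHA512 values and the 5476288-byte size were checked against the upstream-signed tarball and not only computed from the fetched file.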