* [dunfell][PATCH] bind: update to 9.11.36
@ 2022-03-10 18:32 Ralph Siemsen
  2022-03-11  2:34 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 4+ messages in thread
From: Ralph Siemsen @ 2022-03-10 18:32 UTC (permalink / raw)
  To: openembedded-core; +Cc: Ralph Siemsen

Security Fixes

The lame-ttl option controls how long named caches certain types of
broken responses from authoritative servers (see the security advisory
for details). This caching mechanism could be abused by an attacker to
significantly degrade resolver performance. The vulnerability has been
mitigated by changing the default value of lame-ttl to 0 and overriding
any explicitly set value with 0, effectively disabling this mechanism
altogether. ISC's testing has determined that doing that has a
negligible impact on resolver performance while also preventing abuse.
Administrators may observe more traffic towards servers issuing certain
types of broken responses than in previous BIND 9 releases, depending on
client query patterns. (CVE-2021-25219)

ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. [GL #2899]

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
---
 .../bind/{bind_9.11.35.bb => bind_9.11.36.bb}                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind_9.11.35.bb => bind_9.11.36.bb} (98%)

diff --git a/meta/recipes-connectivity/bind/bind_9.11.35.bb b/meta/recipes-connectivity/bind/bind_9.11.36.bb
similarity index 98%
rename from meta/recipes-connectivity/bind/bind_9.11.35.bb
rename to meta/recipes-connectivity/bind/bind_9.11.36.bb
index 4652529623..872baf6d2f 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.35.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.36.bb
@@ -21,7 +21,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "1c882705827b6aafa45d917ae3b20eccccc8d5df3c4477df44b04382e6c47562"
+SRC_URI[sha256sum] = "c953fcb6703b395aaa53e65ff8b2869b69a5303dd60507cba2201305e1811681"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
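Review bot: The replaced SRC_URI[sha256sum] line is the only value pinning the 9.11.36 tarball fetched from ftp.isc.org, and the commit message does not say how the new hash was obtained. Please note in the message that it was checked against ISC's signed release artifact and not only computed from the downloaded file, since a hash taken from the download alone shows the fetch is repeatable, not that the source is authentic. The rename is reported at 98% similarity with this as the single changed line, so any other version-dependent values in the recipe (a license checksum, for example) are implicitly assumed to still hold for 9.11.36; a sentence confirming that would help reviewers.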
-- 
2.25.1




* Re: [OE-core] [dunfell][PATCH] bind: update to 9.11.36
  2022-03-10 18:32 [dunfell][PATCH] bind: update to 9.11.36 Ralph Siemsen
@ 2022-03-11  2:34 ` Steve Sakoman
  2022-03-11 16:28   ` Ralph Siemsen
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Sakoman @ 2022-03-11  2:34 UTC (permalink / raw)
  To: openembedded-core; +Cc: Ralph Siemsen

On Thu, Mar 10, 2022 at 8:32 AM Ralph Siemsen <ralph.siemsen@linaro.org> wrote:
>
> Security Fixes
>
> The lame-ttl option controls how long named caches certain types of
> broken responses from authoritative servers (see the security advisory
> for details). This caching mechanism could be abused by an attacker to
> significantly degrade resolver performance. The vulnerability has been
> mitigated by changing the default value of lame-ttl to 0 and overriding
> any explicitly set value with 0, effectively disabling this mechanism
> altogether. ISC's testing has determined that doing that has a
> negligible impact on resolver performance while also preventing abuse.
> Administrators may observe more traffic towards servers issuing certain
> types of broken responses than in previous BIND 9 releases, depending on
> client query patterns. (CVE-2021-25219)
>
> ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
> bringing this vulnerability to our attention. [GL #2899]
>
> Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>

This passed a-full on the autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3347

So I'll be including this in my final pull request for the 3.1.15 release.

Steve


> ---
>  .../bind/{bind_9.11.35.bb => bind_9.11.36.bb}                   | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-connectivity/bind/{bind_9.11.35.bb => bind_9.11.36.bb} (98%)
>
> diff --git a/meta/recipes-connectivity/bind/bind_9.11.35.bb b/meta/recipes-connectivity/bind/bind_9.11.36.bb
> similarity index 98%
> rename from meta/recipes-connectivity/bind/bind_9.11.35.bb
> rename to meta/recipes-connectivity/bind/bind_9.11.36.bb
> index 4652529623..872baf6d2f 100644
> --- a/meta/recipes-connectivity/bind/bind_9.11.35.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.11.36.bb
> @@ -21,7 +21,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
>             file://0001-avoid-start-failure-with-bind-user.patch \
>             "
>
> -SRC_URI[sha256sum] = "1c882705827b6aafa45d917ae3b20eccccc8d5df3c4477df44b04382e6c47562"
> +SRC_URI[sha256sum] = "c953fcb6703b395aaa53e65ff8b2869b69a5303dd60507cba2201305e1811681"
>
>  UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
>  # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
> --
> 2.25.1

* Re: [OE-core] [dunfell][PATCH] bind: update to 9.11.36
  2022-03-11  2:34 ` [OE-core] " Steve Sakoman
@ 2022-03-11 16:28   ` Ralph Siemsen
  2022-03-11 17:01     ` Alexander Kanavin
  0 siblings, 1 reply; 4+ messages in thread
From: Ralph Siemsen @ 2022-03-11 16:28 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core

On Thu, Mar 10, 2022 at 9:34 PM Steve Sakoman <steve@sakoman.com> wrote:
>
> This passed a-full on the autobuilder:
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3347
>
> So I'll be including this in my final pull request for the 3.1.15 release.

That's great, thank you.

Note that this is likely the last release of bind 9.11.x series.
This branch is EOL according to [1] and [2].

So that will make things interesting if/when the next CVE comes out...

[1] https://www.isc.org/download/
[2] https://kb.isc.org/docs/aa-00896

Regards,
Ralph



* Re: [OE-core] [dunfell][PATCH] bind: update to 9.11.36
  2022-03-11 16:28   ` Ralph Siemsen
@ 2022-03-11 17:01     ` Alexander Kanavin
  0 siblings, 0 replies; 4+ messages in thread
From: Alexander Kanavin @ 2022-03-11 17:01 UTC (permalink / raw)
  To: Ralph Siemsen; +Cc: Steve Sakoman, OE-core

Any interested parties should arrange a dunfell mixin layer for bind
9.16 (or even 9.18) then. 9.11 recipe should also print an EOL
warning.

Alex

On Fri, 11 Mar 2022 at 17:28, Ralph Siemsen <ralph.siemsen@linaro.org> wrote:
>
> On Thu, Mar 10, 2022 at 9:34 PM Steve Sakoman <steve@sakoman.com> wrote:
> >
> > This passed a-full on the autobuilder:
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3347
> >
> > So I'll be including this in my final pull request for the 3.1.15 release.
>
> That's great, thank you.
>
> Note that this is likely the last release of bind 9.11.x series.
> This branch is EOL according to [1] and [2].
>
> So that will make things interesting if/when the next CVE comes out...
>
> [1] https://www.isc.org/download/
> [2] https://kb.isc.org/docs/aa-00896
>
> Regards,
> Ralph