From 8906aa9ec0a80b0f8998fb793f4e9491b3179179 Mon Sep 17 00:00:00 2001 From: Ralph Siemsen Date: Thu, 10 Mar 2022 13:32:34 -0500 Subject: [PATCH] bind: update to 9.11.36 Security Fixes The lame-ttl option controls how long named caches certain types of broken responses from authoritative servers (see the security advisory for details). This caching mechanism could be abused by an attacker to significantly degrade resolver performance. The vulnerability has been mitigated by changing the default value of lame-ttl to 0 and overriding any explicitly set value with 0, effectively disabling this mechanism altogether. ISC's testing has determined that doing that has a negligible impact on resolver performance while also preventing abuse. Administrators may observe more traffic towards servers issuing certain types of broken responses than in previous BIND 9 releases, depending on client query patterns. (CVE-2021-25219) ISC would like to thank Kishore Kumar Kothapalli of Infoblox for bringing this vulnerability to our attention. [GL #2899] Signed-off-by: Ralph Siemsen Signed-off-by: Steve Sakoman --- .../bind/{bind_9.11.35.bb => bind_9.11.36.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/bind/{bind_9.11.35.bb => bind_9.11.36.bb} (98%) diff --git a/meta/recipes-connectivity/bind/bind_9.11.35.bb b/meta/recipes-connectivity/bind/bind_9.11.36.bb similarity index 98% rename from meta/recipes-connectivity/bind/bind_9.11.35.bb rename to meta/recipes-connectivity/bind/bind_9.11.36.bb index 4652529623..872baf6d2f 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.35.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.36.bb @@ -21,7 +21,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "1c882705827b6aafa45d917ae3b20eccccc8d5df3c4477df44b04382e6c47562" +SRC_URI[sha256sum] = "c953fcb6703b395aaa53e65ff8b2869b69a5303dd60507cba2201305e1811681" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4 -- 2.40.1