#17562 closed enhancement (fixed)

bind9 bind 9.18.11

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Contains three security fixes, all rated as High severity and entirely remotely exploitable; see https://www.openwall.com/lists/oss-security/2023/01/25/2

Change History (3)

comment:1 by Bruce Dubbs, 17 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 17 months ago

Summary: bind9 bind 9.18.10 → bind9 bind 9.18.11

9.18.11 released

  • [security] Fix serve-stale crash when recursive clients soft quota is reached. (CVE-2022-3924)
  • [security] Handle RRSIG lookups when serve-stale is active. (CVE-2022-3736)
  • [security] An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of simultaneous UPDATE messages that can be processed or forwarded. The default is 100. A stats counter has been added to record events when the update quota is exceeded, and the XML and JSON statistics version numbers have been updated. (CVE-2022-3094)
  • [func] The DSCP implementation, which has been nonfunctional for some time, is now marked as obsolete and the implementation has been removed. Configuring DSCP values in named.conf has no effect, and a warning will be logged that the feature should no longer be used.

  • [bug] Fix unexpected "Prohibited" extended DNS error on allow-recursion.
  • [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() by detaching from the zone manager outside of the write lock.

  • [bug] In some serve stale scenarios, like when following an expired CNAME record, named could return SERVFAIL if the previous request wasn't successful. Consider non-stale data when in serve-stale mode.
  • [bug] Prevent named from crashing when "rndc delzone" attempts to delete a zone added by a catalog zone.
  • [bug] Fix an ADB quota management bug in resolver.

  • [bug] Improve thread safety in the dns_dispatch unit.
  • [bug] Changes to the RPZ response-policy min-update-interval and add-soa options now take effect as expected when named is reconfigured.
  • [bug] Exclude ADB hashtables from the ADB memory overmem checks and don't clean ADB names and ADB entries used in the last 10 seconds (ADB_CACHE_MINIMUM).
  • [bug] Fix a log message error in dns_catz_update_from_db(), where serials with values of 2^31 or larger were logged incorrectly as negative numbers.
  • [bug] Try the next server instead of trying the same server again on an outgoing query timeout.
  • [bug] TLS session resumption might lead to handshake failures when client certificates are used for authentication (Mutual TLS). This has been fixed.
  • [cleanup] The list of supported DNSSEC algorithms changed log level from "warning" to "notice" to match named's other startup messages.
  • [bug] There was an "RSASHA236" typo in a log message.
  • [func] Implement incremental resizing of isc_ht hash tables to perform the rehashing gradually. The catalog zone implementation has been optimized to work with hundreds of thousands of member zones.

comment:3 by Bruce Dubbs, 17 months ago

Resolution: fixed
Status: assigned → closed