Opened 3 years ago

Closed 3 years ago

#15426 closed enhancement (fixed)

bind9 bind 9.16.20 (Security Update)

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

I've been granted a freeze break for this, so back to 11.0 we go!

New point version.

Security fix for CVE-2021-25218, an easy-to-exploit remotely exploitable denial of service vulnerability.

I will attempt to have this done by the time I head off to bed tonight.

Change History (3)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned
   CVE-2021-25218: A too-strict assertion check could be triggered when
   responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if
   RRL is in use

   https://kb.isc.org/docs/cve-2021-25218

comment:2 by Douglas R. Reno, 3 years ago

The rest of the changes:

Notes for BIND 9.16.20
Security Fixes

    Fixed an assertion failure that occurred in named when it attempted to send a UDP packet that exceeded the MTU size, if Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) [GL #2856]

    named failed to check the opcode of responses when performing zone refreshes, stub zone updates, and UPDATE forwarding. This could lead to an assertion failure under certain conditions and has been addressed by rejecting responses whose opcode does not match the expected value. [GL #2762]

Feature Changes

    Testing revealed that setting the thread affinity for various types of named threads led to inconsistent recursive performance, as sometimes multiple sets of threads competed over a single resource.

    Due to the above, named no longer sets thread affinity. This causes a slight dip of around 5% in authoritative performance, but recursive performance is now consistently improved. [GL #2822]

    CDS and CDNSKEY records can now be published in a zone without the requirement that they exactly match an existing DNSKEY record, as long as the zone is signed with an algorithm represented in the CDS or CDNSKEY record. This allows a clean rollover from one DNS provider to another when using a multiple-signer DNSSEC configuration. [GL #2710]

Bug Fixes

    Authentication of rndc messages could fail if a controls statement was configured with multiple key algorithms for the same listener. This has been fixed. [GL #2756]
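The second security fix above (GL #2762) is about validating the opcode of a DNS response before acting on it. To make the check concrete, here is an added Python example, written for this page and not taken from BIND's source: it parses the fixed 12-byte DNS header, recovers the opcode from the flags word, and rejects a response whose opcode differs from that of the query it is being matched against. It goes slightly beyond the release note by also checking the QR bit and the message ID. The sample messages are constructed headers only (no question section), and the constant and function names are my own.

```python
import struct

# DNS opcodes from RFC 1035 (QUERY), RFC 1996 (NOTIFY) and RFC 2136 (UPDATE).
OPCODE_QUERY = 0
OPCODE_NOTIFY = 4
OPCODE_UPDATE = 5

HEADER_LEN = 12  # fixed-size DNS header: ID, flags, and four 16-bit counts


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields (assumed helper)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", msg[:HEADER_LEN]
    )
    return {
        "id": ident,
        "qr": (flags >> 15) & 0x1,      # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 4-bit opcode field
        "tc": (flags >> 9) & 0x1,       # truncation flag
        "rcode": flags & 0xF,           # response code
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def build_header(ident: int, qr: int, opcode: int, rcode: int = 0,
                 qdcount: int = 1, ancount: int = 0) -> bytes:
    """Build a bare DNS header; used only to construct sample messages here."""
    flags = (qr << 15) | ((opcode & 0xF) << 11) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


def check_response(sent_query: bytes, received: bytes) -> tuple:
    """Return (accepted, reason) for a message received in reply to sent_query.

    The opcode test is the point of GL #2762: a reply to a QUERY-opcode zone
    refresh must itself carry opcode QUERY; anything else is dropped rather
    than handed to code that assumes the expected opcode.
    """
    q = parse_header(sent_query)
    r = parse_header(received)
    if r["qr"] != 1:
        return False, "QR bit clear: message is a query, not a response"
    if r["id"] != q["id"]:
        return False, "ID %#06x does not match query ID %#06x" % (r["id"], q["id"])
    if r["opcode"] != q["opcode"]:
        return False, "opcode %d does not match expected opcode %d" % (
            r["opcode"], q["opcode"])
    return True, "ok"


# Constructed sample messages (headers only): a refresh-style query and three replies.
REFRESH_QUERY = build_header(0x1A2B, qr=0, opcode=OPCODE_QUERY)
GOOD_RESPONSE = build_header(0x1A2B, qr=1, opcode=OPCODE_QUERY, ancount=1)
WRONG_OPCODE_RESPONSE = build_header(0x1A2B, qr=1, opcode=OPCODE_UPDATE)
WRONG_ID_RESPONSE = build_header(0x1A2C, qr=1, opcode=OPCODE_QUERY)

if __name__ == "__main__":
    for name, reply in (("good", GOOD_RESPONSE),
                        ("wrong opcode", WRONG_OPCODE_RESPONSE),
                        ("wrong id", WRONG_ID_RESPONSE)):
        print(name, check_response(REFRESH_QUERY, reply))
```

Running the block prints one line per constructed reply: the well-formed response is accepted, while the UPDATE-opcode reply and the mismatched-ID reply are both refused with a reason. The point of doing the opcode comparison up front is that nothing downstream has to defend against a reply whose shape contradicts the request that produced it.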

comment:3 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed