bind bind9 9.18.1

[Douglas R. Reno]

New point version, containing four CVEs

[Bruce Dubbs]

9.18.1 released

• [security] An assertion could occur in resume_dslookup() if the fetch had been shut down earlier. (CVE-2022-0667)

• [security] Lookups involving a DNAME could trigger an INSIST when "synth-from-dnssec" was enabled. (CVE-2022-0635)

• [security] A synchronous call to closehandle_cb() caused isc__nm_process_sock_buffer() to be called recursively, which in turn left TCP connections hanging in the CLOSE_WAIT state blocking indefinitely when out-of-order processing was disabled. (CVE-2022-0396)

• [security] The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)

• [bug] Make BIND compile with LibreSSL 3.5.0, as it was using not very accurate pre-processor checks for using shims.

• [bug] If an oversized key name of a specific length was used in the text form of an HTTP or SVBC record, an INSIST could be triggered when parsing it.

• [bug] The RecursClients statistics counter could underflow in certain resolution scenarios.

• [func] Drop the artificial limit on the number of queries processed in a single TCP read callback.

• [bug] Reimplement the maximum and idle timeouts for outgoing zone transfers.

• [bug] Reset client TCP connection when data received cannot be parsed as a valid DNS request.

• [bug] Certain TCP failures were not caught and handled correctly by the dispatch manager, causing connections to time out rather than returning SERVFAIL.

• [bug] Add a TCP "write" timer, and time out writing connections after the "tcp-idle-timeout" period has elapsed.

• [bug] An error in checking the "blackhole" ACL could cause DNS requests sent by named to fail if the destination address or prefix was specifically excluded from the ACL.

• [func] The result of each resolver priming attempt is now included in the "resolver priming query complete" log message.

• [func] Add a debug log message when starting and ending the task exclusive mode.

• [func] Use compile-time paths in the documentation.

• [test] Add system test to test engine_pkcs11.

• [bug] Log "quota reached" message when hard quota is reached when accepting a connection.

• [func] Add ECS support to the DLZ interface.

• [bug] Use L1 cache-line size detected at runtime.

• [test] Add system test to test dnssec-keyfromlabel.

• [bug] A failed view configuration during a named reconfiguration procedure could cause inconsistencies in BIND internal structures, causing a crash or other unexpected errors.

[Bruce Dubbs]

Fixed at commite5ae070f5093d4152243378cd8de7dafe7fbf022 but leaving open for security issues.

[Douglas R. Reno]

SA-11.1-015 put on website and put into advisories application