Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#16558 closed enhancement (fixed)

bind9-9.18.3 bind

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: elevated Milestone: 11.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Bruce Dubbs, 2 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 2 years ago

9.18.3 released

  • [security] Fix a crash in DNS-over-HTTPS (DoH) code caused by premature TLS stream socket object deletion. (CVE-2022-1183) Moderate impact: 7.5.
  • [bug] RPZ NSIP and NSDNAME rule processing didn't handle stub and static-stub zones at or above the query name. This has now been addressed.
  • Avoid name space collision in dlz modules by prefixing functions with 'dlz_'.
  • [func] Add new named command-line option -C to print built-in defaults.
  • [contrib] dlz: Add FALLTHROUGH and UNREACHABLE macros.
  • [func] Introduce the concept of broken catalog zones described in the DNS catalog zones draft version 5 document.
  • [func] Add DNS Extended Errors when stale answers are returned from cache.

  • [bug] Fixed a deadlock that could occur if an rndc connection arrived during the shutdown of network interfaces.
  • [bug] Refactor the fctx_done() function to set fctx to NULL after detaching, so that reference counting errors will be easier to avoid.
  • [bug] udp_recv() in dispatch could trigger an INSIST when the callback's result indicated success but the response was canceled in the meantime.
  • [bug] Work around a jemalloc quirk which could trigger an out-of-memory condition in named over time.
  • [bug] If there was a pending negative cache DS entry, validations depending upon it could fail.
  • [bug] dig returned a 0 exit status on UDP connection failure.

  • [func] Implement support for catalog zones change of ownership (coo) mechanism described in the DNS catalog zones draft version 5 document.
  • [func] Implement support for catalog zones options new syntax based on catalog zones custom properties with "ext" suffix described in the DNS catalog zones draft version 5 document.
  • [bug] Fix an assertion failure when using dig with +nssearch and +tcp options by starting the next query in the send_done() callback (like in the UDP mode) instead of doing that recursively in start_tcp(). Also ensure that queries interrupted while connecting are detached properly.
  • [bug] Don't remove CDS/CDNSKEY DELETE records on zone sign when using 'auto-dnssec maintain;'.
  • [func] Implement reference counting for TLS contexts and allow reloading of TLS certificates on reconfiguration without destroying the underlying TCP listener sockets for TLS-based DNS transports.
  • [cleanup] Remove use of exclusive mode in ns_interfacemgr in favor of rwlocked access to localhost and localnets members of dns_aclenv_t structure.
  • [cleanup] Remove the task exclusive mode use in ns_clientmgr.
  • [func] Add support for remote TLS certificates verification, both to BIND and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3.

comment:3 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed at commits:

4d14be0462 Update to libwww-perl-6.66.
f9478ee04a Update to LVM2.2.03.16.
673b197e2b Update to gtk+3-3.24.34.
6edb9af171 Update to bind-9.18.3.

comment:4 by Douglas R. Reno, 2 years ago

Priority: normal → elevated

Retroactively mark as Elevated due to CVE-2022-1183

An oss-security post was also put out:

On May 18 2022, we (Internet Systems Consortium) have disclosed a vulnerability affecting our BIND software:

CVE-2022-1183: Destroying a TLS session early triggers assertion failure

https://kb.isc.org/v1/docs/cve-2022-1183

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of the release directories for our affected stable release branch (9.18):

9.18: https://downloads.isc.org/isc/bind9/9.18.3/patches/

With the public announcement of this vulnerability, the embargo period is ended and any updated software packages that have been prepared may be released.

---

The security advisory was already put out, just dropping the info into the ticket for future reference
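As an added example (not part of this ticket or of ISC's advisory), the check a packager or operator would run against the installed binary after reading the above: classify a `named -v` banner against CVE-2022-1183. ISC's advisory lists 9.18.0 through 9.18.2 as the affected stable releases, with the fix in 9.18.3, so the script only judges the 9.18 branch and reports anything else as out of scope. The banner format assumed is the one `named -v` prints, "BIND <version> (...)"; the sample banners and their `<id:...>` fields below are constructed.

```shell
#!/bin/sh
# Added example, not part of the BLFS ticket or ISC's advisory.
# Classifies an installed BIND against CVE-2022-1183 from its `named -v`
# banner. ISC lists 9.18.0 through 9.18.2 as affected; 9.18.3 carries the
# fix, so only the 9.18 branch is judged here.
# Assumption: the banner starts "BIND <version>", as `named -v` prints it.

# Pull the dotted version out of a `named -v` banner.
#   "BIND 9.18.2 (Stable Release) <id:0000000>" -> "9.18.2"
named_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*[0-9]\).*$/\1/p'
}

# Print "affected", "fixed" or "other-branch" for a dotted X.Y[.Z] version.
cve_2022_1183_status() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;  # tolerate a 4th component
        *)   patch=0 ;;                                # "9.18" means 9.18.0
    esac
    if [ "$major" -ne 9 ] || [ "$minor" -ne 18 ]; then
        echo other-branch
    elif [ "$patch" -ge 3 ]; then
        echo fixed
    else
        echo affected
    fi
}

# Combine the two for a raw banner; unparseable input yields "unknown".
check_named_banner() {
    ver=$(named_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    else
        cve_2022_1183_status "$ver"
    fi
}

# Constructed sample banners standing in for `named -v` on three hosts
# (the <id:...> values are placeholders, not real build ids).
# For the live binary: check_named_banner "$(named -v)"
for banner in \
    'BIND 9.18.2 (Stable Release) <id:0000000>' \
    'BIND 9.18.3 (Stable Release) <id:0000000>' \
    'BIND 9.16.28 (Extended Support Version) <id:0000000>'
do
    printf '%-55s %s\n' "$banner" "$(check_named_banner "$banner")"
done
```

Run it on each host that ships BIND from the 9.18 branch; "affected" means either the 9.18.3 upgrade this ticket records or the per-CVE patch from the 9.18.3 patches directory linked above is still outstanding.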
