bind-9.18.7 bind9

[Douglas R. Reno]

New point version

I know of 6 CVEs in this one - 4 high, and 2 medium, and all are remotely exploitable:

• CVE-2022-2795: Processing large delegations may severely degrade resolver performance ​https://kb.isc.org/docs/cve-2022-2795

• CVE-2022-2881: Buffer overread in statistics channel code ​https://kb.isc.org/docs/cve-2022-2881

• CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only) ​https://kb.isc.org/docs/cve-2022-2906

• CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly ​https://kb.isc.org/docs/cve-2022-3080

• CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code ​https://kb.isc.org/docs/cve-2022-38177

• CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code ​https://kb.isc.org/docs/cve-2022-38178

[Bruce Dubbs]

9.18.7 released

• [security] Fix memory leak in EdDSA verify processing. (CVE-2022-38178)

• [security] Fix serve-stale crash that could happen when stale-answer-client-timeout was set to 0 and there was a stale CNAME in the cache for an incoming query. (CVE-2022-3080)

• [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0 and later versions. The openssldh_compare(), openssldh_paramcompare(), and openssldh_todns() functions were affected. (CVE-2022-2906)

• [security] When an HTTP connection was reused to get statistics from the stats channel, and zlib compression was in use, each successive response sent larger and larger blocks of memory, potentially reading past the end of the allocated buffer. (CVE-2022-2881)

• [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795)

• [func] Make RRL code treat all QNAMEs that are subject to wildcard processing within a given zone as the same name.

• [port] The libxml2 library has deprecated the usage of xmlInitThreads() and xmlCleanupThreads() functions. Use xmlInitParser() and xmlCleanupParser() instead.

• [func] Fallback to IDNA2003 processing in dig when IDNA2008 conversion fails.

• [bug] Fix a crash on shutdown in delete_trace_entry(). Add mctx attach/detach pair to make sure that the memory context used by a memory pool is not destroyed before the memory pool itself.

• [bug] Use quotes around address strings in YAML output.

• [bug] In some cases, the dnstap query_message field was erroneously set when logging response messages.

• [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing dns_db_detachnode() call.

• [func] Change dnssec-policy to allow graceful transition from an NSEC only zone to NSEC3.

• [bug] Fix statistics channel's handling of multiple HTTP requests in a single connection which have non-empty request bodies.

• [bug] If parsing /etc/bind.key failed, delv could assert when trying to parse the built in trust anchors as the parser hadn't been reset.

• [bug] Fix +http-plain-get and +http-plain-post options support in dig. Thanks to Marco Davids at SIDN for reporting the problem.

• [bug] Fix tkey.c:buildquery() function's error handling by adding the missing cleanup code.

• [func] Zones with dnssec-policy now require dynamic DNS or inline-siging to be configured explicitly.

• [bug] An integer type overflow could cause an assertion failure when freeing memory.

• [bug] Don't enable serve-stale for lookups that error because it is a duplicate query or a query that would be dropped.

• [bug] Fix DiG lookup reference counting bug, which could be observed in NSSEARCH mode.

[Bruce Dubbs]

Fixed at commit b8007e8eb1236976a05443f4a30c74f35630c0c3

Will leave open until the security advisory is posted.

[Douglas R. Reno]

SA-11.2-012 filed. Closing.