Opened 9 months ago

Closed 9 months ago

#21613 closed enhancement (fixed)

bind9 bind 9.20.9

Reported by: Bruce Dubbs
Owned by: thomas
Priority: normal
Milestone: 12.4
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by thomas, 9 months ago

Security Fixes

  • Prevent an assertion failure when processing TSIG algorithm.

DNS messages that included a Transaction Signature (TSIG) containing an invalid value in the algorithm field caused named to crash with an assertion failure. This has been fixed. (CVE-2025-40775) [GL #5300]

Feature Changes

  • Return DNS COOKIE and NSID with BADVERS.

This change allows the client to identify a server that returns a BADVERS response and to provide a DNS SERVER COOKIE to be included in the resent request. [GL #5235]

  • Disable separate memory context for libxml2 memory allocations on macOS.

As of macOS Sequoia 15.4, custom memory allocation functions are no longer supported by the system-wide version of libxml2. This prevents tracking libxml2 memory allocations in a separate named memory context, so the latter has been disabled on macOS; the system allocator is now directly used for libxml2 memory allocations on that operating system. [GL #5268]

  • Use Jinja2 templates in system tests.

python-jinja2 is now required to run system tests. [GL #4938]

Bug Fixes

  • Revert NSEC3 closest encloser lookup improvements.

The performance improvements for NSEC3 closest encloser lookups that were restored in BIND 9.20.8 turned out to cause incorrect NSEC3 records to be returned in nonexistence proofs and were therefore reverted again. [GL #5292]

  • Fix EDNS YAML output in dig.

dig was producing invalid YAML when displaying some EDNS options. This has been corrected.

Several other improvements have been made to the display of EDNS option data:

      • The correct name is now used for the UPDATE-LEASE option, which was previously displayed as UL, and it is split into separate LEASE and LEASE-KEY components in YAML mode.
      • Human-readable durations are now displayed as comments in YAML mode so as not to interfere with machine parsing.
      • KEY-TAG options are now displayed as an array of integers in YAML mode.
      • EDNS COOKIE options are displayed as separate CLIENT and SERVER components, and cookie STATUS is a retrievable variable in YAML mode.

[GL #5014]

  • Fix RDATA checks for PRIVATEOID keys.

In PRIVATEOID keys, the key data begins with a length byte followed by an ASN.1 object identifier that indicates the cryptographic algorithm to use. Previously, the length byte was not accounted for when checking the contents of keys and signatures, which could have led to interoperability problems with any zones signed using PRIVATEOID. This has been fixed. [GL #5270]

  • Fix a serve-stale issue with a delegated zone.

Even with stale-answer-client-timeout set to 0, stale responses were not returned immediately for names in domains delegated from authoritative zones configured on the resolver. This has been fixed. [GL #5275]

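A worked illustration of the PRIVATEOID length-byte point from the "Fix RDATA checks for PRIVATEOID keys" item above. This is an added example in Python, not BIND code and not a reconstruction of the fixed check; it follows the field layout of RFC 4034 Appendix A.1.1 (one length byte, a BER-encoded OID of that many octets, then algorithm-specific data, in both the DNSKEY public-key area and the RRSIG signature area). The OID 1.3.6.1.4.1.99999.1, the key bytes and all function names are constructed for the example.

```python
"""PRIVATEOID (DNSKEY algorithm 254) key and signature field parsing.

Added example, not BIND source. Layout per RFC 4034 Appendix A.1.1: the
public-key area of a DNSKEY and the signature area of an RRSIG both start
with one unsigned length byte, then a BER-encoded OID of that many octets,
then the algorithm-specific data. The point of the 9.20.9 fix is that the
first byte is a length, not part of the OID: the OID starts at offset 1
and the length byte bounds it.
"""
import struct

PRIVATEOID = 254  # DNSKEY algorithm number reserved for OID-identified algorithms


def decode_ber_oid(data: bytes) -> str:
    """Decode BER OBJECT IDENTIFIER content octets to dotted-decimal form."""
    if not data:
        raise ValueError("empty OID")
    if data[-1] & 0x80:
        raise ValueError("truncated OID: final octet has the continuation bit set")
    arcs, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # more base-128 digits of this subidentifier follow
        if not arcs:
            first = min(value // 40, 2)  # first subidentifier packs two arcs
            arcs.extend([first, value - 40 * first])
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


def encode_ber_oid(dotted: str) -> bytes:
    """Inverse of decode_ber_oid; used here only to build sample input."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([sid & 0x7F])
        sid >>= 7
        while sid:
            chunk.insert(0, 0x80 | (sid & 0x7F))
            sid >>= 7
        out += chunk
    return bytes(out)


def build_privateoid_field(oid: str, material: bytes) -> bytes:
    """Serialize: length byte + BER OID + algorithm-specific data."""
    oid_bytes = encode_ber_oid(oid)
    if not 1 <= len(oid_bytes) <= 255:
        raise ValueError("OID does not fit a one-byte length prefix")
    return bytes([len(oid_bytes)]) + oid_bytes + material


def split_privateoid_field(field: bytes) -> tuple[str, bytes]:
    """Return (dotted OID, remaining data), validating the length byte.

    These are the checks the length byte makes necessary: it must be present,
    non-zero, and must not point past the end of the field.
    """
    if not field:
        raise ValueError("missing OID length byte")
    oid_len = field[0]
    if oid_len == 0:
        raise ValueError("zero-length OID")
    end = 1 + oid_len  # OID occupies field[1:end]; the length byte is not part of it
    if len(field) < end:
        raise ValueError("OID length byte points past end of field")
    return decode_ber_oid(field[1:end]), field[end:]


def is_well_formed(field: bytes) -> bool:
    try:
        split_privateoid_field(field)
        return True
    except ValueError:
        return False


def parse_dnskey_rdata(rdata: bytes) -> tuple[int, int, int, bytes]:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key (rest)."""
    flags, protocol, algorithm = struct.unpack(">HBB", rdata[:4])
    return flags, protocol, algorithm, rdata[4:]


def signature_matches_key(key_field: bytes, sig_field: bytes) -> bool:
    """An RRSIG made with a PRIVATEOID key must carry the same OID prefix."""
    key_oid, _ = split_privateoid_field(key_field)
    sig_oid, _ = split_privateoid_field(sig_field)
    return key_oid == sig_oid


if __name__ == "__main__":
    # Constructed sample: a hypothetical OID under the IANA private-enterprise arc.
    oid = "1.3.6.1.4.1.99999.1"
    key = build_privateoid_field(oid, b"\x01\x02\x03")
    rdata = struct.pack(">HBB", 257, 3, PRIVATEOID) + key  # KSK flags, protocol 3
    _, _, alg, pub = parse_dnskey_rdata(rdata)
    print(alg == PRIVATEOID, split_privateoid_field(pub))
    print(signature_matches_key(key, build_privateoid_field(oid, b"\xaa" * 4)))
```

The interoperability angle in the release note follows from the layout: a checker that reads the OID from offset 0 compares a length byte against OID octets, so a zone signed with PRIVATEOID by another implementation would fail key and signature checks even when both sides agree on the OID.
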
comment:2 by thomas, 9 months ago

Owner: changed from blfs-book to thomas
Status: new → assigned

comment:3 by thomas, 9 months ago

Fixed in [f746b77779]

Leaving open for now to check on the CVE

comment:4 by thomas, 9 months ago

Resolution: fixed
Status: assigned → closed

Hope I did the SA right.
