This update for bind fixes the following issues:
Update to release 9.18.28
Security fixes:
- CVE-2024-0760: Fixed a flood of DNS messages over TCP may make the server unstable (bsc#1228255)
- CVE-2024-1737: Fixed BINDβs database will be slow if a very large number of RRs exist at the same name (bsc#1228256)
- CVE-2024-1975: Fixed SIG(0) can be used to exhaust CPU resources (bsc#1228257)
- CVE-2024-4076: Fixed assertion failure when serving both stale cache data and authoritative zone content (bsc#1228258)
Changelog:
- Command-line options for IPv4-only (named -4) and IPv6-only
(named -6) modes are now respected for zone primaries,
also-notify, and parental-agents.
- An RPZ responseβs SOA record TTL was set to 1 instead of the
SOA TTL, if add-soa was used. This has been fixed.
- When a query related to zone maintenance (NOTIFY, SOA) timed
out close to a view shutdown (triggered e.g. by rndc reload),
named could crash with an assertion failure. This has been
fixed.
- The statistics channel counters that indicated the number of
currently connected TCP IPv4/IPv6 clients were not properly
adjusted in certain failure scenarios. This has been fixed.
- Some servers that could not be reached due to EHOSTDOWN or
ENETDOWN conditions were incorrectly prioritized during server
selection. These are now properly handled as unreachable.
- On some systems the libuv call may return an error code when
sending a TCP reset for a connection, which triggers an
assertion failure in named. This error condition is now dealt
with in a more graceful manner, by logging the incident and
shutting down the connection.
- Changes to listen-on statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That
issue has been fixed.
- A bug in the keymgr code unintentionally slowed down some
DNSSEC key rollovers. This has been fixed.
- Some ISO 8601 durations were accepted erroneously, leading to
shorter durations than expected. This has been fixed
- A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed.
- Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed.
- The logic for cleaning up expired cached DNS records was
tweaked to be more aggressive. This change helps with enforcing
max-cache-ttl and max-ncache-ttl in a timely manner.
- It was possible to trigger a use-after-free assertion when the
overmem cache cleaning was initiated. This has been fixed.
New Features:
- A new option signatures-jitter has been added to dnssec-policy
to allow signature expirations to be spread out over a period
of time.
- The statistics channel now includes counters that indicate the
number of currently connected TCP IPv4/IPv6 clients.
- Added RESOLVER.ARPA to the built in empty zones.
Feature Changes:
- DNSSEC signatures that are not valid because the current time
falls outside the signature inception and expiration dates are
skipped instead of causing an immediate validation failure.
Security Fixes:
- A malicious DNS client that sent many queries over TCP but
never read the responses could cause a server to respond slowly
or not at all for other clients. This has been fixed.
(CVE-2024-0760)
- It is possible to craft excessively large resource records
sets, which have the effect of slowing down database
processing. This has been addressed by adding a configurable
limit to the number of records that can be stored per name and
type in a cache or zone database. The default is 100, which can
be tuned with the new max-records-per-type option.
- It is possible to craft excessively large numbers of resource
record types for a given owner name, which has the effect of
slowing down database processing. This has been addressed by
adding a configurable limit to the number of records that can
be stored per name and type in a cache or zone database. The
default is 100, which can be tuned with the new
max-types-per-name option. (CVE-2024-1737)
- Validating DNS messages signed using the SIG(0) protocol (RFC
2931) could cause excessive CPU load, leading to a
denial-of-service condition. Support for SIG(0) message
validation was removed from this version of named.
(CVE-2024-1975)
- Due to a logic error, lookups that triggered serving stale data
and required lookups in local authoritative zone data could
have resulted in an assertion failure. This has been fixed.
- Potential data races were found in our DoH implementation,
related to HTTP/2 session object management and endpoints set
object management after reconfiguration. These issues have been
fixed.
- When looking up the NS records of parent zones as part of
looking up DS records, it was possible for named to trigger an
assertion failure if serve-stale was enabled. This has been
fixed. (CVE-2024-4076)