5960. [security] Fix serve-stale crash that could happen when stale-answer-client-timeout was set to 0 and there was a stale CNAME in the cache for an incoming query. (CVE-2022-3080) [GL #3517]
Resolves: CVE-2022-3080
- Check that an NS in an authority section returned from a forwarder which is above the name in a configured "forward first" or "forward only" zone (i.e., net/NS in a response from a forwarder configured for local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of a zone configured locally.
- Check that extra out-of-bailiwick data in the answer section is not cached (this was already working correctly, but was not explicitly tested before).
Related: CVE-2021-25220
5817. [security] The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220) [GL #2950]
Resolves: CVE-2021-25220
5818. [security] A synchronous call to closehandle_cb() caused isc__nm_process_sock_buffer() to be called recursively, which in turn left TCP connections hanging in the CLOSE_WAIT state, blocking indefinitely when out-of-order processing was disabled. (CVE-2022-0396) [GL #3112]
Resolves: CVE-2022-0396
BIND reads default system port ranges from a /proc file. Propagate just that single file to the bind chroot. The defaults should therefore be the same as in named.service.
Resolves: rhbz#2013595
Previously, named would run with a configuration where a *-source-v6 (notify-source-v6, transfer-source-v6 and query-source-v6) address and port could simultaneously be used for listening. This is no longer true for BIND 9.16+, and the code that would do interface adjustments would unexpectedly disable listening on TCP for such interfaces.
Resolves: rhbz#1999691
Resolves CVE-2021-25215 and CVE-2021-25214.
Removes the disable-isc-spnego flag, because the custom ISC SPNEGO code was removed along with this flag. It is the default (and the only) option now.
(cherry picked from commit f8cb93d57c5be83e9cfbb515d2e8fc1abef24e29)
Resolves: rhbz#1956777
It prevents compilation of bind-dyndb-ldap. Because config.h is never used by bind-dyndb-ldap, stop exporting it in the devel package. It should be only an implementation detail.
(cherry picked from commit 2e4a03677c85aae0659ec29432362548ce722747)
Resolves: rhbz#1956777
Reworked the custom Red Hat version. The complete version is now part of the library names. The libraries are not recommended for any third-party application; they are still required only for bind-dyndb-ldap.
The version of named changed: only the suffix -RH is appended to the upstream version. Therefore dig would not contain version 9.6.11-RedHat-9.6.11-1.fc34, but only 9.6.13-RH. The version of the Fedora build has to be obtained from rpm -q bind.
The version is now part of the library names; bind-libs-lite was merged into bind-libs. bind-dyndb-ldap needs the whole of bind, so there is no point in offering a smaller library set just for its dependencies.
Also updated the named(8) manual page to match the current state of SELinux.
(cherry picked from commit 76074cd59a69a940a8d4d165d5ed1c77d397cd10)
Resolves: rhbz#1956777
OpenQA tests are already started for critpath components. FreeIPA results are checked by the Fedora critpath checks; it does not need to be in gating.yaml.
Check the fedora-infra/ansible repo, roles/openshift-apps/greenwave/templates/fedora.yaml, for details.
(cherry picked from commit f182202f6ea6305ddfcac02797269203115571dd)
Related: rhbz#1956777