Update to 9.18.27

New Features

- A new option signatures-jitter has been added to dnssec-policy to allow
  signature expirations to be spread out over a period of time. [GL #4554]

Feature Changes

- DNSSEC signatures that are not valid because the current time falls
  outside the signature inception and expiration dates are skipped
  instead of causing an immediate validation failure. [GL #4586]

https://downloads.isc.org/isc/bind9/9.18.27/doc/arm/html/notes.html#notes-for-bind-9-18-27

Fixes security issues reported in:

https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#security-fixes

- Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU
  load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387)

ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner
from the German National Research Center for Applied Cybersecurity ATHENE for bringing
this vulnerability to our attention. [GL #4424]

Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to
a denial-of-service condition. This has been fixed. (CVE-2023-50868) [GL #4459]

Parsing DNS messages with many different names could cause excessive CPU load.
This has been fixed. (CVE-2023-4408)

ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr
from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt
from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4234]

Specific queries could cause named to crash with an assertion failure when
nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) [GL #4281]

A bad interaction between DNS64 and serve-stale could cause named to crash with
an assertion failure, when both of these features were enabled. This has been fixed.
(CVE-2023-5679) [GL #4334]

Under certain circumstances, the DNS-over-TLS client code incorrectly attempted to
process more than one DNS message at a time, which could cause named to crash with
an assertion failure. This has been fixed. [GL #4487]

Increased release to be higher than the c9s bind9.18 component.

; Resolves: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679
Resolves: RHEL-48798
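The two 9.18.27 behaviours the commit message quotes, signatures-jitter in dnssec-policy and the validator skipping time-invalid RRSIGs, modelled in Python as an added example. It is not BIND's code and not part of this commit; the expiration = now + validity - U(0, jitter) model, the RRSIG field subset, the key tags, the owner names and the timestamps are all assumptions made for the illustration.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed "current time" for the example (assumption, not from the page).
NOW = datetime(2024, 5, 16, 12, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class Rrsig:
    """The subset of RRSIG fields this example needs (RFC 4034 section 3.1).
    Real RRSIG times are 32-bit seconds compared with serial-number
    arithmetic; datetimes are used here for readability."""
    owner: str
    key_tag: int
    inception: datetime
    expiration: datetime
    crypto_ok: bool  # stand-in for the real public-key verification result


def sign_zone(owners, now, validity, jitter, rng):
    """Assumed model of signatures-jitter: each RRset gets
    expiration = now + validity - U(0, jitter). With jitter = 0 every RRSIG in
    the zone expires at the same instant, so the whole zone falls due for
    re-signing (and re-transfer) in one burst."""
    sigs = []
    for owner in owners:
        if jitter:
            spread = timedelta(seconds=rng.uniform(0, jitter.total_seconds()))
        else:
            spread = timedelta(0)
        sigs.append(Rrsig(owner, 12345, now - HOUR, now + validity - spread, True))
    return sigs


def expiration_spread(sigs):
    """Distance between the earliest and the latest expiration in the set."""
    exps = [s.expiration for s in sigs]
    return max(exps) - min(exps)


def time_valid(sig, now):
    return sig.inception <= now <= sig.expiration


def validate_before(sigs, now):
    """Pre-9.18.27 behaviour as the notes describe it: the first RRSIG whose
    window does not contain `now` fails validation of the RRset outright."""
    for sig in sigs:
        if not time_valid(sig, now):
            return None
        if sig.crypto_ok:
            return sig.key_tag
    return None


def validate_after(sigs, now):
    """9.18.27 behaviour: time-invalid RRSIGs are skipped and the remaining
    ones are still tried, so an RRset that also carries a currently valid
    signature (e.g. during a key rollover) still validates."""
    for sig in sigs:
        if not time_valid(sig, now):
            continue
        if sig.crypto_ok:
            return sig.key_tag
    return None


def demo():
    owners = [f"host{i}.example." for i in range(200)]  # constructed zone
    no_jitter = sign_zone(owners, NOW, timedelta(days=14), timedelta(0), random.Random(1))
    jittered = sign_zone(owners, NOW, timedelta(days=14), 12 * HOUR, random.Random(1))

    # One RRset signed by two keys; the old key's signature has already expired.
    rrset_sigs = [
        Rrsig("www.example.", 1111, NOW - 30 * timedelta(days=1), NOW - HOUR, True),
        Rrsig("www.example.", 2222, NOW - HOUR, NOW + 13 * timedelta(days=1), True),
    ]
    return {
        "spread_no_jitter_s": expiration_spread(no_jitter).total_seconds(),
        "spread_jitter_s": expiration_spread(jittered).total_seconds(),
        "before": validate_before(rrset_sigs, NOW),
        "after": validate_after(rrset_sigs, NOW),
    }


if __name__ == "__main__":
    print(demo())
```

With jitter 0 the 200 RRSIGs expire in the same second; with 12h of jitter the expirations land anywhere in the last 12 hours of the validity period, which is what spreads the re-signing load. On the rollover RRset, validate_before returns None because the first RRSIG is expired, while validate_after skips it and accepts the RRset on the second key's signature.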
Petr Menšík 2024-05-16 18:08:14 +02:00
parent 6b816d15f5
commit 32176bd5fe
3 changed files with 9 additions and 4 deletions

.gitignore

@ -220,3 +220,5 @@ bind-9.7.2b1.tar.gz
/bind-9.18.20.tar.xz.asc
/bind-9.18.21.tar.xz
/bind-9.18.21.tar.xz.asc
/bind-9.18.27.tar.xz
/bind-9.18.27.tar.xz.asc


@ -80,8 +80,8 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
# ./lib/isc/string.c BSD-3-clause and/or MPL-2.0
# ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
# ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
Version: 9.18.21
Release: 7%{?dist}
Version: 9.18.27
Release: 6%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
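Review bot: Release: 6%{?dist} sits on a fresh Version: with nothing in the spec saying why it does not start at 1. The commit message explains that the number is chosen to sort above the c9s bind9.18 component, but the next person to touch this spec will see only this hunk and is likely to reset it. Put the reason next to the field, e.g. `# Release kept above the c9s bind9.18 component, do not reset to 1`, so the floor survives the next rebase.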
@ -977,6 +977,9 @@ fi;
%endif
%changelog
* Tue Oct 29 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.27-6
- Update to 9.18.27 (RHEL-48798)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 32:9.18.21-7
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
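Review bot: the new changelog entry names only RHEL-48798, while the commit message carries five CVE identifiers and the previous entry's convention puts its tracker reference (`Resolves: RHEL-64018`) in the changelog itself. Anyone reading `rpm -q --changelog bind` will not learn that 9.18.27 carries the fixes for CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517 and CVE-2023-5679. Either list them on the entry, or, if they were already fixed in this package before the rebase (the commented-out `; Resolves:` line in the message suggests they were deliberately left off the tracker), say so in the entry so the omission reads as intentional. The entry is also dated Tue Oct 29 2024, the same day as the mass-rebuild entry below it, while the commit's author date is 2024-05-16; worth a look before merging so the changelog date reflects when the rebase actually lands.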


@ -1,2 +1,2 @@
SHA512 (bind-9.18.21.tar.xz) = 3cbc1775b6ca3d5eda0c277ab1246b5baa535dac53df3e60690aa7a2529bcb0fb644f7749b21b757870e5b3bc5f53ae9f0c0db182664de1b23f7e62c3fa8757d
SHA512 (bind-9.18.21.tar.xz.asc) = 1afa22dddb5d6c42e2dea2369cc048d548ad86e3d215c692320716488419c012ac849f1699d61451353574ec4621fc93f7111658e9de7fa286336d97e33d5de6
SHA512 (bind-9.18.27.tar.xz) = d0c89821fef38e531d65b465adeb5946589775e6a4d5e2068e969f1106c961d3b202af19247b9e20f9fbde645be10d610478edf89ed0d83b39d38fb4353c693a
SHA512 (bind-9.18.27.tar.xz.asc) = 0da73d14dd8db8e55fcfe47e597fe242f7889b64e3cb383e24f90bed95b13cf38771cf7513bf621e308e5a6d10d83ae333ddd09f266fa7b1bd031192ec698404
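Review bot: the sources hunk swaps both the tarball and its detached .asc signature, but a SHA512 over the .asc only pins which signature file gets fetched; it does not show that the signature was checked against ISC's release-signing key before the hash was recorded. State the verification in the commit, e.g. `gpg --verify bind-9.18.27.tar.xz.asc bind-9.18.27.tar.xz` against the key fingerprint ISC publishes, and that the SHA512 matches the checksum ISC publishes alongside the download, so a reviewer can tell the 9.18.27 source was authenticated rather than just hashed.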