During errata testing we use /plans/bind/* plans because we have
multiple bind components (bind9.18, and also bind9.20 will be coming
soon).
CI was using /plans/* plans for the bind component, which is
inconsistent with what we use for errata testing.
LANG=C was not propagating the locale change to the test script
correctly, resulting in `sort` using the default en_US.UTF-8 locale,
which created an entry order different from the expected output.
Resolves: RHEL-6454
It appears that the issues reported in RHEL-142289
and RHEL-86172 were introduced in bind somewhere
between v9.16.23 and v9.16.50. Backport fixes for those,
otherwise we'll get a regression.
Resolves: RHEL-6454
Some file changes were completely missing in the cherry-picks
of CVE-2024-1737 upstream test changes, as well as older backports
causing issues with the new version of bind.
Resolves: RHEL-6454
Attempts to modify behaviour done in 9.16.33. It requires explicit
specification of inline-signing yes for any zone, which has specified
dnssec-policy. For primary zones also when allow-update and
update-policy are disabled. Turn it into warning only on RHEL builds,
do not prevent starting of named.
That should roughly emulate error message present on 9.16.23:
'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on
a non-dynamic DNS zone.
But point a link into upstream KB article in any case. This has appeared
only when inline-signing were specified in a zone block. For that case
make it still fatal, but with new message.
https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#known-issues
Related to upstream commit 30fceec069ae0942749e6aa783f67756e82fcaae.
Resolves: RHEL-6454
No more variants are built for RHEL9 anyway, just single build of bind
is made. Engines are used instead from freeipa by -E parameter. Remove
extra changes for testing alternative builds.
Resolves: RHEL-6454
Remove manual applying using %patchX by using %autopatch with ranges.
Those ranges are used because of PKCS11 feature, which is still
disabled.
Resolves: RHEL-6454
Recursion, dynamic updates (UPDATE), and zone change notifications
(NOTIFY) are now disabled for views with a class other than IN
(such as CHAOS or HESIOD); authoritative service for non-IN zones
(e.g. version.bind in class CHAOS) continues to work as before.
Servers configured with recursion yes in a non-IN view will log a
warning at startup, and named-checkconf flags the same condition.
UPDATE and NOTIFY messages that specify the meta-classes ANY or NONE
in the question section are now rejected with FORMERR.
This addresses a set of closely related security issues collectively
identified as CVE-2026-5946. ISC would like to thank Mcsky23 for
bringing these issues to our attention.
[9.16] fix: dev: Pass empty string instead of NULL to ns_client_dumpmessage()
Pass "" instead of NULL to ns_client_dumpmessage() to get the log message printed.
Resolves-Vulnerability: CVE-2026-5946
Resolves: RHEL-177764
Fixed a memory leak where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a server with tkey-gssapi-keytab configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting.
Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round.
Also implemented missing RFC 3645 requirement: the client now verifies that mutual authentication and integrity flags are granted by the GSS-API mechanism (Section 3.1.1).
Resolves-Vulnerability: CVE-2026-3039
Resolves: RHEL-177771
DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
validating resolver encountering such a delegation processed these
iterations up to the number given, which could be a maximum of 65,535.
This has been addressed by introducing a processing limit, set at 150.
Now, if such an NSEC3 record is encountered, the delegation will be
treated as insecure.
ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention.
Closes isc-projects/bind9#5708
Backport of MR !935
Resolves-Vulnerability: CVE-2026-1519
One of libdir directories was forgotten. It is the directory containing
the actual plugin, might cause issues if filter-aaaa.so plugin is used.
Resolves: RHEL-135629
Drop original user creating in favor of sysusers file definition.
(cherry picked from commit 071ec07d27989a8d548834292fa46ca2312b4862)
(cherry picked from commit efb20ad8e7)
Resolves: RHEL-135629
Imagemode might have separate /var partition not properly initialized by
package installation. Add creation of compat files into tmpfiles.d
definition.
Make copies of those files from /var/named to /usr/shared/named, so we
even have some place to symlink them from. Originally it had only copy
in sample documentation, which may not be installed.
These source file should be read-only from named and not modified
anyway. Move them to /usr/share/named as read-only, always present
sources. Make symlinks in /var/named to point to them only when files
are missing.
To maximize backward compatibility, make copies and avoid replacing
those files with symlinks.
Resolves: RHEL-122168
IDNA tests always redirect output into the file. That means its
behaviour has changed and is now processing IDN input by default and
just disables IDN output by default.
New behaviour when redirected is the same as +idnin +noidnout, but does
not fail hard on input errors.
Resolves: RHEL-66172
Many variants are never built anymore. Clean actions to just those still
shipped. But do not trigger named reload when named.run file is empty.
That is common on freeipa installation, where configuration changes
logging to put it elsewhere. named reload is disruptive because how
bind-dyndb-ldap behaves during reloads. Avoid unnecessary reloads with
visible service disruption.
Keep named-pkcs11 reload variant.
Resolves: RHEL-113942
Use the same name in dig or host utilities when stdout is not a
terminal. Until now it disabled IDN processing when stdout were not a
terminal. Disable just IDN output in that case and try to decode input
name with IDN. Keep failing in interactive sessions, but send even
undecoded name query when output is redirected.
That should limit new surprises and keep most of behaviour without
changes. But do not break in when input name failed to decode and
it were not trying to decode it before.
Resolves: RHEL-66172
NAMED_MAXADDITIONAL environment can change default limit of 13. Format
is just number of accepted NS, which will be processed for additional
records.
Resolves: RHEL-84006
When too many NS records are fetched from authoritative zone, limit
number of fetched additional records. Instead of not producing any
additional record when there is over 13 NS servers, limit number of
records for which those records would be fetched.
Resolves: RHEL-84006
resume_qmin did not handle special case of recursing query hit
unexpected DNS_R_CNAME result. Change result to SERVFAIL in case
of a zone loaded after the recursion started. That prevents crashing
later in query_setorder, where there is uninitialized foundname compared
with absolute order names.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
Resolves: RHEL-30407
Intended to be run like:
centpkg mockbuild --with SYSTEMTEST -N --enable-network
Do fail when it does not pass. But allow running tests as root.
Related: RHEL-76884
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.
Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.
Vulnerability: CVE-2024-11187
Resolves: RHEL-76884
RPM tools keep complaining about old-style patches applying with
%patchX. Avoid that by using autopatch from now on, applying all changes
sorted but patch number.
Related: RHEL-76884
Fix local rebuilds on Fedora. BIND 9.16 does not work well with fortify
source level 3. Fix also DEFAULT_HMAC not properly set in tests, failing
reclimit test. That was issue only of backport.
Resolves: RHEL-49900
This aligns the fix for large number of RRs in RRSet with 9.18 and up
by backporting to `max-records-per-type` configuration option to
BIND 9.16.
Merge branch 'ondrej/max-types-per-rr-backport-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9178
Resolves: RHEL-49900
This aligns the fix for large number of RRs in RRSet with 9.18 and up
by backporting to `max-records-per-type` configuration option to
BIND 9.16.
Merge branch 'ondrej/max-records-per-type-backport-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9177
Remove also custom environment feature, which is not necessary with
proper config options backported.
Increase rightmost version to become higher than _4 suffix.
Resolves: RHEL-49900
Do not introduce new options into configuration file. But if limits are
hit in unexpected way, allow tuning them by environment variables
DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept number of
maximum records of types. Both defaults to 100.
These replaces max-records-per-type and max-types-per-name in later
versions. But can be configured only by environment and can be
configured only globally, not in each view or zone.
Related: RHEL-49900
6403. [security] qctx-zversion was not being cleared when it should have
been leading to an assertion failure if it needed to be
reused. (CVE-2024-4076) [GL #4507]
Resolves: RHEL-49940
6400. [security] Excessively large rdatasets can slow down database
query processing, so a limit has been placed on the
number of records that can be stored per rdataset
in a cache or zone database. This is configured
with the new "max-records-per-type" option, and
defaults to 100. (CVE-2024-1737)
[GL #497] [GL #3405]
6401. [security] An excessively large number of rrtypes per owner can
slow down database query processing, so a limit has been
placed on the number of rrtypes that can be stored per
owner (node) in a cache or zone database. This is
configured with the new "max-rrtypes-per-name" option,
and defaults to 100. (CVE-2024-1737)
[GL #3403] [GL #4548]
Does not change db methods like 9.18 fix. It makes limits set at build
time and fixed numbers, but does not need adjusting db interface to set
new limits.
Resolves: RHEL-49900
Extends even more change Downstream specific changes related to KeyTrap,
which added safety guards into hazard pointers. Because it seems they
are not still enough. Add fixed base to accomodate common threads like
main app thread and ldap worker threads. Multiply one more, just to be
sure. We do not want to hit maximal limit again.
Resolves: RHEL-39131
Builds were made, but did not hit public repositories. Errata for RHEL
were done before these could be published, but we need another errata
just for CentOS Stream.
Resolves: RHEL-25130 RHEL-25132 RHEL-25162 RHEL-25166 RHEL-25169 RHEL-25173
Fix of CVE-2023-6516 has changed format of map file and masterformat has
started crashing. Adjust test values to pass cleanly.
Related: RHEL-25375
; Related: CVE-2023-6516
Fix for CVE-2023-50387 introduced new additional thread. But because
isc_hp functions were removed from later bind 9.16 release, their
changes did not contain increase of hazard pointers max thread limit.
To prevent obscure memory corruption increase thread max size.
In addition place at least few INSISTs to check this is catched before
random memory overwrites begins. It would be quite difficult to track
without any check.
Resolves: RHEL-25386
; Resolves: CVE-2023-50387