6403. [security] qctx-zversion was not being cleared when it should have
been leading to an assertion failure if it needed to be
reused. (CVE-2024-4076) [GL #4507]
Resolves: RHEL-50874
6400. [security] Excessively large rdatasets can slow down database
query processing, so a limit has been placed on the
number of records that can be stored per rdataset
in a cache or zone database. This is configured
with the new "max-records-per-type" option, and
defaults to 100. (CVE-2024-1737)
[GL #497] [GL #3405]
6401. [security] An excessively large number of rrtypes per owner can
slow down database query processing, so a limit has been
placed on the number of rrtypes that can be stored per
owner (node) in a cache or zone database. This is
configured with the new "max-rrtypes-per-name" option,
and defaults to 100. (CVE-2024-1737)
[GL #3403] [GL #4548]
Does not change db methods like 9.18 fix. It makes limits set at build
time and fixed numbers, but does not need adjusting db interface to set
new limits.
Resolves: RHEL-50591
Fix of CVE-2023-6516 has changed format of map file and masterformat has
started crashing. Adjust test values to pass cleanly.
; Resolves: CVE-2023-6516
Resolves: RHEL-25381
Fix for CVE-2023-50387 introduced new additional thread. But because
isc_hp functions were removed from later bind 9.16 release, their
changes did not contain increase of hazard pointers max thread limit.
To prevent obscure memory corruption increase thread max size.
In addition place at least few INSISTs to check this is catched before
random memory overwrites begins. It would be quite difficult to track
without any check.
Resolves: RHEL-25392
; Resolves: CVE-2023-50387
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.
Related: RHEL-25392
; Related: CVE-2023-50387
Patch171 introduces undefined variables, which may fail some tests.
Define them to empty values. Also required python3-dns with SYSTEMTEST
feature enabled.
Related: RHEL-25348
; Related: CVE-2023-4408
More recent python3 module ply does not accept statements used in
isc/policy.py, which generates parsetab.py. Allow to skip that target on
local only fedora builds.
Related: RHEL-25348
; Related: CVE-2023-4408
KeyTrap - Extreme CPU consumption in DNSSEC validator. Preparing an
NSEC3 closest encloser proof can exhaust CPU resources.
6322. [security] Specific DNS answers could cause a denial-of-service
condition due to DNS validation taking a long time.
(CVE-2023-50387) [GL #4424]
Resolves: RHEL-25403 RHEL-25392
; Resolves: CVE-2023-50868 CVE-2023-50387
6319. [security] Query patterns that continuously triggered cache
database maintenance could exhaust all available memory
on the host running named. (CVE-2023-6516) [GL #4383]
Resolves: RHEL-25381
; Resolves: CVE-2023-6516
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
Resolves: RHEL-25370
; Resolves: CVE-2023-5679
RFC 1918 reverse zones
6316. [security] Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
Resolves: RHEL-25359
; Resolves: CVE-2023-5517
6315. [security] Speed up parsing of DNS messages with many different
names. (CVE-2023-4408) [GL #4234]
6321. [security] Change 6315 inadvertently introduced regressions that
could cause named to crash. [GL #4234]
6343. [bug] Fix case insensitive setting for isc_ht hashtable.
Resolves: RHEL-25348
; Resolves: CVE-2023-4408
6190. [security] Improve the overmem cleaning process to prevent the
cache going over the configured limit. (CVE-2023-2828)
[GL #4055]
Resolves: rhbz#2216654
