[Buildroot] [PATCH] package/bind: security bump to version 9.11.5-P4

Peter Korsgaard peter at korsgaard.com
Sat Feb 23 18:37:30 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - named could crash during recursive processing of DNAME records when
 >   deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
 >   [GL #387]

 > - When recursion is enabled but the allow-recursion and allow-query-cache
 >   ACLs are not specified, they should be limited to local networks, but they
 >   were inadvertently set to match the default allow-query, thus allowing
 >   remote queries.  This flaw is disclosed in CVE-2018-5738.  [GL #309]

 > - Code change #4964, intended to prevent double signatures when deleting an
 >   inactive zone DNSKEY in some situations, introduced a new problem during
 >   zone processing in which some delegation glue RRsets are incorrectly
 >   identified as needing RRSIGs, which are then created for them using the
 >   current active ZSK for the zone.  In some, but not all cases, the
 >   newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
 >   incompletely -- this can result in a broken chain, affecting validation of
 >   proof of nonexistence for records in the zone.  [GL #771]

 > - named could crash if it managed a DNSSEC security root with managed-keys
 >   and the authoritative zone rolled the key to an algorithm not supported by
 >   BIND 9.  This flaw is disclosed in CVE-2018-5745.  [GL #780]

 > - named leaked memory when processing a request with multiple Key Tag EDNS
 >   options present.  ISC would like to thank Toshifumi Sakaguchi for bringing
 >   this to our attention.  This flaw is disclosed in CVE-2018-5744.  [GL
 >   #772]

 > - Zone transfer controls for writable DLZ zones were not effective as the
 >   allowzonexfr method was not being called for such zones.  This flaw is
 >   disclosed in CVE-2019-6465.  [GL #790]

 > For more details, see the release notes:

 > http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

 > Change the upstream URL to HTTPS as the webserver uses HSTS:

 >>>> bind 9.11.5-P4 Downloading
 > URL transformed to HTTPS due to an HSTS policy

 > Update the hash of the license file to account for a change of copyright
 > year:

 > -Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 > +Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard
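
Added example, not part of the original message or of the Buildroot or BIND sources: a small check for the CVE-2018-5738 item above, reporting whether a named.conf has recursion enabled while leaving both allow-recursion and allow-query-cache unset, so that it depends on the default the fix corrects. The function names are hypothetical, the sample configurations are constructed, and the check assumes only the global options block matters (views and include files are not followed).

```python
import re

def strip_comments(text):
    """Drop /* */, // and # comments (simplification: ignores quoting)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_statements(conf):
    """Return {keyword: value} for top-level statements in options { }."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return {}
    stmts, depth, cur = {}, 1, ""
    for ch in text[m.end():]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:          # end of the options block
                break
        if ch == ";" and depth == 1:
            parts = cur.split(None, 1)
            if parts:
                stmts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
            cur = ""
        else:
            cur += ch
    return stmts

def relies_on_default_recursion_acl(conf):
    """True if recursion is on and neither ACL from the advisory is set."""
    opts = options_statements(conf)
    # BIND treats recursion as enabled unless it is explicitly turned off.
    recursion_on = opts.get("recursion", "yes").lower() not in ("no", "false", "0")
    explicit = "allow-recursion" in opts or "allow-query-cache" in opts
    return recursion_on and not explicit

# Constructed sample configurations.
RELYING = 'options {\n  directory "/var/named";  // sample\n  recursion yes;\n};\n'
EXPLICIT = """options {
  recursion yes;
  allow-recursion { localnets; localhost; };
  allow-query-cache { localnets; localhost; };
};"""
AUTH_ONLY = "options { recursion no; };"

if __name__ == "__main__":
    for name, conf in (("RELYING", RELYING), ("EXPLICIT", EXPLICIT), ("AUTH_ONLY", AUTH_ONLY)):
        print(name, relies_on_default_recursion_acl(conf))
```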

