Merging upstream version 1:9.16.48.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

6 files changed, 102 insertions, 9 deletions

diff --git a/doc/arm/conf.py b/doc/arm/conf.py
index ba52bed..f2dd2e6 100644
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -36,6 +36,44 @@ except ImportError:
 
 
 GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/"
+KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/"
+
+
+# Custom Sphinx role enabling automatic hyperlinking to security advisory in
+# ISC Knowledgebase
+class CVERefRole(ReferenceRole):
+    def __init__(self, base_url: str) -> None:
+        self.base_url = base_url
+        super().__init__()
+
+    def run(self) -> Tuple[List[Node], List[system_message]]:
+        cve_identifier = "(CVE-%s)" % self.target
+
+        target_id = "index-%s" % self.env.new_serialno("index")
+        entries = [
+            ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None)
+        ]
+
+        index = addnodes.index(entries=entries)
+        target = nodes.target("", "", ids=[target_id])
+        self.inliner.document.note_explicit_target(target)
+
+        try:
+            refuri = self.base_url + "cve-%s" % self.target
+            reference = nodes.reference(
+                "", "", internal=False, refuri=refuri, classes=["cve"]
+            )
+            if self.has_explicit_title:
+                reference += nodes.strong(self.title, self.title)
+            else:
+                reference += nodes.strong(cve_identifier, cve_identifier)
+        except ValueError:
+            error_text = "invalid ISC Knowledgebase identifier %s" % self.target
+            msg = self.inliner.reporter.error(error_text, line=self.lineno)
+            prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+            return [prb], [msg]
+
+        return [index, target, reference], []
 
 
 # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
@@ -80,6 +118,7 @@ class GitLabRefRole(ReferenceRole):
 
 
 def setup(app):
+    roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL))
     roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL))
     app.add_crossref_type("iscman", "iscman", "pair: %s; manual page")
     # ignore :option: references to simplify doc backports to v9_16 branch
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 90421ec..1fecc77 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -46,6 +46,10 @@ for Microsoft Windows operating systems.
 
 .. include:: ../notes/notes-known-issues.rst
 
+.. include:: ../notes/notes-9.16.48.rst
+.. include:: ../notes/notes-9.16.47.rst
+.. include:: ../notes/notes-9.16.46.rst
+.. include:: ../notes/notes-9.16.45.rst
 .. include:: ../notes/notes-9.16.44.rst
 .. include:: ../notes/notes-9.16.43.rst
 .. include:: ../notes/notes-9.16.42.rst
diff --git a/doc/arm/platforms.rst b/doc/arm/platforms.rst
index 534157c..ef2949a 100644
--- a/doc/arm/platforms.rst
+++ b/doc/arm/platforms.rst
@@ -46,12 +46,11 @@ Current versions of BIND 9 are fully supported and regularly tested on the
 following systems:
 
 -  Debian 10, 11, 12
--  Ubuntu LTS 18.04, 20.04, 22.04
--  Fedora 38
+-  Ubuntu LTS 20.04, 22.04
+-  Fedora 39
 -  Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
--  FreeBSD 12.4, 13.2
--  OpenBSD 7.3
--  Alpine Linux 3.18
+-  FreeBSD 12.4, 13.2, 14.0
+-  Alpine Linux 3.19
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully
 supported.
@@ -70,6 +69,7 @@ Server 2016, none of these are tested regularly by ISC.
 -  macOS 10.12+
 -  Solaris 11
 -  NetBSD
+-  OpenBSD
 -  Other Linux distributions still supported by their vendors, such as:
 
    -  Ubuntu 20.10+
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 4bb477a..34089ca 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2496,7 +2496,7 @@ for details on how to specify IP address lists.
    :rfc:`1034` to use case-insensitive name comparisons when checking for
    matching domain names.
 
-   If left undefined, the ACL defaults to ``none``: case-insensitive
+   If left undefined, the ACL defaults to ``none``: case-sensitive
    compression is used for all clients. If the ACL is defined and
    matches a client, case is ignored when compressing domain
    names in DNS responses sent to that client.
diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt
index 4dd6796..b811174 100644
--- a/doc/arm/requirements.txt
+++ b/doc/arm/requirements.txt
@@ -1,5 +1,5 @@
 # Make Read the Docs use the exact same package versions as in
 # registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64
-Sphinx==6.2.1
-docutils==0.18.1
-sphinx_rtd_theme==1.2.2
+Sphinx==7.2.6
+docutils==0.20.1
+sphinx_rtd_theme==2.0.0
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
index c17643b..817ebd0 100644
--- a/doc/arm/security.rst
+++ b/doc/arm/security.rst
@@ -14,6 +14,56 @@
 BIND 9 Security Considerations
 ==============================
 
+Security Assumptions
+--------------------
+BIND 9's design assumes that access to the objects listed below is limited only to
+trusted parties. An incorrect deployment, which does not follow rules set by this
+section, cannot be the basis for CVE assignment or special security-sensitive
+handling of issues.
+
+Unauthorized access can potentially disclose sensitive data, slow down server
+operation, etc. Unauthorized, unexpected, or incorrect writes to listed objects
+can potentically cause crashes, incorrect data handling, or corruption.
+
+- All files stored on disk - including zone files, configuration files, key
+  files, temporary files, etc.
+- Clients communicating via :any:`control socket <controls_grammar>` using configured keys
+- Access to :any:`statistics channels <statistics_channels>` from untrusted clients
+- Sockets used for :any:`dynamic_update_policies` type `external`
+
+Certain aspects of the DNS protocol are left unspecified, such as the handling of
+responses from DNS servers which do not fully conform to the DNS protocol. For
+such a situation, BIND implements its own safety checks and limits which are
+subject to change as the protocol and deployment evolve.
+
+Authoritative Servers
+~~~~~~~~~~~~~~~~~~~~~
+By default, zones use intentionally lenient limits (unlimited size, long
+transfer timeouts, etc.). These defaults can be misused by the source of data
+(zone transfers or UPDATEs) to exhaust resources on the receiving side.
+
+The impact of malicious zone changes can be limited, to an extent, using
+configuration options listed in sections :ref:`server_resource_limits` and
+:ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`.
+
+DNS Resolvers
+~~~~~~~~~~~~~
+By definition, DNS resolvers act as traffic amplifiers;
+during normal operation, a DNS resolver can legitimately generate more outgoing
+traffic (counted in packets or bytes) than the incoming client traffic that
+triggered it. The DNS protocol specification does not currently specify limits
+for this amplification, but BIND implements its own limits to balance
+interoperability and safety. As a general rule, if a traffic amplification factor
+for any given scenario is lower than 100 packets, ISC does not handle the given
+scenario as a security issue. These limits are subject to change as DNS
+deployment evolves.
+
+All DNS answers received by the DNS resolver are treated as untrusted input and are
+subject to safety and correctness checks. However, protocol non-conformity
+might cause unexpected behavior. If such unexpected behavior is limited to DNS
+domains hosted on non-conformant servers, it is not deemed a security issue *in
+BIND*.
+
 .. _Access_Control_Lists:
 
 Access Control Lists