author Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-27 23:51:29 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-27 23:51:29 +0000
commit 113ad32e9cd2dcda12f12aa8a72d56b73ff4f4cc
tree 76bbb508aac2452b17d73bcd162adc8cc7602e69 /doc/notes
parent Releasing progress-linux version 1:9.16.44-1~deb11u1progress6u1.
Merging upstream version 1:9.16.48.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/notes')
-rw-r--r-- doc/notes/notes-9.16.12.rst 2
-rw-r--r-- doc/notes/notes-9.16.15.rst 6
-rw-r--r-- doc/notes/notes-9.16.20.rst 2
-rw-r--r-- doc/notes/notes-9.16.22.rst 2
-rw-r--r-- doc/notes/notes-9.16.27.rst 4
-rw-r--r-- doc/notes/notes-9.16.3.rst 6
-rw-r--r-- doc/notes/notes-9.16.33.rst 8
-rw-r--r-- doc/notes/notes-9.16.37.rst 6
-rw-r--r-- doc/notes/notes-9.16.4.rst 7
-rw-r--r-- doc/notes/notes-9.16.42.rst 4
-rw-r--r-- doc/notes/notes-9.16.44.rst 2
-rw-r--r-- doc/notes/notes-9.16.45.rst 26
-rw-r--r-- doc/notes/notes-9.16.46.rst 19
-rw-r--r-- doc/notes/notes-9.16.47.rst 20
-rw-r--r-- doc/notes/notes-9.16.48.rst 69
-rw-r--r-- doc/notes/notes-9.16.6.rst 13
16 files changed, 164 insertions, 32 deletions
diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst
index d236f5e..30e84cb 100644
--- a/doc/notes/notes-9.16.12.rst
+++ b/doc/notes/notes-9.16.12.rst
@@ -22,7 +22,7 @@ Security Fixes
authentication). This flaw could be exploited to crash ``named``.
Theoretically, it also enabled remote code execution, but achieving
the latter is very difficult in real-world conditions.
- (CVE-2020-8625)
+ :cve:`2020-8625`
This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
Trend Micro Zero Day Initiative. :gl:`#2354`
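Review bot: The :cve: role introduced on the "+ :cve:`2020-8625`" line is not defined anywhere in this diff, which is limited to doc/notes. Please confirm that the same merge carries the Sphinx configuration that registers the role; without it, every converted line in these release notes would produce an unknown-role error instead of a CVE link. A documentation build with warnings treated as errors would catch this.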
diff --git a/doc/notes/notes-9.16.15.rst b/doc/notes/notes-9.16.15.rst
index 0cc0f49..a4b71c3 100644
--- a/doc/notes/notes-9.16.15.rst
+++ b/doc/notes/notes-9.16.15.rst
@@ -16,14 +16,14 @@ Security Fixes
~~~~~~~~~~~~~~
- A malformed incoming IXFR transfer could trigger an assertion failure
- in ``named``, causing it to quit abnormally. (CVE-2021-25214)
+ in ``named``, causing it to quit abnormally. :cve:`2021-25214`
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. :gl:`#2467`
- ``named`` crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
- query. (CVE-2021-25215)
+ query. :cve:`2021-25215`
ISC would like to thank `Siva Kakarla`_ for bringing this
vulnerability to our attention. :gl:`#2540`
@@ -37,7 +37,7 @@ Security Fixes
GSSAPI authentication). This flaw could be exploited to crash
``named`` binaries compiled for 64-bit platforms, and could enable
remote code execution when ``named`` was compiled for 32-bit
- platforms. (CVE-2021-25216)
+ platforms. :cve:`2021-25216`
This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
Zero Day Initiative. :gl:`#2604`
diff --git a/doc/notes/notes-9.16.20.rst b/doc/notes/notes-9.16.20.rst
index b1ae9b2..1682f4b 100644
--- a/doc/notes/notes-9.16.20.rst
+++ b/doc/notes/notes-9.16.20.rst
@@ -17,7 +17,7 @@ Security Fixes
- Fixed an assertion failure that occurred in ``named`` when it
attempted to send a UDP packet that exceeded the MTU size, if
- Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
+ Response Rate Limiting (RRL) was enabled. :cve:`2021-25218` :gl:`#2856`
- ``named`` failed to check the opcode of responses when performing zone
refreshes, stub zone updates, and UPDATE forwarding. This could lead
diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst
index 3403ee6..5356099 100644
--- a/doc/notes/notes-9.16.22.rst
+++ b/doc/notes/notes-9.16.22.rst
@@ -26,7 +26,7 @@ Security Fixes
that has a negligible impact on resolver performance while also
preventing abuse. Administrators may observe more traffic towards
servers issuing certain types of broken responses than in previous
- BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
+ BIND 9 releases, depending on client query patterns. :cve:`2021-25219`
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. :gl:`#2899`
diff --git a/doc/notes/notes-9.16.27.rst b/doc/notes/notes-9.16.27.rst
index 842a1c4..a319f52 100644
--- a/doc/notes/notes-9.16.27.rst
+++ b/doc/notes/notes-9.16.27.rst
@@ -17,7 +17,7 @@ Security Fixes
- The rules for acceptance of records into the cache have been tightened
to prevent the possibility of poisoning if forwarders send records
- outside the configured bailiwick. (CVE-2021-25220)
+ outside the configured bailiwick. :cve:`2021-25220`
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
@@ -26,7 +26,7 @@ Security Fixes
- TCP connections with ``keep-response-order`` enabled could leave the
TCP sockets in the ``CLOSE_WAIT`` state when the client did not
- properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+ properly shut down the connection. :cve:`2022-0396` :gl:`#3112`
Feature Changes
~~~~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst
index 773bfd8..c987921 100644
--- a/doc/notes/notes-9.16.3.rst
+++ b/doc/notes/notes-9.16.3.rst
@@ -20,11 +20,11 @@ Security Fixes
request before aborting recursion has been further limited. Root and
top-level domain servers are no longer exempt from the
``max-recursion-queries`` limit. Fetches for missing name server
- address records are limited to 4 for any domain. This issue was
- disclosed in CVE-2020-8616. :gl:`#1388`
+ address records are limited to 4 for any domain. :cve:`2020-8616`
+ :gl:`#1388`
- Replaying a TSIG BADTIME response as a request could trigger an
- assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
+ assertion failure. :cve:`2020-8617` :gl:`#1703`
Known Issues
~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.33.rst b/doc/notes/notes-9.16.33.rst
index 876aab8..6e152b5 100644
--- a/doc/notes/notes-9.16.33.rst
+++ b/doc/notes/notes-9.16.33.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of :iscman:`named` running as a
- recursive resolver. This has been fixed. (CVE-2022-2795)
+ recursive resolver. This has been fixed. :cve:`2022-2795`
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
@@ -27,14 +27,14 @@ Security Fixes
- :iscman:`named` running as a resolver with the
``stale-answer-client-timeout`` option set to ``0`` could crash with
an assertion failure, when there was a stale CNAME in the cache for
- the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517`
+ the incoming query. This has been fixed. :cve:`2022-3080` :gl:`#3517`
- A memory leak was fixed that could be externally triggered in the
- DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177)
+ DNSSEC verification code for the ECDSA algorithm. :cve:`2022-38177`
:gl:`#3487`
- Memory leaks were fixed that could be externally triggered in the
- DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
:gl:`#3487`
Feature Changes
diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst
index 9b0393c..4d24781 100644
--- a/doc/notes/notes-9.16.37.rst
+++ b/doc/notes/notes-9.16.37.rst
@@ -19,14 +19,14 @@ Security Fixes
available memory. This flaw was addressed by adding a new
``update-quota`` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
- queue at any given time (default: 100). (CVE-2022-3094)
+ queue at any given time (default: 100). :cve:`2022-3094`
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. :gl:`#3523`
- :iscman:`named` could crash with an assertion failure when an RRSIG
query was received and ``stale-answer-client-timeout`` was set to a
- non-zero value. This has been fixed. (CVE-2022-3736)
+ non-zero value. This has been fixed. :cve:`2022-3736`
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
@@ -36,7 +36,7 @@ Security Fixes
``stale-answer-client-timeout`` option set to any value greater than
``0`` could crash with an assertion failure, when the
``recursive-clients`` soft quota was reached. This has been fixed.
- (CVE-2022-3924)
+ :cve:`2022-3924`
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. :gl:`#3619`
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst
index 6dd03f6..eb8c200 100644
--- a/doc/notes/notes-9.16.4.rst
+++ b/doc/notes/notes-9.16.4.rst
@@ -16,12 +16,11 @@ Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion when attempting to fill an
- oversized TCP buffer. This was disclosed in CVE-2020-8618.
- :gl:`#1850`
+ oversized TCP buffer. :cve:`2020-8618` :gl:`#1850`
- It was possible to trigger an INSIST failure when a zone with an
- interior wildcard label was queried in a certain pattern. This was
- disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
+ interior wildcard label was queried in a certain pattern.
+ :cve:`2020-8619` :gl:`#1111` :gl:`#1718`
New Features
~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.42.rst b/doc/notes/notes-9.16.42.rst
index 85b0ede..423ddfa 100644
--- a/doc/notes/notes-9.16.42.rst
+++ b/doc/notes/notes-9.16.42.rst
@@ -17,7 +17,7 @@ Security Fixes
- The overmem cleaning process has been improved, to prevent the cache
from significantly exceeding the configured ``max-cache-size`` limit.
- (CVE-2023-2828)
+ :cve:`2023-2828`
ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
@@ -28,7 +28,7 @@ Security Fixes
refresh the stale data in cache. If the fetch is aborted for exceeding
the recursion quota, it was possible for :iscman:`named` to enter an
infinite callback loop and crash due to stack overflow. This has been
- fixed. (CVE-2023-2911) :gl:`#4089`
+ fixed. :cve:`2023-2911` :gl:`#4089`
Bug Fixes
~~~~~~~~~
diff --git a/doc/notes/notes-9.16.44.rst b/doc/notes/notes-9.16.44.rst
index 81c157a..b43db5a 100644
--- a/doc/notes/notes-9.16.44.rst
+++ b/doc/notes/notes-9.16.44.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing :iscman:`named` to terminate unexpectedly.
- This has been fixed. (CVE-2023-3341)
+ This has been fixed. :cve:`2023-3341`
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. :gl:`#4152`
diff --git a/doc/notes/notes-9.16.45.rst b/doc/notes/notes-9.16.45.rst
new file mode 100644
index 0000000..4f83e56
--- /dev/null
+++ b/doc/notes/notes-9.16.45.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.45
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The IP addresses for B.ROOT-SERVERS.NET have been updated to
+ 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
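Review bot: The B.ROOT-SERVERS.NET entry gives only the new addresses, 170.247.170.2 and 2801:1b8:10::b, and does not tell an operator whether any action is needed. Suggest adding a sentence stating whether the change covers only the root hints shipped with BIND, so that sites maintaining their own hints file or address-based filtering for root servers know to update them.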
diff --git a/doc/notes/notes-9.16.46.rst b/doc/notes/notes-9.16.46.rst
new file mode 100644
index 0000000..b0af65a
--- /dev/null
+++ b/doc/notes/notes-9.16.46.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.46
+----------------------
+
+.. note::
+
+ The BIND 9.16.46 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
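Review bot: The withdrawal note does not identify which security fix regressed; "a regression in a security fix in it" leaves the reader unable to tell which fix was affected. Suggest naming the fix or giving its :cve: reference, and rewording along the lines of "was withdrawn after pre-release testing found a regression in one of its security fixes".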
diff --git a/doc/notes/notes-9.16.47.rst b/doc/notes/notes-9.16.47.rst
new file mode 100644
index 0000000..bf39c3d
--- /dev/null
+++ b/doc/notes/notes-9.16.47.rst
@@ -0,0 +1,20 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.47
+----------------------
+
+.. note::
+
+ The BIND 9.16.47 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Vinzenz Vogel and Daniel
+ Stirnimann of SWITCH.
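Review bot: This file ends at the withdrawal note, with no pointer to the release that supersedes it and no Known Issues section, unlike notes-9.16.45.rst earlier in this change. Suggest a closing sentence directing readers to the 9.16.48 notes added in the same change, so that anyone landing on the 9.16.47 page knows which release to deploy.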
diff --git a/doc/notes/notes-9.16.48.rst b/doc/notes/notes-9.16.48.rst
new file mode 100644
index 0000000..917e551
--- /dev/null
+++ b/doc/notes/notes-9.16.48.rst
@@ -0,0 +1,69 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.48
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Validating DNS messages containing a lot of DNSSEC signatures could
+ cause excessive CPU load, leading to a denial-of-service condition.
+ This has been fixed. :cve:`2023-50387`
+
+ ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
+ and Michael Waidner from the German National Research Center for
+ Applied Cybersecurity ATHENE for bringing this vulnerability to our
+ attention. :gl:`#4424`
+
+- Preparing an NSEC3 closest encloser proof could cause excessive CPU
+ load, leading to a denial-of-service condition. This has been fixed.
+ :cve:`2023-50868` :gl:`#4459`
+
+- Parsing DNS messages with many different names could cause excessive
+ CPU load. This has been fixed. :cve:`2023-4408`
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4234`
+
+- Specific queries could cause :iscman:`named` to crash with an
+ assertion failure when ``nxdomain-redirect`` was enabled. This has
+ been fixed. :cve:`2023-5517` :gl:`#4281`
+
+- A bad interaction between DNS64 and serve-stale could cause
+ :iscman:`named` to crash with an assertion failure, when both of these
+ features were enabled. This has been fixed. :cve:`2023-5679`
+ :gl:`#4334`
+
+- Query patterns that continuously triggered cache database maintenance
+ could cause an excessive amount of memory to be allocated, exceeding
+ ``max-cache-size`` and potentially leading to all available memory on
+ the host running :iscman:`named` being exhausted. This has been fixed.
+ :cve:`2023-6516`
+
+ ISC would like to thank Infoblox for bringing this vulnerability to
+ our attention. :gl:`#4383`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
+ aes;``) has been deprecated and will be removed in a future release.
+ Please use the current default, SipHash-2-4, instead. :gl:`#4421`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
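Review bot: The cookie-algorithm entry sits under "Removed Features", but its text says AES "has been deprecated and will be removed in a future release", so nothing is removed in 9.16.48. Suggest a heading that matches the text, or a sentence making clear that "cookie-algorithm aes;" still works in this release, so operators do not read it as a breaking change. Separately, all six Security Fixes entries end with "This has been fixed" and do not say whether a new limit or option was introduced; where a fix changes resolver behaviour, state it, as the 9.16.37 note does for update-quota.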
diff --git a/doc/notes/notes-9.16.6.rst b/doc/notes/notes-9.16.6.rst
index 1357f1d..75cee14 100644
--- a/doc/notes/notes-9.16.6.rst
+++ b/doc/notes/notes-9.16.6.rst
@@ -16,7 +16,7 @@ Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion failure by sending a specially
- crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
+ crafted large TCP DNS message. :cve:`2020-8620`
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
bringing this vulnerability to our attention. :gl:`#1996`
@@ -25,14 +25,13 @@ Security Fixes
query resolution scenarios where QNAME minimization and forwarding
were both enabled. To prevent such crashes, QNAME minimization is now
always disabled for a given query resolution process, if forwarders
- are used at any point. This was disclosed in CVE-2020-8621.
+ are used at any point. :cve:`2020-8621`
ISC would like to thank Joseph Gullo for bringing this vulnerability
to our attention. :gl:`#1997`
- It was possible to trigger an assertion failure when verifying the
- response to a TSIG-signed request. This was disclosed in
- CVE-2020-8622.
+ response to a TSIG-signed request. :cve:`2020-8622`
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
of Oracle for bringing this vulnerability to our attention.
@@ -40,8 +39,8 @@ Security Fixes
- When BIND 9 was compiled with native PKCS#11 support, it was possible
to trigger an assertion failure in code determining the number of bits
- in the PKCS#11 RSA public key with a specially crafted packet. This
- was disclosed in CVE-2020-8623.
+ in the PKCS#11 RSA public key with a specially crafted packet.
+ :cve:`2020-8623`
ISC would like to thank Lyu Chiy for bringing this vulnerability to
our attention. :gl:`#2037`
@@ -50,7 +49,7 @@ Security Fixes
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
to update names outside of the specified subdomains. The problem was
fixed by making sure ``subdomain`` rules are again processed as
- described in the ARM. This was disclosed in CVE-2020-8624.
+ described in the ARM. :cve:`2020-8624`
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
vulnerability to our attention. :gl:`#2055`