-rw-r--r--debian/changelog17
-rw-r--r--debian/patches/0002-Add-support-for-reporting-status-via-sd_notify.patch18
2 files changed, 26 insertions, 9 deletions
diff --git a/debian/changelog b/debian/changelog
index 108b0ba..9afab47 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+bind9 (1:9.18.24-1) bookworm-security; urgency=high
+
+ * New upstream version 9.18.24
+ - CVE-2023-4408: Parsing large DNS messages may cause excessive CPU
+ load
+ - CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion
+ failure when "nxdomain-redirect" is enabled
+ - CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an
+ assertion failure during recursive resolution
+ - CVE-2023-6516: Specific recursive query patterns may lead to an
+ out-of-memory condition
+ - CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
+ - CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust
+ CPU resources
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 12 Feb 2024 17:28:03 +0100
+
bind9 (1:9.18.19-1~deb12u1) bookworm-security; urgency=high
* New upstream version 9.18.19
diff --git a/debian/patches/0002-Add-support-for-reporting-status-via-sd_notify.patch b/debian/patches/0002-Add-support-for-reporting-status-via-sd_notify.patch
index dec22c7..bcc4f83 100644
--- a/debian/patches/0002-Add-support-for-reporting-status-via-sd_notify.patch
+++ b/debian/patches/0002-Add-support-for-reporting-status-via-sd_notify.patch
@@ -39,7 +39,7 @@ index 57a023b..38045f0 100644
+ $(LIBXML2_LIBS)
+endif HAVE_LIBXML2
diff --git a/bin/named/server.c b/bin/named/server.c
-index 2f21fc5..6930d98 100644
+index bfe6df3..8e37c65 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -26,6 +26,10 @@
@@ -69,7 +69,7 @@ index 2f21fc5..6930d98 100644
/*%
* Maximum ADB size for views that share a cache. Use this limit to suppress
-@@ -9929,6 +9934,15 @@ view_loaded(void *arg) {
+@@ -9923,6 +9928,15 @@ view_loaded(void *arg) {
"FIPS mode is %s",
FIPS_mode() ? "enabled" : "disabled");
#endif /* ifdef HAVE_FIPS_MODE */
@@ -85,7 +85,7 @@ index 2f21fc5..6930d98 100644
atomic_store(&server->reload_status, NAMED_RELOAD_DONE);
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-@@ -10108,6 +10122,10 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
+@@ -10102,6 +10116,10 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
UNUSED(task);
INSIST(task == server->task);
@@ -96,7 +96,7 @@ index 2f21fc5..6930d98 100644
/*
* We need to shutdown the interface before going
* exclusive (which would pause the netmgr).
-@@ -10528,6 +10546,10 @@ reload(named_server_t *server) {
+@@ -10522,6 +10540,10 @@ reload(named_server_t *server) {
isc_result_t result;
atomic_store(&server->reload_status, NAMED_RELOAD_IN_PROGRESS);
@@ -107,7 +107,7 @@ index 2f21fc5..6930d98 100644
CHECK(loadconfig(server));
-@@ -10544,6 +10566,12 @@ reload(named_server_t *server) {
+@@ -10538,6 +10560,12 @@ reload(named_server_t *server) {
atomic_store(&server->reload_status, NAMED_RELOAD_FAILED);
}
cleanup:
@@ -120,7 +120,7 @@ index 2f21fc5..6930d98 100644
return (result);
}
-@@ -10903,6 +10931,10 @@ isc_result_t
+@@ -10897,6 +10925,10 @@ isc_result_t
named_server_reconfigcommand(named_server_t *server) {
isc_result_t result;
atomic_store(&server->reload_status, NAMED_RELOAD_IN_PROGRESS);
@@ -131,7 +131,7 @@ index 2f21fc5..6930d98 100644
CHECK(loadconfig(server));
-@@ -10919,6 +10951,12 @@ named_server_reconfigcommand(named_server_t *server) {
+@@ -10913,6 +10945,12 @@ named_server_reconfigcommand(named_server_t *server) {
atomic_store(&server->reload_status, NAMED_RELOAD_FAILED);
}
cleanup:
@@ -145,10 +145,10 @@ index 2f21fc5..6930d98 100644
}
diff --git a/configure.ac b/configure.ac
-index dc61f79..c3cd5d9 100644
+index 8aa7a90..8d1f0d3 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -872,6 +872,26 @@ AS_CASE([$with_zlib],
+@@ -849,6 +849,26 @@ AS_CASE([$with_zlib],
AC_SUBST([ZLIB_CFLAGS])
AC_SUBST([ZLIB_LIBS])