On Thu, Mar 10, 2022 at 8:32 AM Ralph Siemsen <[email protected]> wrote:
>
> Security Fixes
>
> The lame-ttl option controls how long named caches certain types of
> broken responses from authoritative servers (see the security advisory
> for details). This caching mechanism could be abused by an attacker to
> significantly degrade resolver performance. The vulnerability has been
> mitigated by changing the default value of lame-ttl to 0 and overriding
> any explicitly set value with 0, effectively disabling this mechanism
> altogether. ISC's testing has determined that doing that has a
> negligible impact on resolver performance while also preventing abuse.
> Administrators may observe more traffic towards servers issuing certain
> types of broken responses than in previous BIND 9 releases, depending on
> client query patterns. (CVE-2021-25219)
>
> ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
> bringing this vulnerability to our attention. [GL #2899]
>
> Signed-off-by: Ralph Siemsen <[email protected]>

This passed a-full on the autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3347

So I'll be including this in my final pull request for the 3.1.15 release.

Steve


> ---
>  .../bind/{bind_9.11.35.bb => bind_9.11.36.bb}                   | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-connectivity/bind/{bind_9.11.35.bb => bind_9.11.36.bb} 
> (98%)
>
> diff --git a/meta/recipes-connectivity/bind/bind_9.11.35.bb 
> b/meta/recipes-connectivity/bind/bind_9.11.36.bb
> similarity index 98%
> rename from meta/recipes-connectivity/bind/bind_9.11.35.bb
> rename to meta/recipes-connectivity/bind/bind_9.11.36.bb
> index 4652529623..872baf6d2f 100644
> --- a/meta/recipes-connectivity/bind/bind_9.11.35.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.11.36.bb
> @@ -21,7 +21,7 @@ SRC_URI = 
> "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
>             file://0001-avoid-start-failure-with-bind-user.patch \
>             "
>
> -SRC_URI[sha256sum] = 
> "1c882705827b6aafa45d917ae3b20eccccc8d5df3c4477df44b04382e6c47562"
> +SRC_URI[sha256sum] = 
> "c953fcb6703b395aaa53e65ff8b2869b69a5303dd60507cba2201305e1811681"
>
>  UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/";
>  # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
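
Review bot: The replaced SRC_URI[sha256sum] value is the only integrity pin for the 9.11.36 tarball, and neither the hunk nor the commit message says how the new digest was obtained. Please confirm it against the release signature ISC publishes for the tarball, not just the hash of whatever the fetcher downloaded, and note that in the commit message. The body would also be easier to triage if it stated the upgrade itself (9.11.35 to 9.11.36) before the quoted release notes, since CVE-2021-25219 currently appears only at the end of the quoted paragraph, and if it called out that 9.11.36 overrides any explicitly set lame-ttl with 0, which is a behaviour change for existing configurations.
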
> --
> 2.25.1
>
>
> 
>