On Wed, Aug 2, 2023 at 4:24 PM Yi Zhao <[email protected]> wrote:
>
>
> Hi Steve,
>
>
> On 6/27/23 14:32, Siddharth wrote:
> > From: Siddharth Doshi <[email protected]>
> >
> > - Remove configure options no longer supported online.
> >
> > Changelog:
> > =========
> > [security]    A query that prioritizes stale data over lookup
> >               triggers a fetch to refresh the stale data in cache.
> >               If the fetch is aborted for exceeding the recursion
> >               quota, it was possible for 'named' to enter an infinite
> >               callback loop and crash due to stack overflow. This has
> >               been fixed. (CVE-2023-2911) [GL #4089]
> >
> > [security]    Improve the overmem cleaning process to prevent the
> >               cache going over the configured limit. (CVE-2023-2828)
> >               [GL #4055]
>
>
> There are some CVE fixes in this minor update. Is there any plan to
> backport it to mickledore?

I saw a couple of commits with function changes in this update, so I
didn't take it.

If you feel that these aren't an issue please send a mickledore patch
to the list for review, preferably with a comment on why the function
changes aren't an issue.

Steve

> > [performance] Reduce memory consumption by allocating properly
> >               sized send buffers for stream-based transports.
> >               [GL #4038]
> >
> > [bug]         Fix a 'clients-per-query' miscalculation bug. When the
> >               'stale-answer-enable' option was enabled and the
> >               'stale-answer-client-timeout' option was enabled and
> >               larger than 0, named was taking two places from the
> >               'clients-per-query' limit for each client and was
> >               failing to gradually auto-tune its value, as configured.
> >               [GL #4074]
> >
> > [func]        Add "ClientQuota" statistics channel counter, which
> >               indicates the number of the resolver's spilled queries
> >               due to reaching the clients per query quota. [GL !7978]
> >
> > [bug]         Fix a serve-stale bug where a delegation from cache
> >               could be returned to the client. [GL #3950]
> >
> > [cleanup]     Remove configure checks for epoll, kqueue and
> >               /dev/poll. [GL #4098]
> >
> > [func]        The "tkey-dhkey" option has been deprecated; a
> >               warning will be logged when it is used. In a future
> >               release, Diffie-Hellman TKEY mode will be removed.
> >               [GL #3905]
> >
> > [bug]         The session key object could be incorrectly added
> >               to multiple different views' keyrings. [GL #4079]
> >
> > [bug]         Fix an interfacemgr use-after-free error in
> >               zoneconf.c:isself(). [GL #3765]
> >
> > [test]        Add support for using pytest & pytest-xdist to
> >               execute the system test suite. [GL #3978]
> >
> > [bug]         BIND could get stuck on reconfiguration when a
> >               'listen' statement for HTTP is removed from the
> >               configuration. That has been fixed. [GL #4071]
> >
> > [bug]         Properly process extra "nameserver" lines in
> >               resolv.conf otherwise the next line is not properly
> >               processed. [GL #4066]
> >
> > [bug]         named could crash when deleting inline-signing zones
> >               with "rndc delzone". [GL #4054]
> >
> > [bug]         Fix a logic error in dighost.c which could call the
> >               dighost_shutdown() callback twice and cause problems
> >               if the callback function was not idempotent. [GL #4039]
> >
> > Signed-off-by: Siddharth Doshi <[email protected]>
> > ---
> >   .../0001-avoid-start-failure-with-bind-user.patch             | 0
> >   ...0001-named-lwresd-V-and-start-log-hide-build-options.patch | 0
> >   ...bind-ensure-searching-for-json-headers-searches-sysr.patch | 0
> >   .../bind/{bind-9.18.15 => bind-9.18.16}/bind9                 | 0
> >   .../bind/{bind-9.18.15 => bind-9.18.16}/conf.patch            | 0
> >   .../bind/{bind-9.18.15 => bind-9.18.16}/generate-rndc-key.sh  | 0
> >   .../init.d-add-support-for-read-only-rootfs.patch             | 0
> >   .../make-etc-initd-bind-stop-work.patch                       | 0
> >   .../bind/{bind-9.18.15 => bind-9.18.16}/named.service         | 0
> >   .../bind/{bind_9.18.15.bb => bind_9.18.16.bb}                 | 4 ++--
> >   10 files changed, 2 insertions(+), 2 deletions(-)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/0001-avoid-start-failure-with-bind-user.patch (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/0001-named-lwresd-V-and-start-log-hide-build-options.patch 
> > (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/bind-ensure-searching-for-json-headers-searches-sysr.patch 
> > (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/bind9 (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/conf.patch (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/generate-rndc-key.sh (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/init.d-add-support-for-read-only-rootfs.patch (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/make-etc-initd-bind-stop-work.patch (100%)
> >   rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
> > bind-9.18.16}/named.service (100%)
> >   rename meta/recipes-connectivity/bind/{bind_9.18.15.bb => 
> > bind_9.18.16.bb} (96%)
> >
> > diff --git 
> > a/meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
> >  
> > b/meta/recipes-connectivity/bind/bind-9.18.16/0001-avoid-start-failure-with-bind-user.patch
> > similarity index 100%
> > rename from 
> > meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
> > rename to 
> > meta/recipes-connectivity/bind/bind-9.18.16/0001-avoid-start-failure-with-bind-user.patch
> > diff --git 
> > a/meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
> >  
> > b/meta/recipes-connectivity/bind/bind-9.18.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
> > similarity index 100%
> > rename from 
> > meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
> > rename to 
> > meta/recipes-connectivity/bind/bind-9.18.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
> > diff --git 
> > a/meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
> >  
> > b/meta/recipes-connectivity/bind/bind-9.18.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
> > similarity index 100%
> > rename from 
> > meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
> > rename to 
> > meta/recipes-connectivity/bind/bind-9.18.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
> > diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/bind9 
> > b/meta/recipes-connectivity/bind/bind-9.18.16/bind9
> > similarity index 100%
> > rename from meta/recipes-connectivity/bind/bind-9.18.15/bind9
> > rename to meta/recipes-connectivity/bind/bind-9.18.16/bind9
> > diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/conf.patch 
> > b/meta/recipes-connectivity/bind/bind-9.18.16/conf.patch
> > similarity index 100%
> > rename from meta/recipes-connectivity/bind/bind-9.18.15/conf.patch
> > rename to meta/recipes-connectivity/bind/bind-9.18.16/conf.patch
> > diff --git 
> > a/meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh 
> > b/meta/recipes-connectivity/bind/bind-9.18.16/generate-rndc-key.sh
> > similarity index 100%
> > rename from meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh
> > rename to meta/recipes-connectivity/bind/bind-9.18.16/generate-rndc-key.sh
> > diff --git 
> > a/meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
> >  
> > b/meta/recipes-connectivity/bind/bind-9.18.16/init.d-add-support-for-read-only-rootfs.patch
> > similarity index 100%
> > rename from 
> > meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
> > rename to 
> > meta/recipes-connectivity/bind/bind-9.18.16/init.d-add-support-for-read-only-rootfs.patch
> > diff --git 
> > a/meta/recipes-connectivity/bind/bind-9.18.15/make-etc-initd-bind-stop-work.patch
> >  
> > b/meta/recipes-connectivity/bind/bind-9.18.16/make-etc-initd-bind-stop-work.patch
> > similarity index 100%
> > rename from 
> > meta/recipes-connectivity/bind/bind-9.18.15/make-etc-initd-bind-stop-work.patch
> > rename to 
> > meta/recipes-connectivity/bind/bind-9.18.16/make-etc-initd-bind-stop-work.patch
> > diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/named.service 
> > b/meta/recipes-connectivity/bind/bind-9.18.16/named.service
> > similarity index 100%
> > rename from meta/recipes-connectivity/bind/bind-9.18.15/named.service
> > rename to meta/recipes-connectivity/bind/bind-9.18.16/named.service
> > diff --git a/meta/recipes-connectivity/bind/bind_9.18.15.bb 
> > b/meta/recipes-connectivity/bind/bind_9.18.16.bb
> > similarity index 96%
> > rename from meta/recipes-connectivity/bind/bind_9.18.15.bb
> > rename to meta/recipes-connectivity/bind/bind_9.18.16.bb
> > index 80164aad87..1b1649566a 100644
> > --- a/meta/recipes-connectivity/bind/bind_9.18.15.bb
> > +++ b/meta/recipes-connectivity/bind/bind_9.18.16.bb
> > @@ -20,7 +20,7 @@ SRC_URI = 
> > "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
> >              file://0001-avoid-start-failure-with-bind-user.patch \
> >              "
> >
> > -SRC_URI[sha256sum] = 
> > "28ae8db14862801bc2bd4fd820db00667d3f1ff9ae9cc2d06a0ef7810fed7a4e"
> > +SRC_URI[sha256sum] = 
> > "c88234fe07ee75c3c8a9e59152fee64b714643de8e22cf98da3db4d0b57e0775"
> >
> >   UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/";
> >   # follow the ESV versions divisible by 2
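Review bot: the new SRC_URI[sha256sum] value is the only thing pinning the 9.18.16 tarball, and neither this hunk nor the commit message says how it was obtained. Since the recipe fetches the tarball from ftp.isc.org, state in the commit message that the value was checked against the upstream release (for example its published signature) rather than computed from whatever the fetch returned, so a reviewer can repeat the check.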
> > @@ -39,7 +39,7 @@ PACKAGECONFIG[readline] = 
> > "--with-readline=readline,,readline"
> >   PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
> >   PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
> >
> > -EXTRA_OECONF = " --disable-devpoll --disable-auto-validation 
> > --enable-epoll \
> > +EXTRA_OECONF = " --disable-auto-validation \
> >                    --with-gssapi=no --with-lmdb=no --with-zlib \
> >                    --sysconfdir=${sysconfdir}/bind \
> >                    --with-openssl=${STAGING_DIR_HOST}${prefix} \
> >
> > 
> >
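Review bot: the EXTRA_OECONF line drops `--disable-devpoll` and `--enable-epoll`, but the commit message explains this only as "Remove configure options no longer supported online", which names neither the options nor the reason. The changelog quoted in the same message has the reason, "[cleanup] Remove configure checks for epoll, kqueue and /dev/poll. [GL #4098]"; reference that entry in the summary line. This is also a recipe change beyond the version and checksum bump, so it is worth calling out for anyone backporting the update to another branch.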