Bug 2216463

Notes for BIND 9.19.14
Security Fixes

-    The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828)

    ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4055]

New Features

-    The read timeout in rndc can now be specified on the command line using the -t option, allowing commands that take a long time to complete sufficient time to do so. [GL #4046]

-    Support for multi-signer model 2 (RFC 8901) when using inline-signing was added. [GL #2710]

-    A new option to dnssec-policy has been added, cdnskey, that allows users to enable or disable the publication of CDNSKEY records. [GL #4050]

-    The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution). [GL #3978]

Removed Features

-    Special-case code that was originally added to allow GSS-TSIG to work around bugs in the Windows 2000 version of Active Directory has now been removed, since Windows 2000 is long past end-of-life. The -o option and the oldgsstsig command to nsupdate have been deprecated, and are now treated as synonyms for -g and gsstsig respectively. [GL #4012]

Feature Changes

-    If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option. [GL #4049]

-    The responsiveness of named was improved, when serving as an authoritative DNS server for a delegation-heavy zone(s) shortly after loading such zone(s). [GL #4045]

Bug Fixes

-    When the stale-answer-enable option was enabled and the stale-answer-client-timeout option was enabled and larger than 0, named previously allocated two slots from the clients-per-query limit for each client and failed to gradually auto-tune its value, as configured. This has been fixed. [GL #4074]

-    Previously, it was possible for a delegation from cache to be returned to the client after the stale-answer-client-timeout duration. This has been fixed. [GL #3950]

-    BIND could allocate too big buffers when sending data via stream-based DNS transports, leading to increased memory usage. This has been fixed. [GL #4038]

Strange, there were failures at unit tests both in f37 and f38, but f39 passed fine.

There seems to be some issue with unit test shutdown.

...
[ RUN      ] udp_recv_two
(urcu-call-rcu-impl.h:call_rcu_data_init@453) Unrecoverable error: Resource temporarily unavailable
../../tests/unit-test-driver.sh: line 36: 42268 Aborted                 (core dumped) "${TEST_PROGRAM}"
FAIL udp_test (exit status: 134)
FAIL: doh_test
...
[       OK ] doh_recv_two_POST
[ RUN      ] doh_recv_two_GET
(urcu-call-rcu-impl.h:call_rcu_data_init@453) Unrecoverable error: Resource temporarily unavailable
../../tests/unit-test-driver.sh: line 36: 42925 Aborted                 (core dumped) "${TEST_PROGRAM}"
FAIL doh_test (exit status: 134)

...
[       OK ] udp_recv_one
[ RUN      ] udp_recv_two
(urcu-call-rcu-impl.h:call_rcu_data_init@453) Unrecoverable error: Resource temporarily unavailable
../../tests/unit-test-driver.sh: line 36: 42268 Aborted                 (core dumped) "${TEST_PROGRAM}"
FAIL udp_test (exit status: 134)
FAIL: doh_test

Failing on i686:
- https://koji.fedoraproject.org/koji/taskinfo?taskID=102605731 [f38]
- https://koji.fedoraproject.org/koji/taskinfo?taskID=102605785 [f37]

Other platforms passed just fine.

But rawhide passed:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-c755d4f1f1

Releases retrieved: 9.19.15
Upstream release that is considered latest: 9.19.15
Current version/release in rawhide: 9.19.14-1.fc39
URL: https://www.isc.org/bind/

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from Anitya: https://release-monitoring.org/project/323379/


To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/bind9-next

FEDORA-2023-f97b7e76ed has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f97b7e76ed

FEDORA-2023-f97b7e76ed has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.