2216463 – bind9-next-9.19.15 is available

Bug 2216463 - bind9-next-9.19.15 is available

Summary: bind9-next-9.19.15 is available

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	bind9-next
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Petr Menšík
QA Contact:
Docs Contact:
URL:	https://downloads.isc.org/isc/bind9/9...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-21 13:57 UTC by Upstream Release Monitoring
Modified:	2023-07-20 08:30 UTC (History)
CC List:	3 users (show)
Fixed In Version:	bind9-next-9.19.14-1.fc39 bind9-next-9.19.15-1.fc39
Doc Type:	Rebase: Bug Fixes and Enhancements
Doc Text:	Security fix: - The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828) New feature: - Support for multi-signer model 2 (RFC 8901) - New timeout support for in rndc: -t parameter - New cdnskey option in dnssec-policy, can enable publishing or not of CDNSKEY records.
Clone Of:
Environment:
Last Closed:	2023-07-20 08:30:55 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Internet Systems Consortium (ISC)	isc-projects bind9 issues 2710	None	closed	Allow for arbitrary DNSKEY/CDS/CDNSKEY records to be published	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 3950	None	closed	Unexpected NODATA answers instead of successful response or SERVFAIL with serve-stale answers enabled and serve-stale-cl...	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 3978	None	closed	Support using pytest to execute the system tests	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 4012	None	closed	remove win2k GSS-TSIG hacks	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 4038	None	None	None	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 4045	None	closed	glue-cache scales very poorly on multi-CPU systems	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 4046	None	closed	[ISC-support #22037] rndc times out in 30 seconds when using BIND 9.18.11	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 4049	None	closed	Detect FORMERR with an echoed DNS COOKIE client cookie and retry without DNS COOKIE	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 4050	None	closed	Add option to not generate CDNSKEY record	2023-06-26 10:35:35 UTC
Internet Systems Consortium (ISC)	isc-projects bind9 issues 4074	None	closed	Problem with stale-answer-enable true and clients-per-query increased	2023-06-26 10:35:35 UTC

Description Upstream Release Monitoring 2023-06-21 13:57:23 UTC

Releases retrieved: 9.19.14
Upstream release that is considered latest: 9.19.14
Current version/release in rawhide: 9.19.13-1.fc39
URL: https://www.isc.org/bind/

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from Anitya: https://release-monitoring.org/project/323379/


To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/bind9-next

Comment 1 Petr Menšík 2023-06-26 10:35:35 UTC

Notes for BIND 9.19.14
Security Fixes

- The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828)

ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4055]

New Features

- The read timeout in rndc can now be specified on the command line using the -t option, allowing commands that take a long time to complete sufficient time to do so. [GL #4046]

- Support for multi-signer model 2 (RFC 8901) when using inline-signing was added. [GL #2710]

- A new option to dnssec-policy has been added, cdnskey, that allows users to enable or disable the publication of CDNSKEY records. [GL #4050]

- The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution). [GL #3978]

Removed Features

- Special-case code that was originally added to allow GSS-TSIG to work around bugs in the Windows 2000 version of Active Directory has now been removed, since Windows 2000 is long past end-of-life. The -o option and the oldgsstsig command to nsupdate have been deprecated, and are now treated as synonyms for -g and gsstsig respectively. [GL #4012]

Feature Changes

- If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option. [GL #4049]

- The responsiveness of named was improved, when serving as an authoritative DNS server for a delegation-heavy zone(s) shortly after loading such zone(s). [GL #4045]

Bug Fixes

- When the stale-answer-enable option was enabled and the stale-answer-client-timeout option was enabled and larger than 0, named previously allocated two slots from the clients-per-query limit for each client and failed to gradually auto-tune its value, as configured. This has been fixed. [GL #4074]

- Previously, it was possible for a delegation from cache to be returned to the client after the stale-answer-client-timeout duration. This has been fixed. [GL #3950]

- BIND could allocate too big buffers when sending data via stream-based DNS transports, leading to increased memory usage. This has been fixed. [GL #4038]

Comment 2 Petr Menšík 2023-06-26 11:25:03 UTC

Strange, there were failures at unit tests both in f37 and f38, but f39 passed fine.

There seems to be some issue with unit test shutdown.

...
[ RUN      ] udp_recv_two
(urcu-call-rcu-impl.h:call_rcu_data_init@453) Unrecoverable error: Resource temporarily unavailable
../../tests/unit-test-driver.sh: line 36: 42268 Aborted                 (core dumped) "${TEST_PROGRAM}"
FAIL udp_test (exit status: 134)
FAIL: doh_test
...
[       OK ] doh_recv_two_POST
[ RUN      ] doh_recv_two_GET
(urcu-call-rcu-impl.h:call_rcu_data_init@453) Unrecoverable error: Resource temporarily unavailable
../../tests/unit-test-driver.sh: line 36: 42925 Aborted                 (core dumped) "${TEST_PROGRAM}"
FAIL doh_test (exit status: 134)

...
[       OK ] udp_recv_one
[ RUN      ] udp_recv_two
(urcu-call-rcu-impl.h:call_rcu_data_init@453) Unrecoverable error: Resource temporarily unavailable
../../tests/unit-test-driver.sh: line 36: 42268 Aborted                 (core dumped) "${TEST_PROGRAM}"
FAIL udp_test (exit status: 134)
FAIL: doh_test

Failing on i686:
- https://koji.fedoraproject.org/koji/taskinfo?taskID=102605731 [f38]
- https://koji.fedoraproject.org/koji/taskinfo?taskID=102605785 [f37]

Other platforms passed just fine.

Comment 3 Petr Menšík 2023-06-26 11:31:21 UTC

But rawhide passed:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-c755d4f1f1

Comment 4 Upstream Release Monitoring 2023-07-19 09:11:58 UTC

Releases retrieved: 9.19.15
Upstream release that is considered latest: 9.19.15
Current version/release in rawhide: 9.19.14-1.fc39
URL: https://www.isc.org/bind/

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from Anitya: https://release-monitoring.org/project/323379/


To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/bind9-next

Comment 5 Fedora Update System 2023-07-20 08:28:56 UTC

FEDORA-2023-f97b7e76ed has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f97b7e76ed

Comment 6 Fedora Update System 2023-07-20 08:30:55 UTC

FEDORA-2023-f97b7e76ed has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.