Today's bind release announcement lists 3 vulnerabilities that list the 9.16.x versions in portage as vulnerable, while the other vulnerability in this announcement wasn't assessed against <9.18.1. Here's their release announcement with links to details.

BIND users-

Our July 2024 maintenance release of BIND 9.18, as well as the new 9.20.0 stable branch, are available and can be downloaded from the ISC software download page, https://www.isc.org/download.

In addition to bug fixes and feature improvements, these releases also contain fixes for security vulnerabilities (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076), about which more information is provided in the following Security Advisories:

https://kb.isc.org/docs/cve-2024-0760
https://kb.isc.org/docs/cve-2024-1737
https://kb.isc.org/docs/cve-2024-1975
https://kb.isc.org/docs/cve-2024-4076

A summary of significant changes in the new releases can be found in their release notes:

- Current supported stable branches:
  9.18.28 - https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/notes.html
  9.20.0 - https://downloads.isc.org/isc/bind9/9.20.0/doc/arm/html/notes.html

We also have a nice blog post from Ondřej Surý on the 9.20.0 release, including performance testing results (https://www.isc.org/blogs/2024-bind920/).

---

Please Note: To create an effective mitigation for CVE-2024-1737 we have introduced two new configurable limits that prevent the loading (into zones or into cache) of DNS resource records (RRs) that exceed them. We therefore recommend reading this KB article, https://kb.isc.org/docs/rrset-limits-in-zones, in case you need to change the defaults to suit your specific operational environment.

We recommend that users planning to upgrade from the EOL 9.16 branch read the following document first: https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918
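The "Please Note" above says the CVE-2024-1737 mitigation is a pair of configurable RRset limits. As an added example (not from this bug report, the ISC announcement, or the Gentoo ebuilds), here is a small audit that scans a named.conf for those options and flags scopes where a limit has been disabled; the option names max-records-per-type and max-types-per-name and the default of 100 are assumed from the BIND 9.18.28 ARM rather than from this page, and the sample config is constructed.

```python
"""Audit a named.conf for the CVE-2024-1737 RRset limits (added example).

Option names max-records-per-type / max-types-per-name and the default of
100 are assumed from the BIND 9.18.28 ARM, not from this bug. A value of 0
disables the limit. This is a regex scan, not a full named.conf parser.
"""
import re

LIMIT_OPTIONS = ("max-records-per-type", "max-types-per-name")
UPSTREAM_DEFAULT = 100  # assumed ARM default when the option is not set

# Constructed sample: the global options tighten one limit, a view disables
# the other, and max-types-per-name is never set at the global level.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/bind";
    max-records-per-type 50;   // tightened below the default
};
view "internal" {
    max-types-per-name 0;      // 0 = unlimited, the weak setting
    zone "example.test" { type primary; file "pri/example.test"; };
};
"""

_OPTION_RE = re.compile(
    r"\b(?P<name>max-records-per-type|max-types-per-name)\s+(?P<value>\d+)\s*;"
)


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so commented-out values are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def audit_rrset_limits(conf: str) -> dict:
    """Per option: explicit values, whether any scope disables it, default use."""
    found = {name: [] for name in LIMIT_OPTIONS}
    for m in _OPTION_RE.finditer(strip_comments(conf)):
        found[m.group("name")].append(int(m.group("value")))
    return {
        name: {
            "values": values,
            "unlimited": 0 in values,    # some scope sets 0: no cap on that RRset
            "uses_default": not values,  # never set: UPSTREAM_DEFAULT applies
        }
        for name, values in found.items()
    }
```

Run it over a real named.conf (including any files pulled in via include) to see which scopes, if any, have turned the limits off.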
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fee87f6a429d64ad7cdd55348802cd8662dc9c9c

commit fee87f6a429d64ad7cdd55348802cd8662dc9c9c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-31 05:55:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:17 +0000

    profiles: mask new Bind

    Please unmask and test. If you have any issues, please file a new bug.

    The mask will be lifted by 2024-09-02. Test it before then please!

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eeefb354f217b318b31ef252c71d6cea749c0101

commit eeefb354f217b318b31ef252c71d6cea749c0101
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-16 00:32:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:17 +0000

    profiles/arch/loong: mask bind[dnstap]

    dev-libs/fstrm not keyworded here

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/loong/package.use.mask | 4 ++++
 1 file changed, 4 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=754524d4345dd41ff9e31cba85afb4f104a9815a

commit 754524d4345dd41ff9e31cba85afb4f104a9815a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 23:44:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:16 +0000

    net-dns/bind-tools: add 9.18.0

    This is just a proxy for net-dns/bind. Splitting the ebuilds is *way* too
    fragile and gains nothing because the same software gets built again anyway,
    just thrown away at the end.

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind-tools/bind-tools-9.18.0.ebuild | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e50ac466402806e78c10a98b626bd737e0edbe49

commit e50ac466402806e78c10a98b626bd737e0edbe49
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-31 06:56:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:16 +0000

    net-dns/bind: restore some old files to /var/bind

    We need to keep named.cache, root.cache, and localhost.zone because we
    installed these for years *and* configs referencing them. Dropping them
    suddenly means they disappear yet the configs still refer to them. It's
    unnecessary disruption which we should handle at another time.

    (No CONFIG_PROTECT applies there.)

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/bind-9.18.29.ebuild | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ec2125d3019ec659f58f471f8f3b075a1e0bb86

commit 7ec2125d3019ec659f58f471f8f3b075a1e0bb86
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-17 04:27:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:15 +0000

    net-dns/bind: add 9.18.29, drop 9.18.0

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/Manifest                           |  2 +-
 .../{bind-9.18.0.ebuild => bind-9.18.29.ebuild} | 63 ++++++++++------------
 2 files changed, 30 insertions(+), 35 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=654c7d2780ac64a43e9ee0c04e0964a110755f5a

commit 654c7d2780ac64a43e9ee0c04e0964a110755f5a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-16 18:54:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:14 +0000

    net-dns/bind: restore USE=jemalloc

    We can't force jemalloc because bind-tools (which this now blocks, and
    installs the same tools as, and we may end up just using net-dns/bind for
    all of it) needs to be usable in as many places as possible and jemalloc
    isn't ported to all arches.

    We can therefore restore ~sparc.

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/bind-9.18.0.ebuild | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de3f4c4ededefda3220a8dd4c7a8622567ed2584

commit de3f4c4ededefda3220a8dd4c7a8622567ed2584
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-16 18:50:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:14 +0000

    net-dns/bind: use standard USE=test

    USE=test-extra means we lose some of the niceties of emerge ... --with-test-deps
    and such.

    In order to avoid circular dependencies, use the normal pattern of:
    - emerge -v1o --with-test-deps net-dns/bind
    - FEATURES=test emerge -v1 net-dns/bind

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/bind-9.18.0.ebuild | 7 ++++---
 net-dns/bind/metadata.xml       | 1 -
 2 files changed, 4 insertions(+), 4 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20c274b220ba9be18fa465ff03cd9e7b95b1591b

commit 20c274b220ba9be18fa465ff03cd9e7b95b1591b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-16 18:35:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:13 +0000

    net-dns/bind: restore chroot support

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Bug: https://github.com/gentoo/gentoo/pull/24001
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/bind-9.18.0.ebuild   |  89 +++++++++++++++++++-
 net-dns/bind/files/named.confd-r8 |  19 +++++
 net-dns/bind/files/named.init-r15 | 170 ++++++++++++++++++++++++++++++++++++--
 3 files changed, 268 insertions(+), 10 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39301e95ce662ec2f7feda5aafc9adc32a04901d

commit 39301e95ce662ec2f7feda5aafc9adc32a04901d
Author:     Eray Aslan <eraya@a21an.org>
AuthorDate: 2022-01-29 17:01:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:13 +0000

    net-dns/bind: whitespace

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/24001
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/files/named.conf-r9 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=261167b216cb2970b23e16aee3d0a76476d1adca

commit 261167b216cb2970b23e16aee3d0a76476d1adca
Author:     Eray Aslan <eraya@a21an.org>
AuthorDate: 2022-01-29 16:58:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:12 +0000

    net-dns/bind: add dot and doh examples to config file

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/files/named.conf-r9 | 42 ++++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 15 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0795ed82642d14ebb9e975db7bfd98fbca25c770

commit 0795ed82642d14ebb9e975db7bfd98fbca25c770
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2022-01-28 14:53:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:10:11 +0000

    net-dns/bind: bump to 9.18.0

    - punted CHROOT stuff to simplify the ebuild and scripts
    - bind-tools binaries (dig, delv etc) are not stand alone binaries anymore
      but link to bind libraries, i.e. net-dns/bind and net-dns/bind-tools by
      necessity produce the same libraries resulting in file collisions. soft
      blocked each other for now
    - net-dns/bind now produces everything, including binaries produced by
      net-dns/bind-tools
    - old style dlz drivers have been removed upstream. prefer dumping from
      datastore (database, ldap etc) to a file on a regular basis/on demand
      instead anyway
    - licensing: bind is mozilla-2.0
    - dev-libs/jemalloc is the preferred allocator for bind-9.18. made it
      obligatory and dropped sparc keyword
    - json and zlib USE flags dropped and made obligatory. zlib is more or less
      necessary because of doh stuff. json requirement is a small library. xml
      is still behind a USE flag as it has the potential to bring in big
      libraries (icu etc)
    - python is optional and only used for testing
    - upstream dropped berkdb support
    - unified geoip and geoip2 USE flags
    - build system now uses a more traditional autotools stack. punted old
      stuff from the ebuild
    - do not install a zone file for loopback addresses. they are already
      built in
    - no need for named.cache as well
    - install named.conf.auth as a sample config file for authoritative named
      server. recursive servers do not need one to function
    - openrc init script and confd revised, mostly because of punting chroot

    Bug: https://bugs.gentoo.org/832218
    Bug: https://bugs.gentoo.org/930348
    Bug: https://bugs.gentoo.org/936568
    Bug: https://bugs.gentoo.org/937907
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/Manifest             |   1 +
 net-dns/bind/bind-9.18.0.ebuild   | 151 ++++++++++++++++++++++++++++++++++++++
 net-dns/bind/files/named.conf-r9  |  21 ++++++
 net-dns/bind/files/named.confd-r8 |  18 +++++
 net-dns/bind/files/named.init-r15 |  99 +++++++++++++++++++++++++
 net-dns/bind/metadata.xml         |   2 +
 6 files changed, 292 insertions(+)