[Buildroot] [PATCH v2, 1/1] package/bind: security bump to version 9.16.44

[Buildroot] [PATCH v2, 1/1] package/bind: security bump to version 9.16.44

[Fabrice Fontaine]

Fix CVE-2023-3341: The code that processes control channel messages sent
to `named` calls certain functions recursively during packet parsing.
Recursion depth is only limited by the maximum accepted packet size;
depending on the environment, this may cause the packet-parsing code to
run out of available stack memory, causing `named` to terminate
unexpectedly. Since each incoming control channel message is fully
parsed before its contents are authenticated, exploiting this flaw does
not require the attacker to hold a valid RNDC key; only network access
to the control channel's configured TCP port is necessary. This issue
affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18,
9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1
through 9.18.18-S1.

https://ftp.isc.org/isc/bind9/9.16.44/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2:
 - fix tarball hash

 package/bind/bind.hash | 4 ++--
 package/bind/bind.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/bind/bind.hash b/package/bind/bind.hash
index a8c15f2a12..d500b61128 100644
--- a/package/bind/bind.hash
+++ b/package/bind/bind.hash
@@ -1,4 +1,4 @@
-# Verified from https://ftp.isc.org/isc/bind9/9.16.42/bind-9.16.42.tar.xz.asc
+# Verified from https://ftp.isc.org/isc/bind9/9.16.44/bind-9.16.44.tar.xz.asc
 # with key AADBBA5074F1402F7B69D56BC5B4EE931A9F9DFD
-sha256  a8b51c6bfdf3ab6885102f764c2418e037897b7ea46a09f8f07876fa11a6c0b3  bind-9.16.42.tar.xz
+sha256  cfaa953c36d5ca42d9584fcf9653d07c85527b59687e7c4d4cb8071272db6754  bind-9.16.44.tar.xz
 sha256  13491a682dc0f5ee2273cebd3949e2be62f9470fe659419a03a308d4f444773b  COPYRIGHT
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 618b5b9278..03ffcbec42 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.16.42
+BIND_VERSION = 9.16.44
 BIND_SOURCE= bind-$(BIND_VERSION).tar.xz
 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 # bind does not support parallel builds.
-- 
2.40.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2, 1/1] package/bind: security bump to version 9.16.44

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-3341: The code that processes control channel messages sent
 > to `named` calls certain functions recursively during packet parsing.
 > Recursion depth is only limited by the maximum accepted packet size;
 > depending on the environment, this may cause the packet-parsing code to
 > run out of available stack memory, causing `named` to terminate
 > unexpectedly. Since each incoming control channel message is fully
 > parsed before its contents are authenticated, exploiting this flaw does
 > not require the attacker to hold a valid RNDC key; only network access
 > to the control channel's configured TCP port is necessary. This issue
 > affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18,
 > 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1
 > through 9.18.18-S1.

 > https://ftp.isc.org/isc/bind9/9.16.44/CHANGES

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > ---
 > Changes v1 -> v2:
 >  - fix tarball hash

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2, 1/1] package/bind: security bump to version 9.16.44

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-3341: The code that processes control channel messages sent
 > to `named` calls certain functions recursively during packet parsing.
 > Recursion depth is only limited by the maximum accepted packet size;
 > depending on the environment, this may cause the packet-parsing code to
 > run out of available stack memory, causing `named` to terminate
 > unexpectedly. Since each incoming control channel message is fully
 > parsed before its contents are authenticated, exploiting this flaw does
 > not require the attacker to hold a valid RNDC key; only network access
 > to the control channel's configured TCP port is necessary. This issue
 > affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18,
 > 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1
 > through 9.18.18-S1.

 > https://ftp.isc.org/isc/bind9/9.16.44/CHANGES

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > ---
 > Changes v1 -> v2:
 >  - fix tarball hash

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot