- bind
-
- Update named.root to latest version
- Update to release 9.18.33
Security Fixes:
* DNS-over-HTTPS flooding fixes.
Fix DNS-over-HTTPS implementation issues that arise under heavy
query load. Optimize resource usage for named instances that
accept queries over DNS-over-HTTPS.
Previously, named processed all incoming HTTP/2 data at once,
which could overwhelm the server, especially when dealing with
clients that sent requests but did not wait for responses. That
has been fixed. Now, named handles HTTP/2 data in smaller
chunks and throttles reading until the remote side reads the
response data. It also throttles clients that send too many
requests at once.
In addition, named now evaluates excessive streams opened by
clients that include no DNS data, which is considered
“flooding.” It logs these clients and drops connections from
them.
In some cases, named could leave DNS-over-HTTPS connections in
the CLOSE_WAIT state indefinitely. That has also been fixed.
(CVE-2024-12705)
[bsc#1236597]
* Limit additional section processing for large RDATA sets.
When answering queries, don’t add data to the additional
section if the answer has more than 13 names in the RDATA. This
limits the number of lookups into the database(s) during a
single client query, reducing the query-processing load.
(CVE-2024-11187)
[bsc#1236596]
New Features:
* Add a new option to configure the maximum number of outgoing
queries per client request.
* The configuration option max-query-count sets how many outgoing
queries per client request are allowed. The existing
max-recursion-queries value is the number of permissible
queries for a single name and is reset on every CNAME
redirection. This new option is a global limit on the client
request. The default is 200.
* The default for max-recursion-queries is changed from 32 to 50.
This allows named to send a few more queries while looking up a
single name.
* Print the full path of the working directory in startup log
messages.
named now prints its initial working directory during startup,
and the changed working directory when loading or reloading its
configuration file, if it has a valid directory option defined.
* Added WALLET type.
Add the new record type WALLET (262). This provides a mapping
from a domain name to a cryptographic currency wallet. Multiple
mappings can exist if multiple records exist.
* Update built-in bind.keys file with the new 2025 IANA root key.
* Add an initial-ds entry to bind.keys for the new root key, ID
38696, which is scheduled for publication in January 2025.
Feature Changes:
* Tighten max-recursion-queries and add max-query-restarts
configuration statement.
There were cases when the max-recursion-queries quota was
ineffective. It was possible to craft zones that would cause a
resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by
correcting errors in the implementation of
max-recursion-queries and by reducing the default value from
100 to 32.
In addition, a new max-query-restarts configuration statement
has been added, which limits the number of times a recursive
server will follow CNAME or DNAME records before terminating
resolution. This was previously a hard-coded limit of 16 but is
now configurable with a default value of 11.
* Raise the log level of priming failures.
When a priming query is complete, it was previously logged at
level DEBUG(1), regardless of success or failure. It is now
logged to NOTICE in the case of failure.
* Add a compatibility shim for older libuv versions (< 1.19.0)
The function uv_stream_get_write_queue_size() is supported only
in relatively new versions of libuv (1.19.0 or higher). Provide
a compatibility shim for this function so BIND 9 can be built
in environments with older libuv versions.
* Improve performance for queries that require an NSEC3 wildcard
proof.
Rather than starting from the longest matching part of the
requested name, look up the shortest partial match. Most of the
time this will be the actual closest encloser.
* Follow the number of CPUs set by taskset/cpuset.
Administrators may wish to constrain the set of cores that
named runs on via the taskset, cpuset, or numactl programs (or
equivalents on other OSes).
If the admin has used taskset, named now automatically uses the
given number of CPUs rather than the system-wide count.
* Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
This change allows fallback from an IXFR failure to AXFR when
the reason is DNS_R_TOOMANYRECORDS.
* Emit more helpful log messages for exceeding
max-records-per-type.
* The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log
includes the owner name and type, corresponding zone name, and
the limit value. It will be emitted on loading a zone file,
inbound zone transfer (both AXFR and IXFR), handling a DDNS
update, or updating a cache DB. It’s especially helpful in the
case of zone transfer, since the secondary side doesn’t have
direct access to the offending zone data.
* It could also be used for max-types-per-name, but this change
doesn’t implement it yet as it’s much less likely to happen in
practice.
* Harden key management when key files have become unavailable.
* Prior to doing key management, BIND 9 will check if the key
files on disk match the expected keys. If key files for
previously observed keys have become unavailable, this will
prevent the internal key manager from running.
Removed Features:
* Move contributed DLZ modules into a separate repository. DLZ
modules should not be used except in testing. The DLZ modules
were not maintained, the DLZ interface itself is going to be
scheduled for removal, and the DLZ interface is blocking. Any
module that blocks the query to the database blocks the whole
server. The DLZ modules now live in the
https://gitlab.isc.org/isc-projects/dlz-modules repository.
Bug Fixes:
For a complete list of bug fixes, see:
* Bind Release Notes
https://bind9.readthedocs.io/en/v9.18.33/notes.html
* The changelog in the doc rpm at
/usr/share/doc/packages/bind/arm/html/changelog.html
- curl
-
- Security fix: [bsc#1236590, CVE-2025-0725]
* content_encoding: drop support for zlib before 1.2.0.4
* content_encoding: put the decomp buffers into the writer structs
* Add curl-CVE-2025-0725.patch
- Security fix: [bsc#1236588, CVE-2025-0167]
* netrc: 'default' with no credentials is not a match
* Add curl-CVE-2025-0167.patch
- libxml2
-
- security update
- added patches
fix CVE-2022-49043 [bsc#1236460], use-after-free in xmlXIncludeAddNode
+ libxml2-CVE-2022-49043.patch
- libzypp
-
- Create '.keep_packages' in the package cache dir to enforce
keeping downloaded packages of all repos cached there (bsc#1232458)
- version 17.35.19 (35)
- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
(bsc#1216091)
- version 17.35.17 (35)
- permissions
-
- Update to version 20240826:
* permissions: remove legacy and nonsensical entries
* permissions: remove traceroute entry
* permissions: remove outdated sudo directories
* permissions: remove legacy RPM directory entries
* permissions: remove some static /var/spool/* dirs
* permissions: remove unnecessary static dirs and devices (bsc#1235873)
- _service: switch to "manual"
- python-instance-billing-flavor-check
-
- Version 0.1.1 (bsc#1235991, bsc#1235992)
+ Add time stamp to log
- From version 0.1.0
+ Doc improvements clarifying exit status codes
- supportutils-plugin-ha-sap
-
- Update to version 0.0.7+git.1737125956.a7079fc:
* Call saphana-check.sh if the script is available in
/usr/lib/saphana-checks (SUSE package) or in
/opt/sap/saphana-checks (SAP package)
(jsc#PED-11748, jsc#PED-11747)
* To support 'trento checks' on supportutils content, collect
additional information:
/usr/sap/hostctrl/exe/saphostctrl -function Ping
corosync-cmapctl -b
su - <SIDADM> -c disp+work
su - <SIDADM> -c 'sapcontrol -nr <NR> -function GetVersionInfo'
ls -lA --time-style=long-iso /etc/polkit-1/rules.d/[0-9][0-9]-SAP[A-Z][A-Z0-9][A-Z0-9]-[0-9][0-9].rules
content of files in /etc/products.d/
(jsc#PED-12000, jsc#PED-12001)
* collect Netweaver version by
'sapcontrol -nr <NR> -function GetVersionInfo'
* collect 'operation_mode' setting by
'python getParameter.py --key=global.ini/system_replication/operation_mode --sapcontrol=1'
* some shellcheck cleanup
* adaptation to the newly used supportconfig.rc
- change requirements:
remove the long-deprecated supportconfig-plugin-resource and
supportconfig-plugin-tag and add 'Requires: supportutils' instead
(bsc#1235145)
- yast2-iscsi-client
-
- Try to load the iscsi_ibft module on the ARM architecture, as it
should be available for getting the iBFT configuration (bsc#1233802).
- 4.6.6
- zypper
-
- lr: show the repositories' keep-packages flag (bsc#1232458)
It is shown in the details view or by using -k,--keep-packages.
In addition, libzypp supports enforcing the keeping of downloaded
packages of all repos within a package cache by creating a
'.keep_packages' file there.
- version 1.14.81
- Try to refresh update repos first to have updated GPG keys on
the fly (bsc#1234752)
An update repo may contain a GPG key for the GA repo with
prolonged validity. Refreshing the update repo first updates the
trusted key on the fly and avoids a 'key has expired' warning
being issued when refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception
reporting as non-root (bsc#1235636)
- version 1.14.80