- bind
-
- Update named.root to latest version
- Update to release 9.18.33
Security Fixes:
* DNS-over-HTTPS flooding fixes.
Fix DNS-over-HTTPS implementation issues that arise under heavy
query load. Optimize resource usage for named instances that
accept queries over DNS-over-HTTPS.
Previously, named processed all incoming HTTP/2 data at once,
which could overwhelm the server, especially when dealing with
clients that sent requests but did not wait for responses. That
has been fixed. Now, named handles HTTP/2 data in smaller
chunks and throttles reading until the remote side reads the
response data. It also throttles clients that send too many
requests at once.
In addition, named now evaluates excessive streams opened by
clients that include no DNS data, which is considered
“flooding.” It logs these clients and drops connections from
them.
In some cases, named could leave DNS-over-HTTPS connections in
the CLOSE_WAIT state indefinitely. That has also been fixed.
(CVE-2024-12705)
[bsc#1236597]
* Limit additional section processing for large RDATA sets.
When answering queries, don’t add data to the additional
section if the answer has more than 13 names in the RDATA. This
limits the number of lookups into the database(s) during a
single client query, reducing the query-processing load.
(CVE-2024-11187)
[bsc#1236596]
New Features:
* Add a new option to configure the maximum number of outgoing
queries per client request.
* The configuration option max-query-count sets how many outgoing
queries per client request are allowed. The existing
max-recursion-queries value is the number of permissible
queries for a single name and is reset on every CNAME
redirection. This new option is a global limit on the client
request. The default is 200.
* The default for max-recursion-queries is changed from 32 to 50.
This allows named to send a few more queries while looking up a
single name.
* Print the full path of the working directory in startup log
messages.
named now prints its initial working directory during startup,
and the changed working directory when loading or reloading its
configuration file, if it has a valid directory option defined.
* Added WALLET type.
Add the new record type WALLET (262). This provides a mapping
from a domain name to a cryptographic currency wallet. Multiple
mappings can exist if multiple records exist.
* Update built-in bind.keys file with the new 2025 IANA root key.
* Add an initial-ds entry to bind.keys for the new root key, ID
38696, which is scheduled for publication in January 2025.
Feature Changes:
* Tighten max-recursion-queries and add max-query-restarts
configuration statement.
There were cases when the max-recursion-queries quota was
ineffective. It was possible to craft zones that would cause a
resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by
correcting errors in the implementation of
max-recursion-queries and by reducing the default value from
100 to 32.
In addition, a new max-query-restarts configuration statement
has been added, which limits the number of times a recursive
server will follow CNAME or DNAME records before terminating
resolution. This was previously a hard-coded limit of 16 but is
now configurable with a default value of 11.
* Raise the log level of priming failures.
When a priming query is complete, it was previously logged at
level DEBUG(1), regardless of success or failure. It is now
logged to NOTICE in the case of failure.
* Add a compatibility shim for older libuv versions (< 1.19.0)
The function uv_stream_get_write_queue_size() is supported only
in relatively new versions of libuv (1.19.0 or higher). Provide
a compatibility shim for this function so BIND 9 can be built
in environments with older libuv versions.
* Improve performance for queries that require an NSEC3 wildcard
proof.
Rather than starting from the longest matching part of the
requested name, look up the shortest partial match. Most of the
time this will be the actual closest encloser.
* Follow the number of CPUs set by taskset/cpuset.
Administrators may wish to constrain the set of cores that
named runs on via the taskset, cpuset, or numactl programs (or
equivalents on other OSes).
If the admin has used taskset, named now automatically uses the
given number of CPUs rather than the system-wide count.
* Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
This change allows fallback from an IXFR failure to AXFR when
the reason is DNS_R_TOOMANYRECORDS.
* Emit more helpful log messages for exceeding
max-records-per-type.
* The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log
includes the owner name and type, corresponding zone name, and
the limit value. It will be emitted on loading a zone file,
inbound zone transfer (both AXFR and IXFR), handling a DDNS
update, or updating a cache DB. It’s especially helpful in the
case of zone transfer, since the secondary side doesn’t have
direct access to the offending zone data.
* It could also be used for max-types-per-name, but this change
doesn’t implement it yet as it’s much less likely to happen in
practice.
* Harden key management when key files have become unavailable.
* Prior to doing key management, BIND 9 will check if the key
files on disk match the expected keys. If key files for
previously observed keys have become unavailable, this will
prevent the internal key manager from running.
Removed Features:
* Move contributed DLZ modules into a separate repository. DLZ
modules should not be used except in testing. The DLZ modules
were not maintained, the DLZ interface itself is going to be
scheduled for removal, and the DLZ interface is blocking. Any
module that blocks the query to the database blocks the whole
server. The DLZ modules now live in the
https://gitlab.isc.org/isc-projects/dlz-modules repository.
Bug Fixes:
For a complete list of bug fixes, see:
* Bind Release Notes
https://bind9.readthedocs.io/en/v9.18.33/notes.html
* The changelog in the doc rpm at
/usr/share/doc/packages/bind/arm/html/changelog.html
- crypto-policies
-
- krb5: disallow aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
Kerberos encryption types from RFC 3961 in FIPS mode, as their key
derivation function is not certified; (jsc#PED-12018);
- Update AD-SUPPORT and add AD-SUPPORT-LEGACY subpolicies; (jsc#PED-12018);
The AD-SUPPORT subpolicy will enable the aes256-cts-hmac-sha1-96
and aes128-cts-hmac-sha1-96 encryption types necessary for AD.
The Kerberos libraries will tell the OpenSSL provider to bypass FIPS
restrictions when loading the KRB5KDF module.
The AD-SUPPORT-LEGACY subpolicy will allow the use of RC4 encryption
types in environments where either accounts or trusted domain objects
have not yet been migrated to AES.
- Add patch 0008-policies-modules-update-AD-SUPPORT-add-AD-SUP.patch
- google-guest-configs
-
- Add ggc-no-dup-metasrv-entry.patch
+ Follow up to (bsc#1234289, bsc#1234293). Avoid duplicate entries for
the metadata server in /etc/hosts
- Update to version 20241205.00 (bsc#1234254, bsc#1234255)
* Update google_set_multiqueue to configure
vCPU ranges based on VM platform (#90)
- from version 20241204.00
* Restore google_set_multiqueue changes for A3Ultra (#93)
* Depend on networkd-dispatcher in Ubuntu (#94)
- Include components to set hostname and /etc/hosts entries (bsc#1234289, bsc#1234293)
* Add sysconfig and sysconfig-network to BuildRequires
* Install google_set_hostname into %{_bindir}
* Install google_up.sh into %{_sysconfdir}/sysconfig/network/scripts/
* Add code to add and remove POST_UP_SCRIPT="compat:suse:google_up.sh"
to /etc/sysconfig/network/ifcfg-eth0 in %post and %postun sections
- google-osconfig-agent
-
- Update to version 20250115.01 (bsc#1236406, bsc#1236407)
* Bump cloud.google.com/go/osconfig from 1.14.2 to 1.14.3 (#772)
- from version 20250115.00
* Bump cloud.google.com/go/auth from 0.10.2 to 0.14.0 (#767)
* Bump go.opentelemetry.io/otel from 1.32.0 to 1.33.0 (#771)
* Bump google.golang.org/protobuf from 1.35.1 to 1.36.2 (#763)
- from version 20250114.00
* Bump golang.org/x/time from 0.8.0 to 0.9.0 (#770)
- from version 20250113.01
* Bump cloud.google.com/go/auth/oauth2adapt from 0.2.5 to 0.2.7 (#766)
- from version 20250113.00
* Bump golang.org/x/net from 0.31.0 to 0.34.0 (#769)
- from version 20250110.00
* Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in the go_modules group (#760)
* Bump cloud.google.com/go/longrunning from 0.6.2 to 0.6.3 (#744)
- from version 20241218.00
* Scanners fixes (#720)
* Bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 (#736)
* Bump go.opentelemetry.io/contrib/detectors/gcp from 1.29.0 to 1.32.0 (#730)
* Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#738)
* Bump golang.org/x/net from 0.30.0 to 0.31.0 (#731)
- from version 20241118.01
* Bump github.com/googleapis/gax-go/v2 from 2.13.0 to 2.14.0 (#737)
- from version 20241118.00
* move example to appropriate directory (#740)
- from version 20241115.00
* Replace sles-15-sp3-sap old deprecated image in e2e tests (#739)
* Bump golang.org/x/time from 0.7.0 to 0.8.0 (#734)
- from version 20241114.03
* Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp (#735)
- from version 20241114.02
* Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#729)
- from version 20241114.01
* Remove SLES-15-SP2-SAP from e2e tests and add the new SLES-15-SP6 (#733)
* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#728)
* Bump go.opentelemetry.io/otel/sdk/metric from 1.30.0 to 1.32.0 (#727)
- from version 20241114.00
* Add example to run exec script from the gcs bucket (#732)
* Bump cel.dev/expr from 0.16.1 to 0.18.0 (#723)
- from version 20241112.00
* Bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 (#722)
* Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric (#721)
* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#725)
* Bump github.com/golang/glog from 1.2.2 to 1.2.3 (#715)
* Bump google.golang.org/api from 0.203.0 to 0.205.0 (#716)
- from version 20241107.01
* Bump github.com/envoyproxy/go-control-plane from 0.13.0 to 0.13.1 (#717)
* Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping (#718)
* Bump cloud.google.com/go/auth from 0.10.0 to 0.10.1 (#719)
- from version 20241107.00
* Bump cloud.google.com/go/logging from 1.11.0 to 1.12.0 (#709)
* Bump cloud.google.com/go/iam from 1.2.1 to 1.2.2 (#710)
* Bump cloud.google.com/go/storage from 1.43.0 to 1.46.0 (#713)
* Bump cloud.google.com/go/osconfig from 1.14.1 to 1.14.2 (#708)
* Bump cloud.google.com/go/auth/oauth2adapt from 0.2.4 to 0.2.5 (#712)
- from version 20241106.00
* Update OWNERS (#714)
- from version 20241029.01
* remove toolchain override (#706)
* Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#701)
- from version 20241029.00
* Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#702)
- from version 20241028.00
* Bump cloud.google.com/go/longrunning from 0.6.0 to 0.6.2 (#705)
- from version 20241017.00
* Add a new CloudBuild trigger config-file for auto updating the
presubmit test container image on every new commit (#704)
- from version 20241004.00
* Add new packagebuild presubmit that will use cloud-build (#694)
- from version 20240927.00
* Third batch of dependencies upgrade (#690)
- Bump the golang compiler version to 1.22.4 (bsc#1225974, CVE-2024-24790)
- krb5
-
- Prevent overflow when calculating ulog block size. An authenticated
attacker can cause kadmind to write beyond the end of the mapped
region for the iprop log file, likely causing a process crash;
(CVE-2025-24528); (bsc#1236619).
- Add patch 0013-Prevent-overflow-when-calculating-ulog-block-size.patch
- Add crypto-policies support; (jsc#PED-12018)
* The default krb5.conf has been updated to include config
snippets from the krb5.conf.d directory, where crypto-policies
drops its snippets.
- Allow to use KRB5KDF in FIPS mode; (jsc#PED-12018); Add patch
0012-Allow-KRB5KDF-in-FIPS-mode.patch
* This key derivation function is used by the AES256-CTS-HMAC-SHA1-96
and AES128-CTS-HMAC-SHA1-96 encryption types, which Active
Directory uses. Whether these encryption types are allowed in
FIPS mode is now enforced by the FIPS:AD-SUPPORT subpolicy.
- curl
-
- Security fix: [bsc#1236590, CVE-2025-0725]
* content_encoding: drop support for zlib before 1.2.0.4
* content_encoding: put the decomp buffers into the writer structs
* Add curl-CVE-2025-0725.patch
- Security fix: [bsc#1236588, CVE-2025-0167]
* netrc: 'default' with no credentials is not a match
* Add curl-CVE-2025-0167.patch
- openssl-3
-
- Security fix: [bsc#1236136, CVE-2024-13176]
* Fix timing side-channel in ECDSA signature computation
* Add openssl-CVE-2024-13176.patch
- libxml2
-
- security update
- added patches
fix CVE-2022-49043 [bsc#1236460], use-after-free in xmlXIncludeAddNode
+ libxml2-CVE-2022-49043.patch
- libzypp
-
- Create '.keep_packages' in the package cache dir to enforce
keeping downloaded packages of all repos cached there (bsc#1232458)
- version 17.35.19 (35)
- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
(bsc#1216091)
- version 17.35.17 (35)
- permissions
-
- Update to version 20240826:
* permissions: remove legacy and nonsensical entries
* permissions: remove traceroute entry
* permissions: remove outdated sudo directories
* permissions: remove legacy RPM directory entries
* permissions: remove some static /var/spool/* dirs
* permissions: remove unnecessary static dirs and devices (bsc#1235873)
- _service: switch to "manual"
- python-instance-billing-flavor-check
-
- Version 0.1.2 (bsc#1234444)
+ Improve detection of IPv4 and IPv6 network setup and use the appropriate
IP version for accessing the update servers
+ Improve reliability of flavor detection. Try an update server multiple
times to get an answer; if we hit timeouts, return the flavor value
from a cache file.
- Version 0.1.1 (bsc#1235991, bsc#1235992)
+ Add time stamp to log
- From version 0.1.0
+ Doc improvements clarifying exit status codes
- wget
-
- If wget for an http URL is redirected to a different site (hostname
parts of URLs differ), then any "Authenticate" and "Cookie" header
entries are discarded.
[bsc#1185551, wget-do-not-propagate-credentials.patch,
bsc#1230795, CVE-2021-31879]
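The redirect rule described above, as an added example that is not wget's code: credential-bearing request headers are forwarded only while the hostname stays the same. The changelog names the "Authenticate" header; on the request side the credential-bearing field is Authorization, which is what this example strips. Header values are constructed.

```python
from urllib.parse import urlsplit

# Request headers that carry credentials and must not follow a redirect to
# another host (CVE-2021-31879 class of leak). Assumed set for this example.
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie"})


def same_host(url_a: str, url_b: str) -> bool:
    """True when both URLs name the same host. Hostnames are case-insensitive;
    scheme, port and path do not matter for this check."""
    host_a = (urlsplit(url_a).hostname or "").lower()
    host_b = (urlsplit(url_b).hostname or "").lower()
    return host_a == host_b


def headers_for_redirect(original_url: str, redirect_url: str, headers: dict) -> dict:
    """Return the headers to send on the redirected request.

    Same host: everything is kept. Different host: credential-bearing
    entries are dropped and all other headers are forwarded unchanged.
    """
    if same_host(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


# Constructed sample request headers, not a real capture.
SAMPLE_HEADERS = {
    "Authorization": "Basic dXNlcjpwYXNz",  # base64 of "user:pass", constructed
    "Cookie": "session=constructed-value",
    "User-Agent": "example-client/1.0",
}

if __name__ == "__main__":
    kept = headers_for_redirect("http://origin.example/a",
                                "http://ORIGIN.example/b", SAMPLE_HEADERS)
    stripped = headers_for_redirect("http://origin.example/a",
                                    "http://other.example/b", SAMPLE_HEADERS)
    print("same host  :", sorted(kept))
    print("cross host :", sorted(stripped))
```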
- zypper
-
n/a