[kirkstone,2/3] bind: update to 9.18.19

From: Lee Chee Yang <chee.yang.lee@intel.com>

Notes for BIND 9.18.19
Security Fixes
Previously, sending a specially crafted message over the control channel
could cause the packet-parsing code to run out of available stack
memory, causing named to terminate unexpectedly. This has been fixed.
(CVE-2023-3341)

ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing
this vulnerability to our attention. [GL #4152]

A flaw in the networking code handling DNS-over-TLS queries could cause
named to terminate unexpectedly due to an assertion failure under
significant DNS-over-TLS query load. This has been fixed.
(CVE-2023-4236)

ISC would like to thank Robert Story from USC/ISI Root Server Operations
for bringing this vulnerability to our attention. [GL #4242]

Removed Features
The dnssec-must-be-secure option has been deprecated and will be removed
in a future release. [GL #4263]

Feature Changes
If the server command is specified, nsupdate now honors the nsupdate -v
option for SOA queries by sending both the UPDATE request and the
initial query over TCP. [GL #1181]

Bug Fixes
The value of the If-Modified-Since header in the statistics channel was
not being correctly validated for its length, potentially allowing an
authorized user to trigger a buffer overflow. Ensuring the statistics
channel is configured correctly to grant access exclusively to
authorized users is essential (see the statistics-channels block
definition and usage section). [GL #4124]

This issue was reported independently by Eric Sesterhenn of X41 D-Sec
GmbH and Cameron Whitehead.

The Content-Length header in the statistics channel was lacking proper
bounds checking. A negative or excessively large value could potentially
trigger an integer overflow and result in an assertion failure. [GL

This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

Several memory leaks caused by not clearing the OpenSSL error stack were
fixed. [GL #4159]

This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs
UPDATE policies accidentally caused named to return SERVFAIL responses
to deletion requests for non-existent PTR and SRV records. This has been
fixed. [GL #4280]

The stale-refresh-time feature was mistakenly disabled when the server
cache was flushed by rndc flush. This has been fixed. [GL #4278]

BIND’s memory consumption has been improved by implementing dedicated
jemalloc memory arenas for sending buffers. This optimization ensures
that memory usage is more efficient and better manages the return of
memory pages to the operating system. [GL #4038]

Previously, partial writes in the TLS DNS code were not accounted for
correctly, which could have led to DNS message corruption. This has been
fixed. [GL #4255]

Known Issues
There are no new known issues with this release. See above for a list of
all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.18
Feature Changes
When a primary server for a zone responds to an SOA query, but the
subsequent TCP connection required to transfer the zone is refused, that
server is marked as temporarily unreachable. This now also happens if
the TCP connection attempt times out, preventing too many zones from
queuing up on an unreachable server and allowing the refresh process to
move on to the next configured primary more quickly. [GL #4215]

The dialup and heartbeat-interval options have been deprecated and will
be removed in a future BIND 9 release. [GL #3700]

Bug Fixes
Processing already-queued queries received over TCP could cause an
assertion failure, when the server was reconfigured at the same time or
the cache was being flushed. This has been fixed. [GL #4200]

Setting dnssec-policy to insecure prevented zones containing resource
records with a TTL value larger than 86400 seconds (1 day) from being
loaded. This has been fixed by ignoring the TTL values in the zone and
using a value of 604800 seconds (1 week) as the maximum zone TTL in key
rollover timing calculations. [GL #4032]

Known Issues
There are no new known issues with this release. See above for a list of
all known issues affecting this BIND 9 branch.

Link to release notes:
https://bind9.readthedocs.io/en/v9.18.19/notes.html#notes-for-bind-9-18-19

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
 .../0001-avoid-start-failure-with-bind-user.patch               | 0
 .../0001-named-lwresd-V-and-start-log-hide-build-options.patch  | 0
 .../bind-ensure-searching-for-json-headers-searches-sysr.patch  | 0
 meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/bind9     | 0
 .../recipes-connectivity/bind/{bind-9.18.17 => bind}/conf.patch | 0
 .../bind/{bind-9.18.17 => bind}/generate-rndc-key.sh            | 0
 .../init.d-add-support-for-read-only-rootfs.patch               | 0
 .../{bind-9.18.17 => bind}/make-etc-initd-bind-stop-work.patch  | 0
 .../bind/{bind-9.18.17 => bind}/named.service                   | 0
 .../bind/{bind_9.18.17.bb => bind_9.18.19.bb}                   | 2 +-
 10 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/bind9 (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.17 => bind}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.18.17.bb => bind_9.18.19.bb} (97%)