Commit Graph

35511 Commits

Author SHA1 Message Date
Michal Nowak
71da3f984e Drop Ubuntu 18.04 "bionic"
Ubuntu 18.04 LTS (Bionic Beaver) is EOL.

Move gcc:bionic:amd64-specific CFLAGS and EXTRA_CONFIGURE to
gcc:jammy:amd64.

(cherry picked from commit 6d100c4a32)
2023-10-23 12:00:50 +02:00
Michal Nowak
fd0edc6406 Merge branch '4152-reproducer-stack-exhaustion-9.16' into 'bind-9.16'
[9.16] Add test for CVE-2023-3341

See merge request isc-projects/bind9!8412
2023-10-20 15:19:48 +00:00
Michal Nowak
43947e7198 Add test for CVE-2023-3341
(cherry picked from commit 7d1834b250)
2023-10-20 16:26:49 +02:00
Mark Andrews
af80b17b48 Merge branch '4378-uv_sleep-wrapper-misses-parentheses-causing-unit-test-hang-bind-9.18-bind-9.16' into 'bind-9.16'
[9.16] Resolve "uv_sleep wrapper misses parentheses, causing unit test hang"

See merge request isc-projects/bind9!8406
2023-10-20 00:54:10 +00:00
Mark Andrews
a846180a01 Add parentheses around macro arguement 'msec'
The is needed to ensure that the multiplication is correctly done.
This was reported by Jinmei Tatuya.

(cherry picked from commit ebfbad29c1)
2023-10-20 11:26:04 +11:00
Michal Nowak
0d447bceae Merge branch 'mnowak/llvm-17-9.16' into 'bind-9.16'
[9.16] Update clang to version 17

See merge request isc-projects/bind9!8396
2023-10-17 16:40:39 +00:00
Michal Nowak
531c96b8ed Update the source code formatting using clang-format-17 2023-10-17 17:56:31 +02:00
Michal Nowak
12679a98b3 Update clang to version 17
(cherry picked from commit 625a4ffc7a)
2023-10-17 17:52:02 +02:00
Mark Andrews
67f9be9cd2 Merge branch '4365-update-dangerfile-py-to-know-about-cve-bind-9.16' into 'bind-9.16'
[9.16] Resolve "Update dangerfile.py to know about `:cve:`"

See merge request isc-projects/bind9!8392
2023-10-17 03:38:23 +00:00
Mark Andrews
d773b15561 Update dangerfile.py to know about ':cve:'
(cherry picked from commit dbc2167325)
2023-10-17 13:19:28 +11:00
Petr Špaček
24b6edfccf Merge branch 'pspacek/doc-and-build-tweaks-9.16' into 'bind-9.16'
[9.16] Describe BIND threat model

See merge request isc-projects/bind9!8380
2023-10-13 08:10:10 +00:00
Petr Špaček
3914b87eaf Describe BIND threat model
Basically all local data is considered trusted, and proper ACLs and
limits need to be explicitly configured. We are also free to let
protocol non-compliant servers burn in flames.

(cherry picked from commit fc907baa7f)
2023-10-13 10:01:09 +02:00
Michał Kępień
545fbdf953 Merge branch 'michal/install-pdf-dependencies-on-demand-in-gitlab-ci-9.16' into 'bind-9.16'
[9.16] Install PDF dependencies on demand in GitLab CI

See merge request isc-projects/bind9!8374
2023-10-12 13:14:39 +00:00
Michał Kępień
37bf6c7ed0 Install PDF dependencies on demand in GitLab CI
Building the PDF version of the BIND 9 ARM requires TeX Live to be
present on the build host.  A TeX Live installation takes up several
gigabytes of disk space.  This significantly increases the size of the
Debian Docker images that include that toolchain, even though only two
GitLab CI jobs actually use it.

Instead of including TeX Live in the Docker image itself, install the
former on demand in a new GitLab CI job that only tests building the PDF
version of the BIND 9 ARM.  Do the same for qpdf, a tool used for
checking the PDF output produced by TeX Live.  This enables the size of
the "base" Docker image (which a lot of GitLab CI jobs need to pull) to
remain within reasonable limits.  As downloading and installing TeX Live
takes a significant amount of time, only run the new job in scheduled
pipelines and for tags.  Adjust job dependencies so that the "release"
job continues to work.

(cherry picked from commit 29cba33d44)
2023-10-12 14:41:45 +02:00
Michał Kępień
9449c2f12c Merge branch 'michal/move-linux-stress-tests-to-autoscaled-instances-9.16' into 'bind-9.16'
[9.16] Move Linux "stress" tests to autoscaled instances

See merge request isc-projects/bind9!8363
2023-10-06 11:13:26 +00:00
Michał Kępień
928b7621cf Move Linux "stress" tests to autoscaled instances
The autoscaling GitLab CI runners currently used for most GitLab CI jobs
spin up AWS EC2 instances that are at least as powerful as the dedicated
instances used for running "stress" tests.  Move all Linux-based
"stress" tests to autoscaling GitLab CI runners to enable deprovisioning
Linux AWS instances reserved for running "stress" tests.  Leave FreeBSD
"stress" tests intact as there is currently no support for autoscaling
BSD instances.

(cherry picked from commit 12ea994680)
2023-10-06 13:12:16 +02:00
Michal Nowak
4af611b946 Merge branch 'mnowak/drop-autoreconf-job-from-ci' into 'bind-9.16'
Drop autoreconf CI job

See merge request isc-projects/bind9!8232
2023-10-04 16:54:06 +00:00
Michal Nowak
3869085f95 Drop autoreconf CI job
In BIND 9.16, we don't need to run autoreconf, because ./configure et
al. are part of the source tree. It's nothing more than a check to see
if the build configuration can be built.
2023-10-04 18:01:41 +02:00
Petr Špaček
f4ab2328f4 Merge branch 'pspacek/fix-no-case-compression-docs-9.16' into 'bind-9.16'
[9.16] Fix no-case-compress description in the ARM

See merge request isc-projects/bind9!8356
2023-10-03 13:10:37 +00:00
Petr Špaček
c6571c36b8 Fix no-case-compress description in the ARM
We confused ourselves, it seems.

(cherry picked from commit 6451462a93)
2023-10-03 15:10:04 +02:00
Mark Andrews
0cf801f34d Merge branch '4316-dynamic-update-refused-shortly-after-zone-was-thawed-bind-9.16' into 'bind-9.16'
[9.16] Resolve "dynamic update refused shortly after zone was thawed"

See merge request isc-projects/bind9!8337
2023-09-27 00:41:41 +00:00
Mark Andrews
652847b06e Document that reloading happens asynchronously
(cherry picked from commit e33dbd0cbd)
2023-09-27 10:14:35 +10:00
Mark Andrews
0e55d94653 Wait for the test zone to finish re-loading
'rndc thaw' initiates asynchrous loading of all the zones
similar to 'rndc load'.  Wait for the test zone's load to
complete before testing that it is updatable again.

(cherry picked from commit 5b3238aa85)
2023-09-26 14:12:36 +10:00
Ondřej Surý
5d3a90b266 Merge branch '4327-minor-warning-about-ctype-h-function-9.16' into 'bind-9.16'
[9.16] Add semantic patch to explicitly cast chars to unsigned for ctype.h

See merge request isc-projects/bind9!8331
2023-09-22 15:42:01 +00:00
Ondřej Surý
aa5b5e41a6 Add CHANGES note for [GL #4327]
(cherry picked from commit 0e49a8422f)
2023-09-22 17:10:25 +02:00
Ondřej Surý
b354e10793 Explicitly cast chars to unsigned chars for <ctype.h> functions
Apply the semantic patch to catch all the places where we pass 'char' to
the <ctype.h> family of functions (isalpha() and friends, toupper(),
tolower()).

(cherry picked from commit 29caa6d1f0)
2023-09-22 17:10:25 +02:00
Ondřej Surý
c2e835989f Add semantic patch to explicitly cast chars to unsigned for ctype.h
Add a semantic patch to catch all the places where we pass 'char' to the
<ctype.h> family of functions (isalpha() and friends, toupper(),
tolower()).  While it generally works because the way how these
functions are constructed in the libc, it's safer to do the explicit
cast.

(cherry picked from commit 5ec65ab5d0)
2023-09-22 17:02:39 +02:00
Michał Kępień
100890b172 Merge branch 'mnowak/add-cve-ref-role-9.16' into 'bind-9.16'
[9.16] Add a Sphinx role for linking CVEs to the ISC Knowledgebase

See merge request isc-projects/bind9!8327
2023-09-21 12:46:33 +00:00
Michal Nowak
1e75f3ae33 Add a Sphinx role for linking CVEs to the ISC Knowledgebase
The new :cve: Sphinx role takes a CVE number as an argument and creates
a hyperlink to the relevant ISC Knowledgebase document that might have
more up-to-date or verbose information than the relevant release note.
This makes reaching ISC Knowledgebase pages directly from the release
notes easier.

Make all CVE references in the release notes use the new Sphinx role.

(cherry picked from commit 41b857e567)
2023-09-21 14:38:28 +02:00
Michał Kępień
b426acd3c5 Merge branch 'michal/update-sphinx-and-sphinx_rtd_theme-9.16' into 'bind-9.16'
[9.16] Update Sphinx and sphinx_rtd_theme

See merge request isc-projects/bind9!8324
2023-09-20 15:27:24 +00:00
Michał Kępień
e31e1d7639 Update Sphinx and sphinx_rtd_theme
Update Sphinx-related Python packages to their current versions pulled
in by "pip install sphinx-rtd-theme" run in a fresh virtual environment.

(cherry picked from commit 2f879cdec3)
2023-09-20 17:25:17 +02:00
Michał Kępień
2be533f469 Merge tag 'v9.16.44' into bind-9.16 2023-09-20 16:55:10 +02:00
Mark Andrews
4057a7c8c4 Merge branch '4314-dns_ncache_current-fails-to-set-covered-correctly-bind-9.16' into 'bind-9.16'
[9.16] Resolve "dns_ncache_current fails to set covered correctly"

See merge request isc-projects/bind9!8308
2023-09-18 07:14:07 +00:00
Mark Andrews
dfd0a2c4f6 Add a CHANGES note for [GL #4314]
(cherry picked from commit 80298ade33)
2023-09-18 16:43:32 +10:00
Mark Andrews
50bdf976c7 Check RRSIG covered type in negative cache entry
The covered type previously displayed as TYPE0 when it should
have reflected the records that was actually covered.

(cherry picked from commit 8ce359652a)
2023-09-18 16:40:55 +10:00
Mark Andrews
426b575680 Correctly set the value of covered in dns_ncache_current
Fix the type and rdclass being passed to dns_rdata_tostruct so
that rrsig.covered is correctly set.

(cherry picked from commit 779980710c)
2023-09-18 16:40:54 +10:00
Arаm Sаrgsyаn
38b4648f6b Merge branch 'aram/danger-ignore-length-warn-for-fixups-9.16' into 'bind-9.16'
[9.16] Don't warn about subject line length for the fixup commits (CI)

See merge request isc-projects/bind9!8301
2023-09-14 11:37:18 +00:00
Aram Sargsyan
b17948622b Don't warn about subject line length for the fixup commits
The fixup commits' subject line has a prefix which has its own
length, so warning about the exceeding length is not accurate.
Given that the fixup commits can not be merged, because they
cause a danger failure, it's safe to ignore the length check
for them.

(cherry picked from commit 3db2beef9f)
2023-09-14 11:00:10 +00:00
Michal Nowak
b14f294f32 Merge branch 'mnowak/set-up-version-and-release-notes-for-bind-9.16.45' into 'bind-9.16'
Set up version and release notes for BIND 9.16.45

See merge request isc-projects/bind9!8294
2023-09-12 07:39:52 +00:00
Michal Nowak
7d836f522c Set up release notes for BIND 9.16.45 2023-09-12 09:38:46 +02:00
Michal Nowak
2cedf0a486 Update BIND version to 9.16.45-dev 2023-09-12 09:38:45 +02:00
Michal Nowak
cd2b4602b0 prep 9.16.44 v9.16.44 2023-09-08 14:40:48 +02:00
Michal Nowak
70c62c2f7e Merge branch 'mnowak/prepare-documentation-for-bind-9.16.44' into 'security-bind-9.16'
Prepare release notes for BIND 9.16.44

See merge request isc-private/bind9!580
2023-09-08 12:35:06 +00:00
Michal Nowak
22186ff9f6 Prepare release notes for BIND 9.16.44 2023-09-08 14:15:36 +02:00
Michal Nowak
eca2f10f35 Merge branch '4152-confidential-limit-isccc_cc_fromwire-recursion-depth-bind-9.16' into 'security-bind-9.16'
[9.16] [CVE-2023-3341] Stack Exhaustion in control channel

See merge request isc-private/bind9!570
2023-09-08 12:11:41 +00:00
Mark Andrews
003be70796 Add release note for [GL #4152] 2023-09-07 19:54:20 +02:00
Mark Andrews
5f987f4568 Add CHANGES note for [GL #4152] 2023-09-07 19:54:20 +02:00
Mark Andrews
c4fac5ca98 Limit isccc_cc_fromwire recursion depth
Named and rndc do not need a lot of recursion so the depth is
set to 10.
2023-09-05 20:29:27 +02:00
Matthijs Mekking
4537578e78 Merge branch '4266-document-dnssec-policy-lifetime-v9_16' into 'bind-9.16'
[9.16] Clarify BIND 9 time formats

See merge request isc-projects/bind9!8265
2023-09-01 10:12:49 +00:00
Matthijs Mekking
77b0b387bf Add CHANGES entry for #4266
(cherry picked from commit fd3d58d512)
2023-09-01 11:16:13 +02:00