Merge branch 'michal/post-release-tweaks' into 'main'

Miscellaneous post-release tweaks See merge request isc-projects/bind9!8738
2025-08-30 05:57:52 +00:00 · 2024-02-14 16:17:02 +00:00 · 2024-02-14 16:17:02 +00:00 · cc65a14d0e
commit cc65a14d0e
parent 8610799317 dedc5b9afb
2 changed files with 11 additions and 3 deletions
--- a/10
+++ b/10
@ -1,10 +1,10 @@
 6345.	[bug]		Added missing dns_rdataset_disassociate calls in
 			validator.c:findnsec3proofs. [GL #4571]

-6344.	[bug]		Fix case insensitive setting for isc_ht hashtable.
-			[GL #4568]
+6344.	[placeholder]

-6343.	[placeholder]
+6343.	[bug]		Fix case insensitive setting for isc_ht hashtable.
+			[GL #4568]

 6342.	[placeholder]

@ -85,6 +85,10 @@
 			condition due to DNS validation taking a long time.
 			(CVE-2023-50387) [GL #4424]

+			The same code change also addresses another problem:
+			preparing NSEC3 closest encloser proofs could exhaust
+			available CPU resources. (CVE-2023-50868) [GL #4459]
+
 6321.	[security]	Change 6315 inadvertently introduced regressions that
 			could cause named to crash. [GL #4234]

--- a/doc/notes/notes-9.19.21.rst
+++ b/doc/notes/notes-9.19.21.rst
@ -24,6 +24,10 @@ Security Fixes
  Applied Cybersecurity ATHENE for bringing this vulnerability to our
  attention. :gl:`#4424`

+- Preparing an NSEC3 closest encloser proof could cause excessive CPU
+  load, leading to a denial-of-service condition. This has been fixed.
+  :cve:`2023-50868` :gl:`#4459`
+
 - Parsing DNS messages with many different names could cause excessive
  CPU load. This has been fixed. :cve:`2023-4408`