Ondřej Surý 9bdace3fa3 Fix GSS-API context leak in TKEY negotiation ... Reject multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) in dst_gssapi_acceptctx(). Each call to gss_accept_sec_context() allocates a context inside the GSS library; without this fix, the context handle was passed back to process_gsstkey() which did not store it persistently, leaking it on every incomplete negotiation. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries with GSSAPI tokens, each leaking one GSS context. The leaked memory is allocated by the GSS library via malloc(), bypassing BIND's memory accounting. In practice, Kerberos/SPNEGO (the only mechanism used with BIND) completes in a single round, so rejecting continuation does not affect real-world deployments. See RFC 3645 Section 4.1.3. (cherry picked from commit 3d8e0d068f08694282c5ecd3bd6c332de6c75485)		2026-05-07 13:09:18 +02:00
..
dns	Fix GSS-API context leak in TKEY negotiation	2026-05-07 13:09:18 +02:00
isc	Remove OpenSSL memory tracking support from the tls.c module	2026-05-06 13:57:52 +00:00
isccc	Remove redundant parentheses from the return statement	2024-11-19 14:26:52 +01:00
isccfg	Fix KASP key leaks on keystore lookup failure	2026-03-16 11:05:03 +01:00
ns	Apply XFR-out quota after ACL is checked	2026-05-07 13:09:18 +02:00
.gitignore	The isc/platform.h header has been completely removed	2021-07-06 05:33:48 +00:00
Makefile.am	Move irs_resconf into libdns and remove libirs	2023-02-24 09:38:59 +00:00