- Update to version 9.10.1-P1
- A flaw in delegation handling could be exploited to put named into an
infinite loop. This has been addressed by placing limits on the number of
levels of recursion named will allow (default 7), and the number of
iterative queries that it will send (default 50) before terminating a
recursive query (CVE-2014-8500); (bnc#908994).
The recursion depth limit is configured via the "max-recursion-depth"
option, and the query limit via the "max-recursion-queries" option.
[RT #37580]
- When geoip-directory was reconfigured during named run-time, the
previously loaded GeoIP data could remain, potentially causing wrong ACLs
to be used or wrong results to be served based on geolocation
(CVE-2014-8680). [RT #37720]; (bnc#908995).
- Lookups in GeoIP databases that were not loaded could cause an assertion
failure (CVE-2014-8680). [RT #37679]; (bnc#908995).
- The caching of GeoIP lookups did not always handle address families
correctly, potentially resulting in an assertion failure (CVE-2014-8680).
[RT #37672]; (bnc#908995).
OBS-URL: https://build.opensuse.org/request/show/264596
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=156
Merge request 264305:
- Convert some hard PreReq to leaner Requires(pre).
- Typograhical and orthographic fixes to description texts.
Changes already present with request 264243:
- Fix bashisms in the createNamedConfInclude script.
- Post scripts: remove '-e' option of 'echo' that may be unsupported
in some POSIX-compliant shells.
- Add openssl engines to the lwresd chroot.
- Add /etc/lwresd.conf with attribute ghost to the list of files.
- Add /run/lwresd to the list of files of the lwresd package.
- Shift /run/named from the chroot sub to the main bind package.
- Drop /proc from the chroot as multi CPU systems work fine even without it.
OBS-URL: https://build.opensuse.org/request/show/264325
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=155
- Add a versioned dependency when obsoleting packages.
- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).
- Fix gssapi_krb configure time header detection.
- Update root zone (dated Nov 5, 2014).
- Update to version 9.10.1
- This release addresses the security flaws described in CVE-2014-3214 and
CVE-2014-3859.
- Update to version 9.10.0
- Update to version 9.9.6
Cf the bind changes file for all the details of 9.9.6 till 9.10.1.
- Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch
- Update baselibs.conf (added libirs and library interface version updates).
OBS-URL: https://build.opensuse.org/request/show/264083
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=153
- Package dnssec-checkds and dnssec-coverage binaries and man pages only on
post-11.1 systems.
- Update to version 9.9.5P1
Various bugfixes and some feature fixes. (see CHANGES files)
Security and maintenance issues:
- [bug] Don't call qsort with a null pointer. [RT #35968]
- [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968]
- [port] linux: libcap support: declare curval at start of block. [RT #35387]
- Update to version 9.9.5
Various bugfixes and some feature fixes. (see CHANGES files)
- Updated to current rpz patch from·http://ss.vix.su/~vjs/rrlrpz.html
- rpz2-9.9.4.patch
+ rpz2+rl-9.9.5.patch
OBS-URL: https://build.opensuse.org/request/show/243329
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=144
* Fixes named crash when handling malformed NSEC3-signed zones
(CVE-2014-0591, bnc#858639)
* Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now
supported upstream (--enable-rrl).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=134
Various bugfixes and some feature fixes. (see CHANGES files)
Security and maintenance issues:
- [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
- [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
- [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
- [bug] Fixed several Coverity warnings.
Note: This change includes a fix for a bug that
was subsequently determined to be an exploitable
security vulnerability, CVE-2012-5688: named could
die on specific queries with dns64 enabled.
[RT #30996]
- [maint] Added AAAA for D.ROOT-SERVERS.NET.
- [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=115
https://kb.isc.org/article/AA-00828
* Security Fixes
Prevents named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a result of
specific queries that are received. (Note that this fix is a subset
of a series of updates that will be included in full in BIND 9.8.5
and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [CVE-2012-1667] [RT #29644]
ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=107
https://kb.isc.org/article/AA-00798
Security:
* A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad
cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of the
named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone
to determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
it will not be built or installed on systems that do not have a python
interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=100
