Security Fixes
* A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #39795]
* On servers configured to perform DNSSEC validation, an assertion failure
could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone load was
already in progress; this could trigger a crash in zt.c. [RT #37573]
* Several bugs have been fixed in the RPZ implementation:
+ Policy zones that did not specifically require recursion could be treated
as if they did; consequently, setting qname-wait-recurse no; was
sometimes ineffective. This has been corrected. In most configurations,
behavioral changes due to this fix will not be noticeable. [RT #39229]
+ The server could crash if policy zones were updated (e.g. via
rndc reload or an incoming zone transfer) while RPZ processing
was still ongoing for an active query. [RT #39415]
+ On servers with one or more policy zones configured as slaves, if a
policy zone updated during regular operation (rather than at startup)
using a full zone reload, such as via AXFR, a bug could allow the RPZ
summary data to fall out of sync, potentially leading to an assertion
failure in rpz.c when further incremental updates were made to the zone,
such as via IXFR. [RT #39567]
+ The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an unexpected
action could be taken. This has been corrected. [RT #39481]
+ The server could crash if a reload of an RPZ zone was initiated while
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=174
- An uninitialized value in validator.c could result in an assertion failure.
(CVE-2015-4620) [RT #39795]
- Update to version 9.10.2-P1
- Include client-ip rules when logging the number of RPZ rules of each type.
[RT #39670]
- Addressed further problems with reloading RPZ zones. [RT #39649]
- Addressed a regression introduced in change #4121. [RT #39611]
- The server could match a shorter prefix than what was available in
CLIENT-IP policy triggers, and so, an unexpected action could be taken.
This has been corrected. [RT #39481]
- On servers with one or more policy zones configured as slaves, if a policy
zone updated during regular operation (rather than at startup) using a full
zone reload, such as via AXFR, a bug could allow the RPZ summary data to
fall out of sync, potentially leading to an assertion failure in rpz.c when
further incremental updates were made to the zone, such as via IXFR.
[RT #39567]
- A bug in RPZ could cause the server to crash if policy zones were updated
while recursion was pending for RPZ processing of an active query.
[RT #39415]
- Fix a bug in RPZ that could cause some policy zones that did not
specifically require recursion to be treated as if they did; consequently,
setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]
- Asynchronous zone loads were not handled correctly when the zone load was
already in progress; this could trigger a crash in zt.c. [RT #37573]
- Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't
result in a bug during operation. If the read failed, named could segfault.
[RT #38559]
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=172
Fix inappropriate use of /var/lib/named for locating dynamic-DB plugins.
Dynamic-DB plugins are now loaded from %{_libexecdir}/bind, consistent with openSUSE packaging guideline.
Install additional header files which are helpful to the development of dynamic-DB plugins.
Please note that - the so-far only implementation of dyanmic-DB plugin does not support running in chroot environment very well, there is great performance impact in doing so.
OBS-URL: https://build.opensuse.org/request/show/311393
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=169
- Handle timeout in legacy system test. [RT #38573]
- dns_rdata_freestruct could be called on a uninitialised structure when
handling a error. [RT #38568]
- Addressed valgrind warnings. [RT #38549]
- UDP dispatches could use the wrong pseudorandom
number generator context. [RT #38578]
- Fixed several small bugs in automatic trust anchor management, including a
memory leak and a possible loss of key state information. [RT #38458]
- 'dnssec-dsfromkey -T 0' failed to add ttl field. [RT #38565]
- Revoking a managed trust anchor and supplying an untrusted replacement
could cause named to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
- Fix a leak of query fetchlock. [RT #38454]
- Fix a leak of pthread_mutexattr_t. [RT #38454]
- RPZ could send spurious SERVFAILs in response
to duplicate queries. [RT #38510]
- CDS and CDNSKEY had the wrong attributes. [RT #38491]
- adb hash table was not being grown. [RT #38470]
- Update bind.keyring
- Update baselibs.conf due to updates to libdns160 and libisc148
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=166
- Update to version 9.10.1-P1
- A flaw in delegation handling could be exploited to put named into an
infinite loop. This has been addressed by placing limits on the number of
levels of recursion named will allow (default 7), and the number of
iterative queries that it will send (default 50) before terminating a
recursive query (CVE-2014-8500); (bnc#908994).
The recursion depth limit is configured via the "max-recursion-depth"
option, and the query limit via the "max-recursion-queries" option.
[RT #37580]
- When geoip-directory was reconfigured during named run-time, the
previously loaded GeoIP data could remain, potentially causing wrong ACLs
to be used or wrong results to be served based on geolocation
(CVE-2014-8680). [RT #37720]; (bnc#908995).
- Lookups in GeoIP databases that were not loaded could cause an assertion
failure (CVE-2014-8680). [RT #37679]; (bnc#908995).
- The caching of GeoIP lookups did not always handle address families
correctly, potentially resulting in an assertion failure (CVE-2014-8680).
[RT #37672]; (bnc#908995).
OBS-URL: https://build.opensuse.org/request/show/264596
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=156
Merge request 264305:
- Convert some hard PreReq to leaner Requires(pre).
- Typograhical and orthographic fixes to description texts.
Changes already present with request 264243:
- Fix bashisms in the createNamedConfInclude script.
- Post scripts: remove '-e' option of 'echo' that may be unsupported
in some POSIX-compliant shells.
- Add openssl engines to the lwresd chroot.
- Add /etc/lwresd.conf with attribute ghost to the list of files.
- Add /run/lwresd to the list of files of the lwresd package.
- Shift /run/named from the chroot sub to the main bind package.
- Drop /proc from the chroot as multi CPU systems work fine even without it.
OBS-URL: https://build.opensuse.org/request/show/264325
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=155
- Add a versioned dependency when obsoleting packages.
- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).
- Fix gssapi_krb configure time header detection.
- Update root zone (dated Nov 5, 2014).
- Update to version 9.10.1
- This release addresses the security flaws described in CVE-2014-3214 and
CVE-2014-3859.
- Update to version 9.10.0
- Update to version 9.9.6
Cf the bind changes file for all the details of 9.9.6 till 9.10.1.
- Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch
- Update baselibs.conf (added libirs and library interface version updates).
OBS-URL: https://build.opensuse.org/request/show/264083
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=153
- Package dnssec-checkds and dnssec-coverage binaries and man pages only on
post-11.1 systems.
- Update to version 9.9.5P1
Various bugfixes and some feature fixes. (see CHANGES files)
Security and maintenance issues:
- [bug] Don't call qsort with a null pointer. [RT #35968]
- [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968]
- [port] linux: libcap support: declare curval at start of block. [RT #35387]
- Update to version 9.9.5
Various bugfixes and some feature fixes. (see CHANGES files)
- Updated to current rpz patch from·http://ss.vix.su/~vjs/rrlrpz.html
- rpz2-9.9.4.patch
+ rpz2+rl-9.9.5.patch
OBS-URL: https://build.opensuse.org/request/show/243329
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=144
* Fixes named crash when handling malformed NSEC3-signed zones
(CVE-2014-0591, bnc#858639)
* Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now
supported upstream (--enable-rrl).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=134
Various bugfixes and some feature fixes. (see CHANGES files)
Security and maintenance issues:
- [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
- [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
- [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
- [bug] Fixed several Coverity warnings.
Note: This change includes a fix for a bug that
was subsequently determined to be an exploitable
security vulnerability, CVE-2012-5688: named could
die on specific queries with dns64 enabled.
[RT #30996]
- [maint] Added AAAA for D.ROOT-SERVERS.NET.
- [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=115
https://kb.isc.org/article/AA-00828
* Security Fixes
Prevents named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a result of
specific queries that are received. (Note that this fix is a subset
of a series of updates that will be included in full in BIND 9.8.5
and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [CVE-2012-1667] [RT #29644]
ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=107
https://kb.isc.org/article/AA-00798
Security:
* A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad
cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of the
named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone
to determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
it will not be built or installed on systems that do not have a python
interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=100