* Fixes named crash when handling malformed NSEC3-signed zones
(CVE-2014-0591, bnc#858639)
* Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now
supported upstream (--enable-rrl).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=134
- Updated to 9.9.3-P1
Various bugfixes and some feature fixes. (see CHANGES files)
Security and maintenance issues:
- [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
- [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
- [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
- [bug] Fixed several Coverity warnings.
Note: This change includes a fix for a bug that
was subsequently determined to be an exploitable
security vulnerability, CVE-2012-5688: named could
die on specific queries with dns64 enabled.
[RT #30996]
- [maint] Added AAAA for D.ROOT-SERVERS.NET.
- [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
- Updated to current rate limiting + rpz patch from
http://ss.vix.su/~vjs/rrlrpz.html
- moved dnssec-* helpers to bind-utils package. bnc#813911
OBS-URL: https://build.opensuse.org/request/show/181326
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=90
Various bugfixes and some feature fixes. (see CHANGES files)
Security and maintenance issues:
- [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
- [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
- [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
- [bug] Fixed several Coverity warnings.
Note: This change includes a fix for a bug that
was subsequently determined to be an exploitable
security vulnerability, CVE-2012-5688: named could
die on specific queries with dns64 enabled.
[RT #30996]
- [maint] Added AAAA for D.ROOT-SERVERS.NET.
- [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=115
- Updated to 9.9.2-P1 (bnc#792926)
https://kb.isc.org/article/AA-00828
* Security Fixes
Prevents named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a result of
specific queries that are received. (Note that this fix is a subset
of a series of updates that will be included in full in BIND 9.8.5
and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [CVE-2012-1667] [RT #29644]
ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
OBS-URL: https://build.opensuse.org/request/show/144433
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=86
https://kb.isc.org/article/AA-00828
* Security Fixes
Prevents named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a result of
specific queries that are received. (Note that this fix is a subset
of a series of updates that will be included in full in BIND 9.8.5
and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [CVE-2012-1667] [RT #29644]
ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=107
- updated to 9.9.2
https://kb.isc.org/article/AA-00798
Security:
* A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad
cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of the
named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone
to determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
it will not be built or installed on systems that do not have a python
interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can
OBS-URL: https://build.opensuse.org/request/show/141386
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=84
https://kb.isc.org/article/AA-00798
Security:
* A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad
cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of the
named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone
to determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
it will not be built or installed on systems that do not have a python
interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=100
- Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [RT #30025]
(bnc#772945)
- ISC_QUEUE handling for recursive clients was updated to address a
race condition that could cause a memory leak. This rarely occurred
with UDP clients, but could be a significant problem for a server
handling a steady rate of TCP queries. [RT #29539 & #30233]
- Under heavy incoming TCP query loads named could experience a
memory leak which could lead to significant reductions in query
response or cause the server to be terminated on systems with
"out of memory" killers. [RT #29539]
(bnc#772946)
- A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [RT #29644]
- 9.9.1-P2
- license update: ISC
ISC is generally seen as the correct license for bind
OBS-URL: https://build.opensuse.org/request/show/128983
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=81
- this version has no new features but only bugfixes
- Addresses a race condition that can cause named to to crash when
the masters list for a zone is updated via rndc reload/reconfig
- Fixes a race condition in zone.c that can cause named to crash
during the processing of rndc delzone
- Prevents a named segfault from resolver.c due to procedure
fctx_finddone() not being thread-safe
- SDB now handles unexpected errors from back-end database drivers
gracefully instead of exiting on an assert.
- Prevents named crashes as a result of dereferencing a NULL pointer
in zmgr_start_xfrin_ifquota if the zone was being removed while
there were zone transfers still pending
- Corrects a parser bug that could cause named to crash while
reading a malformed zone file
- many more smaller fixes
- version 9.9.1
OBS-URL: https://build.opensuse.org/request/show/121732
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=78
