2280b862ef
- Update to version 9.9.4P2
  * Fixes named crash when handling malformed NSEC3-signed zones (CVE-2014-0591, bnc#858639)
  * Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now supported upstream (--enable-rrl).
Reinhard Max
2014-01-21 17:09:17 +00:00
d26e1590d4
Accepting request 210487 from network
Stephan Kulow
2013-12-13 12:01:42 +00:00
c13e4cf96e
Fix creation of /etc/named.conf.include.
Reinhard Max
2013-12-09 12:23:41 +00:00
82e8a1d0eb
Accepting request 186266 from network
Tomáš Chvátal
2013-08-10 16:28:25 +00:00
e0efd1bf47
- Systemd doesn't set $TERM, and hence breaks tput (bnc#823175).
Reinhard Max
2013-08-07 15:23:09 +00:00
b255a507e5
- Systemd doesn't set $TERM, and hence breaks tput.
Reinhard Max
2013-08-07 15:21:50 +00:00
ef9b332868
- Improve pie_compile.diff (bnc#828874).
- dnssec-checkds and dnssec-coverage need python-base.
- disable rpath in libtool.
Reinhard Max
2013-08-06 13:06:41 +00:00
2e7cad6b7d
dnssec-checkds and dnssec-coverage need python-base for building.
Reinhard Max
2013-08-06 09:11:23 +00:00
28ef07b698
- Update to 9.9.3P2 fixes CVE-2013-4854, bnc#831899.
  * Incorrect bounds checking on private type 'keydata' can lead to a remotely triggerable REQUIRE failure.
Reinhard Max
2013-08-05 14:51:21 +00:00
b557cafc2b
Accepting request 184213 from network
Stephan Kulow
2013-07-24 21:30:38 +00:00
7dbe78dc6a
- Use updated config.guess/sub in the embedded idnkit sources
Marcus Meissner
2013-06-26 10:50:57 +00:00
8591e27de2
- Updated to 9.9.3-P1
  Various bugfixes and some feature fixes. (see CHANGES files)
  Security and maintenance issues:
  - [security] Caching data from an incompletely signed zone could trigger an assertion failure in resolver.c [RT #33690]
  - [security] Support NAPTR regular expression validation on all platforms without using libregex, which can be vulnerable to memory exhaustion attack (CVE-2013-2266). [RT #32688]
  - [security] RPZ rules to generate A records (but not AAAA records) could trigger an assertion failure when used in conjunction with DNS64 (CVE-2012-5689). [RT #32141]
  - [bug] Fixed several Coverity warnings. Note: This change includes a fix for a bug that was subsequently determined to be an exploitable security vulnerability, CVE-2012-5688: named could die on specific queries with dns64 enabled. [RT #30996]
  - [maint] Added AAAA for D.ROOT-SERVERS.NET.
  - [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
Marcus Meissner
2013-06-26 10:50:27 +00:00
adb3422044
Accepting request 174827 from network
Stephan Kulow
2013-05-13 12:43:11 +00:00
e2db8fe61f
Accepting request 174818 from devel:ARM:AArch64:Factory
Marcus Meissner
2013-05-08 13:45:12 +00:00
65bfa5b3d2
Accepting request 161413 from network
Stephan Kulow
2013-03-28 12:09:59 +00:00
eec4a4f40d
- Updated to 9.9.2-P2 (bnc#811876)
  Fix for: https://kb.isc.org/article/AA-00871
  CVE-2013-2266
  * Security Fixes
    Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688]
- added gpg key source verification
Marcus Meissner
2013-03-27 12:36:47 +00:00
636c118d37
- Updated to 9.9.2-P1 (bnc#792926)
  https://kb.isc.org/article/AA-00828
  * Security Fixes
    Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
    A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
    Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
    Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
    A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
    ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
  New Features
    Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
    Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python;
Marcus Meissner
2012-12-06 08:05:49 +00:00
2f2a5e17d4
Accepting request 141805 from network
Stephan Kulow
2012-11-20 09:15:16 +00:00
d3e988aaee
- updated to 9.9.2
  https://kb.isc.org/article/AA-00798
  Security:
  * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
  * Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
  * Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
  * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
  * ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
  New Features
  * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
  * Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
  * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
  * Adds configuration option "max-rsa-exponent-size <value>;" that can
Marcus Meissner
2012-11-14 10:25:52 +00:00
c9d0046524
- Specially crafted DNS data can cause a lockup in named. CVE-2012-5166, bnc#784602.
- 9.9.1-P4
Marcus Meissner
2012-10-19 12:14:00 +00:00
5f51f43efe
Accepting request 134434 from network
Stephan Kulow
2012-09-17 11:47:56 +00:00
a16486cc98
- Named could die on specially crafted record. [RT #30416] (bnc#780157) CVE-2012-4244
- 9.9.1-P3
- updated dnszone-schema.txt from upstream.
Marcus Meissner
2012-09-15 16:23:25 +00:00
864a31b0ad
Accepting request 128983 from network
Stephan Kulow
2012-07-31 11:27:12 +00:00