- Updated to 9.9.2-P1 (bnc#792926)

https://kb.isc.org/article/AA-00828
  * Security Fixes
    Prevents named from aborting with a require assertion failure on
    servers with DNS64 enabled.  These crashes might occur as a result of
    specific queries that are received.  (Note that this fix is a subset
    of a series of updates that will be included in full in BIND 9.8.5
    and 9.9.3 as change #3388, RT #30996).  [CVE-2012-5688] [RT #30792]
    A deliberately constructed combination of records could cause
    named to hang while populating the additional section of a
    response. [CVE-2012-5166] [RT #31090]
    Prevents a named assert (crash) when queried for a record whose
    RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
    Prevents a named assert (crash) when validating caused by using
    "Bad cache" data before it has been initialized. [CVE-2012-3817]
    [RT #30025]
    A condition has been corrected where improper handling of zero-length
    RDATA could cause undesirable behavior, including termination of
    the named process. [CVE-2012-1667]  [RT #29644]
    ISC_QUEUE handling for recursive clients was updated to address a race
    condition that could cause a memory leak. This rarely occurred with
    UDP clients, but could be a significant problem for a server handling
    a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]
New Features
    Elliptic Curve Digital Signature Algorithm keys and signatures in
    DNSSEC are now supported per RFC 6605. [RT #21918]
    Introduces a new tool "dnssec-checkds" command that checks a zone to
    determine which DS records should be published in the parent zone,
    or which DLV records should be published in a DLV zone, and queries
    the DNS to ensure that it exists. (Note: This tool depends on python;

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=107

bind-9.9.2-P1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4bce7c020402623333b655be5167ae8c52f30a6bfe9750caa3ab70da7d90219c
+size 7277498

bind-9.9.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7e6530b198d512e27a856bbd7426b1a3c47fd55d06d667adb66f760259009b48
-size 7285050

bind.changes

@@ -1,3 +1,159 @@
+-------------------------------------------------------------------
+Thu Dec  6 08:00:31 UTC 2012 - meissner@suse.com
+
+- Updated to 9.9.2-P1 (bnc#792926)
+  https://kb.isc.org/article/AA-00828
+  * Security Fixes
+
+    Prevents named from aborting with a require assertion failure on
+    servers with DNS64 enabled.  These crashes might occur as a result of
+    specific queries that are received.  (Note that this fix is a subset
+    of a series of updates that will be included in full in BIND 9.8.5
+    and 9.9.3 as change #3388, RT #30996).  [CVE-2012-5688] [RT #30792]
+
+    A deliberately constructed combination of records could cause
+    named to hang while populating the additional section of a
+    response. [CVE-2012-5166] [RT #31090]
+
+    Prevents a named assert (crash) when queried for a record whose
+    RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
+
+    Prevents a named assert (crash) when validating caused by using
+    "Bad cache" data before it has been initialized. [CVE-2012-3817]
+    [RT #30025]
+
+    A condition has been corrected where improper handling of zero-length
+    RDATA could cause undesirable behavior, including termination of
+    the named process. [CVE-2012-1667]  [RT #29644]
+
+    ISC_QUEUE handling for recursive clients was updated to address a race
+    condition that could cause a memory leak. This rarely occurred with
+    UDP clients, but could be a significant problem for a server handling
+    a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]
+
+New Features
+
+    Elliptic Curve Digital Signature Algorithm keys and signatures in
+    DNSSEC are now supported per RFC 6605. [RT #21918]
+
+    Introduces a new tool "dnssec-checkds" command that checks a zone to
+    determine which DS records should be published in the parent zone,
+    or which DLV records should be published in a DLV zone, and queries
+    the DNS to ensure that it exists. (Note: This tool depends on python;
+    it will not be built or installed on systems that do not have a
+    python interpreter.)  [RT #28099]
+
+    Introduces a new tool "dnssec-verify" that validates a signed zone,
+    checking for the correctness of signatures and NSEC/NSEC3 chains.
+    [RT #23673]
+
+    Adds configuration option "max-rsa-exponent-size <value>;" that
+    can be used to specify the maximum rsa exponent size that will be
+    accepted when validating [RT #29228]
+
+Feature Changes
+
+    Improves OpenSSL error logging [RT #29932]
+    nslookup now returns a nonzero exit code when it is unable to get
+    an answer.  [RT #29492]
+
+Bug Fixes
+
+    Uses binary mode to open raw files on Windows.  [RT #30944]
+    When using DNSSEC inline signing with "rndc signing -nsec3param", a
+    salt value of "-" can now be used to indicate 'no salt'.  [RT #30099]
+    Prevents race conditions (address use after free) that could be
+    encountered when named is shutting down and releasing structures
+    used to manage recursive clients.  [RT #30241]
+    Static-stub zones now accept "forward" and "fowarders" options
+    (often needed for subdomains of the zone referenced to override
+    global forwarding options).  These options are already available
+    with traditional stub zones and their omission from zones of type
+    "static-stub" was an inadvertent oversight. [RT #30482]
+    Limits the TTL of signed RRsets in cache when their RRSIGs are
+    approaching expiry. This prevents the persistence in cache of
+    invalid RRSIGs in order to assist recovery from a situation where
+    zone re-signing doesn't occur in a timely manner.   With this change,
+    named will attempt to obtain new RRSIGs from the authoritative server
+    once the original ones have expired, and even if the TTL of the old
+    records would in other circumstances cause them to be kept in cache
+    for longer.  [RT #26429]
+    Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
+    which are employed on Itanium systems to speed up lock management
+    by making use of atomic operations.  Without the syntax correction
+    it is possible that concurrent access to the same structures could
+    accidentally occur with unpredictable results.  [RT #25181]
+    Improves OpenSSL error logging [RT #29932]
+    The configure script now supports and detects libxml2-2.8.x correctly
+    [RT #30440]
+    The host command should no longer assert on some architectures
+    and builds while handling the time values used with the -w (wait
+    forever) option.  [RT #18723]
+    Invalid zero settings for max-retry-time, min-retry-time,
+    max-refresh-time, min-refresh-time will now be detected during parsing
+    of named.conf and an error emitted instead of triggering an assertion
+    failure on startup.  [RT #27730]
+    Removes spurious newlines from log messages in zone.c [RT #30675]
+    When built with readline support (i.e. on a system with readline
+    installed) nsupdate no longer terminates unexpectedly in interactive
+    mode. [RT #29550]
+    All named tasks that perform task-exclusive operations now share the
+    same single task.  Prior to this change, there was the possibility of
+    a race condition between rndc operations and other functions such as
+    re-sizing the adb hash table.  If the race condition was encountered,
+    named would in most cases terminate unexpectedly with an assert.
+    [RT #29872]
+    Ensures that servers are expired from the ADB cache when the timeout
+    limit is reached so that their learned attributes can be refreshed.
+    Prior to this change, servers that were frequently queried might
+    never have their entries removed and reinitialized.  This is of
+    particular importance to DNSSEC-validating recursive servers that
+    might erroneously set "no-edns" for an authoritative server following
+    a period of intermittent connectivity. [RT #29856]
+    Adds additional resilience to a previous security change (3218) by
+    preventing RRSIG data from being added to cache when a pseudo-record
+    matching the covering type and proving non-existence exists at a
+    higher trust level. The earlier change prevented this inconsistent
+    data from being retrieved from cache in response to client queries  -
+    with this additional change, the RRSIG records are no longer inserted
+    into cache at all. [RT #26809]
+    dnssec-settime will now issue a warning when the writing of a new
+    private key file would cause a change in the permissions of the
+    existing file. [RT #27724]
+    Fixes the defect introduced by change #3314 that was causing failures
+    when saving stub zones to disk (resulting in excessive CPU usage in
+    some cases).  [RT #29952]
+    Address race condition in units tests: asyncload_zone and
+    asyncload_zt. [RT #26100]
+    It is now possible to using multiple control keys again - this
+    functionality was inadvertently broken by change #3924 (RT #28265)
+    which addressed a memory leak. [RT #29694]
+    Named now holds a zone table reference while performing an
+    asynchronous load of a zone.  This removes a race condition that
+    could cause named to crash when zones are added using rndc addzone
+    or by manually editing named's configuration file followed by rndc
+    reconfig/reload. [RT #28326]
+    Setting resolver-query-timeout too low could cause named problems
+    recovering after a loss of connectivity.  [RT #29623]
+    Reduces the potential build-up of stale RRsets in cache on a busy
+    recursive nameserver by re-using cached DS and RRSIG rrsets when
+    possible [RT #29446]
+    Corrects a failure to authenticate non-existence of resource records
+    in some circumstances when RPZ has been configured.  Also:
+        adds an optional "recursive-only yes|no" to the response-policy
+        statement
+        adds an optional "max-policy-ttl" to the response-policy statement
+        to limit the false data that "recursive-only no" can introduce
+        into resolvers' caches
+        introduces a predefined encoding of PASSTHRU policy by adding
+        "rpz-passthru" to be used as the target of CNAME policy records
+        (the old encoding is still accepted.)
+        adds a RPZ performance test to bin/tests/system/rpz when queryperf is available.  [RT #26172]
+    Upper-case/lower-case handling of RRSIG signer-names is now handled
+    consistently: RRSIG records are generated with the signer-name in
+    lower case. They are accepted with any case, but if they fail to
+    validate, we try again in lower case. [RT #27451]
+
 -------------------------------------------------------------------
 Sun Nov 18 18:12:08 UTC 2012 - meissner@suse.com
 

bind.spec

@@ -18,7 +18,7 @@
 
 Name:           bind
 %define pkg_name bind
-%define pkg_vers 9.9.2
+%define pkg_vers 9.9.2-P1
 BuildRequires:  krb5-devel
 BuildRequires:  libcap
 BuildRequires:  libcap-devel
@@ -32,7 +32,7 @@ BuildRequires:  update-desktop-files
 Summary:        Domain Name System (DNS) Server (named)
 License:        ISC
 Group:          Productivity/Networking/DNS/Servers
-Version:        9.9.2
+Version:        9.9.2P1
 Release:        0
 Provides:       bind8
 Provides:       bind9