From d3e988aaee75838b451c757625394fb337b8018191d10527771d9269b317cd95 Mon Sep 17 00:00:00 2001 
From: Marcus Meissner
Date: Wed, 14 Nov 2012 10:25:52 +0000
Subject: [PATCH] - updated to 9.9.2
  https://kb.isc.org/article/AA-00798

  Security:
  * A deliberately constructed combination of records could cause
    named to hang while populating the additional section of a
    response. [CVE-2012-5166] [RT #31090]
  * Prevents a named assert (crash) when queried for a record whose
    RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
  * Prevents a named assert (crash) when validating caused by using "Bad
    cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
  * A condition has been corrected where improper handling of zero-length
    RDATA could cause undesirable behavior, including termination of the
    named process. [CVE-2012-1667] [RT #29644]
  * ISC_QUEUE handling for recursive clients was updated to address a race
    condition that could cause a memory leak. This rarely occurred with
    UDP clients, but could be a significant problem for a server handling
    a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]

  New Features

  * Elliptic Curve Digital Signature Algorithm keys and signatures in
    DNSSEC are now supported per RFC 6605. [RT #21918]
  * Introduces a new tool "dnssec-checkds" command that checks a zone
    to determine which DS records should be published in the parent zone,
    or which DLV records should be published in a DLV zone, and queries
    the DNS to ensure that it exists. (Note: This tool depends on python;
    it will not be built or installed on systems that do not have a python
    interpreter.) [RT #28099]
  * Introduces a new tool "dnssec-verify" that validates a signed zone,
    checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673] * Adds configuration option "max-rsa-exponent-size ;" that can OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=100 --- bind-9.9.1-P4.tar.gz | 3 --- bind-9.9.2.tar.gz | 3 +++ bind.changes | 46 ++++++++++++++++++++++++++++++++++++++++++++ bind.spec | 4 ++-- 4 files changed, 51 insertions(+), 5 deletions(-) delete mode 100644 bind-9.9.1-P4.tar.gz create mode 100644 bind-9.9.2.tar.gz diff --git a/bind-9.9.1-P4.tar.gz b/bind-9.9.1-P4.tar.gz deleted file mode 100644 index b826cb6..0000000 --- a/bind-9.9.1-P4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:18f90727fd9566da037e71569d9b3a4834c96b04d9e75f9899eba0bc88c0868a -size 7227655 diff --git a/bind-9.9.2.tar.gz b/bind-9.9.2.tar.gz new file mode 100644 index 0000000..5ba33b8 --- /dev/null +++ b/bind-9.9.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7e6530b198d512e27a856bbd7426b1a3c47fd55d06d667adb66f760259009b48 +size 7285050 diff --git a/bind.changes b/bind.changes index ec23e42..e595f8d 100644 --- a/bind.changes +++ b/bind.changes 
@@ -1,3 +1,49 @@ +------------------------------------------------------------------- +Wed Nov 14 10:24:42 UTC 2012 - meissner@suse.com + +- updated to 9.9.2 + https://kb.isc.org/article/AA-00798 + + Security: + * A deliberately constructed combination of records could cause + named to hang while populating the additional section of a + response. [CVE-2012-5166] [RT #31090] + * Prevents a named assert (crash) when queried for a record whose + RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416] + * Prevents a named assert (crash) when validating caused by using "Bad + cache" data before it has been initialized. [CVE-2012-3817] [RT #30025] + * A condition has been corrected where improper handling of zero-length + RDATA could cause undesirable behavior, including termination of the + named process. [CVE-2012-1667] [RT #29644] + * ISC_QUEUE handling for recursive clients was updated to address a race + condition that could cause a memory leak. This rarely occurred with + UDP clients, but could be a significant problem for a server handling + a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233] + + New Features + + * Elliptic Curve Digital Signature Algorithm keys and signatures in + DNSSEC are now supported per RFC 6605. [RT #21918] + * Introduces a new tool "dnssec-checkds" command that checks a zone + to determine which DS records should be published in the parent zone, + or which DLV records should be published in a DLV zone, and queries + the DNS to ensure that it exists. (Note: This tool depends on python; + it will not be built or installed on systems that do not have a python + interpreter.) [RT #28099] + * Introduces a new tool "dnssec-verify" that validates a signed zone, + checking for the correctness of signatures and NSEC/NSEC3 chains. 
+ [RT #23673] + * Adds configuration option "max-rsa-exponent-size ;" that can + be used to specify the maximum rsa exponent size that will be accepted + when validating [RT #29228] + + Feature Changes + + * Improves OpenSSL error logging [RT #29932] + * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] + + Lots of bugfixes. + ------------------------------------------------------------------- Fri Oct 19 12:11:55 UTC 2012 - meissner@suse.com diff --git a/bind.spec b/bind.spec index 76773a7..8e4dded 100644 --- a/bind.spec +++ b/bind.spec @@ -18,7 +18,7 @@ Name: bind %define pkg_name bind -%define pkg_vers 9.9.1-P4 +%define pkg_vers 9.9.2 BuildRequires: krb5-devel BuildRequires: libcap BuildRequires: libcap-devel @@ -32,7 +32,7 @@ BuildRequires: update-desktop-files Summary: Domain Name System (DNS) Server (named) License: ISC Group: Productivity/Networking/DNS/Servers -Version: 9.9.1P3 +Version: 9.9.2 Release: 0 Provides: bind8 Provides: bind9
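Review bot: the bind-9.9.2.tar.gz hunk replaces the upstream source with nothing but a new git-lfs pointer, and the diffstat lists four files, none of which is a detached signature, so neither a reviewer nor the build can check the tarball against the ISC release key from what this change contains. ISC publishes signatures for its release tarballs; suggest committing the one for 9.9.2 next to the tarball and verifying it during the build, so the sha256 oid in the pointer is not the only thing vouching for the source.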
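Review bot: the Security list in the new bind.changes entry does not say which of the five CVEs are first fixed by this update and which were already fixed in the 9.9.1-P4 package it replaces, so anyone using the changelog to decide how urgent the update is cannot tell. Suggest marking the fixes that are new relative to 9.9.1-P4 and adding the distribution bug references for them. Two smaller points in the same entry: the option line reads "max-rsa-exponent-size ;" with the value placeholder missing before the semicolon, and "Lots of bugfixes." would be more useful as a pointer to the upstream release notes already linked at the top of the entry.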
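Review bot: in the second bind.spec hunk, Version: is still a hand-typed copy of pkg_vers, and the removed lines show how that drifts: pkg_vers was 9.9.1-P4 while Version was 9.9.1P3. Both now read 9.9.2, but the next -P release will again need two separate edits. Suggest deriving Version from pkg_vers (dropping the hyphen, which RPM does not allow in Version), or at least adding a comment next to %define pkg_vers saying the two must be changed together.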