- Updated to 9.9.2-P1 (bnc#792926)
https://kb.isc.org/article/AA-00828
* Security Fixes
Prevents named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a result of
specific queries that are received. (Note that this fix is a subset
of a series of updates that will be included in full in BIND 9.8.5
and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [CVE-2012-1667] [RT #29644]
ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
OBS-URL: https://build.opensuse.org/request/show/144433
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=86
https://kb.isc.org/article/AA-00828
* Security Fixes
Prevents named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a result of
specific queries that are received. (Note that this fix is a subset
of a series of updates that will be included in full in BIND 9.8.5
and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [CVE-2012-1667] [RT #29644]
ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=107
- updated to 9.9.2
https://kb.isc.org/article/AA-00798
Security:
* A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad
cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of the
named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone
to determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
it will not be built or installed on systems that do not have a python
interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can
OBS-URL: https://build.opensuse.org/request/show/141386
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=84
https://kb.isc.org/article/AA-00798
Security:
* A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad
cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of the
named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone
to determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
it will not be built or installed on systems that do not have a python
interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=100
- Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [RT #30025]
(bnc#772945)
- ISC_QUEUE handling for recursive clients was updated to address a
race condition that could cause a memory leak. This rarely occurred
with UDP clients, but could be a significant problem for a server
handling a steady rate of TCP queries. [RT #29539 & #30233]
- Under heavy incoming TCP query loads named could experience a
memory leak which could lead to significant reductions in query
response or cause the server to be terminated on systems with
"out of memory" killers. [RT #29539]
(bnc#772946)
- A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [RT #29644]
- 9.9.1-P2
- license update: ISC
ISC is generally seen as the correct license for bind
OBS-URL: https://build.opensuse.org/request/show/128983
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=81
- this version has no new features but only bugfixes
- Addresses a race condition that can cause named to crash when
the masters list for a zone is updated via rndc reload/reconfig
- Fixes a race condition in zone.c that can cause named to crash
during the processing of rndc delzone
- Prevents a named segfault from resolver.c due to procedure
fctx_finddone() not being thread-safe
- SDB now handles unexpected errors from back-end database drivers
gracefully instead of exiting on an assert.
- Prevents named crashes as a result of dereferencing a NULL pointer
in zmgr_start_xfrin_ifquota if the zone was being removed while
there were zone transfers still pending
- Corrects a parser bug that could cause named to crash while
reading a malformed zone file
- many more smaller fixes
- version 9.9.1
OBS-URL: https://build.opensuse.org/request/show/121732
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=78
- many dnssec fixes and features (too many to list them
here, check the changelog)
- improved startup time
- improved scalability
- Added support for Uniform Resource Identifier (URI) resource
records
- Local copies of slave zones are now saved in raw format by
default to improve startup performance
BIND 9.9 changes the default storage format for slave zone
files from text to raw. Because named's behavior when a slave
server cannot read or parse a zone file is to move the offending
file out of the way and retransfer the zone, slave servers
that are updated from a pre-9.9.0 version of BIND and which
have existing copies of slave zone data may wind up with
extraneous copies of zone data stored, as the existing
text-format zone file copies will be moved aside to filenames
of the format db-###### and journal files to the format
jn-###### (where # represents a hexadecimal digit.)
- many many bugfixes. Please read changelog for details
- fixed handling of TXT records in ldapdump
(bnc#743758)
- 9.9.0
OBS-URL: https://build.opensuse.org/request/show/116455
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=76
* fixed SSL in chroot environment (bnc#715881)
* Added a new include file with function typedefs for the DLZ
"dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
* The root key is now provided in the file bind.keys allowing DNSSEC
validation to be switched on at start up by adding
"dnssec-validation auto;" to named.conf. If the root key provided
has expired, named will log the expiration and validation will not
work. More information and the most current copy of bind.keys can
be found at http://www.isc.org/bind-keys. *Please note this feature
was actually added in 9.8.0 but was not included in the 9.8.0
release notes. [RT #21727]
* If named is configured with a response policy zone (RPZ) and a
query of type RRSIG is received for a name configured for RRset
replacement in that RPZ, it will trigger an INSIST and crash the
server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user
querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
query type independent. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label can cause named to crash. Now logs that
DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE
OBS-URL: https://build.opensuse.org/request/show/80897
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=70