Revisions of bind
Dominique Leuenberger (dimstar_suse) accepted request 319467 from Lars Müller (lmuelle) (revision 108)
- Update to version 9.10.2-P3
  Security Fixes
  * A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #39795]
  * On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
  Bug Fixes
  * Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
  * Several bugs have been fixed in the RPZ implementation:
    + Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229]
    + The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415]
    + On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]
    + The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]
    + The server could crash if a reload of an RPZ zone was initiated while
Stephan Kulow (coolo) accepted request 317302 from Factory Maintainer (factory-maintainer) (revision 107)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo) accepted request 313681 from Factory Maintainer (factory-maintainer) (revision 106)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo) accepted request 305964 from Lars Müller (lmuelle) (revision 105)
- Depend on systemd macros and sysvinit on post-12.3 only.
- Create empty lwresd.conf at build time.
- Reduce file list pre-13.1.
- Update to version 9.10.2
- Handle timeout in legacy system test. [RT #38573]
- dns_rdata_freestruct could be called on an uninitialised structure when handling an error. [RT #38568]
- Addressed valgrind warnings. [RT #38549]
- UDP dispatches could use the wrong pseudorandom number generator context. [RT #38578]
- Fixed several small bugs in automatic trust anchor management, including a memory leak and a possible loss of key state information. [RT #38458]
- 'dnssec-dsfromkey -T 0' failed to add ttl field. [RT #38565]
- Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344]
- Fix a leak of query fetchlock. [RT #38454]
- Fix a leak of pthread_mutexattr_t. [RT #38454]
- RPZ could send spurious SERVFAILs in response to duplicate queries. [RT #38510]
- CDS and CDNSKEY had the wrong attributes. [RT #38491]
- adb hash table was not being grown. [RT #38470]
- Update bind.keyring
- Update baselibs.conf due to updates to libdns160 and libisc148
- Enable export libraries to support plugin development. Install DNSSEC root key. Expose new interface for developing dynamic zone database.
  + dns_dynamic_db.patch
Dominique Leuenberger (dimstar_suse) accepted request 285623 from Marcus Meissner (msmeissn) (revision 104)
- PowerPC can build shared libraries for sure. idnkit-powerpc-ltconfig.patch (forwarded request 285468 from k0da)
Dominique Leuenberger (dimstar_suse) accepted request 282345 from Factory Maintainer (factory-maintainer) (revision 103)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 264811 from Lars Müller (lmuelle) (revision 102)
- Corrections to baselibs.conf
- Update to version 9.10.1-P1
- A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500); (bnc#908994). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580]
- When geoip-directory was reconfigured during named run-time, the previously loaded GeoIP data could remain, potentially causing wrong ACLs to be used or wrong results to be served based on geolocation (CVE-2014-8680). [RT #37720]; (bnc#908995).
- Lookups in GeoIP databases that were not loaded could cause an assertion failure (CVE-2014-8680). [RT #37679]; (bnc#908995).
- The caching of GeoIP lookups did not always handle address families correctly, potentially resulting in an assertion failure (CVE-2014-8680). [RT #37672]; (bnc#908995).
- Convert some hard PreReq to leaner Requires(pre).
- Typographical and orthographic fixes to description texts.
- Fix bashisms in the createNamedConfInclude script.
- Post scripts: remove '-e' option of 'echo' that may be unsupported in some POSIX-compliant shells.
- Add openssl engines to the lwresd chroot.
- Add /etc/lwresd.conf with attribute ghost to the list of files.
Adrian Schröter (adrianSuSE) committed (revision 100)
Split 13.2 from Factory
Stephan Kulow (coolo) accepted request 236023 from Sascha Peilicke (saschpe) (revision 98)
add stuff for DNSSEC validation to named.conf (forwarded request 235970 from computersalat)
Stephan Kulow (coolo) accepted request 233016 from Reinhard Max (rmax) (revision 97)
- use %_rundir macro
- Remove obsolete patch "workaround-compile-problem.diff"
Stephan Kulow (coolo) accepted request 215020 from Reinhard Max (rmax) (revision 96)
- Add the sdb-ldap backend module (fate#313216).
- Details can be found here:
  * http://bind9-ldap.bayour.com/
  * http://bind9-ldap.bayour.com/dnszonehowto.html
- Update to version 9.9.4P2
  * Fixes named crash when handling malformed NSEC3-signed zones (CVE-2014-0591, bnc#858639)
  * Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now supported upstream (--enable-rrl).
Stephan Kulow (coolo) accepted request 210487 from Reinhard Max (rmax) (revision 95)
- Fix generation of /etc/named.conf.include (bnc#828678, bnc#848777, bnc#814978).
Adrian Schröter (adrianSuSE) committed (revision 94)
Split 13.1 from Factory
Tomáš Chvátal (scarabeus_factory) accepted request 186266 from Reinhard Max (rmax) (revision 93)
- Systemd doesn't set $TERM, and hence breaks tput (bnc#823175).
- Improve pie_compile.diff (bnc#828874).
- dnssec-checkds and dnssec-coverage need python-base.
- disable rpath in libtool.
- Update to 9.9.3P2 fixes CVE-2013-4854, bnc#831899.
  * Incorrect bounds checking on private type 'keydata' can lead to a remotely triggerable REQUIRE failure.
Stephan Kulow (coolo) accepted request 184213 from Reinhard Max (rmax) (revision 92)
- Remove non-working apparmor profiles (bnc#740327).
Stephan Kulow (coolo) accepted request 181326 from Marcus Meissner (msmeissn) (revision 90)
- Updated to 9.9.3-P1
  Various bugfixes and some feature fixes. (see CHANGES files)
  Security and maintenance issues:
  - [security] Caching data from an incompletely signed zone could trigger an assertion failure in resolver.c [RT #33690]
  - [security] Support NAPTR regular expression validation on all platforms without using libregex, which can be vulnerable to memory exhaustion attack (CVE-2013-2266). [RT #32688]
  - [security] RPZ rules to generate A records (but not AAAA records) could trigger an assertion failure when used in conjunction with DNS64 (CVE-2012-5689). [RT #32141]
  - [bug] Fixed several Coverity warnings. Note: This change includes a fix for a bug that was subsequently determined to be an exploitable security vulnerability, CVE-2012-5688: named could die on specific queries with dns64 enabled. [RT #30996]
  - [maint] Added AAAA for D.ROOT-SERVERS.NET.
  - [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
- Updated to current rate limiting + rpz patch from http://ss.vix.su/~vjs/rrlrpz.html
- moved dnssec-* helpers to bind-utils package. bnc#813911
Stephan Kulow (coolo) accepted request 174827 from Marcus Meissner (msmeissn) (revision 89)
- Use updated config.guess/sub in the embedded idnkit sources (forwarded request 174818 from Andreas_Schwab)