Revisions of bind

Stephan Kulow (coolo) accepted request 161413 from Marcus Meissner (msmeissn) (revision 88)
- Updated to 9.9.2-P2 (bnc#811876)
  Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266
  * Security Fixes
    Removed the check for regex.h in configure in order to disable regex
    syntax checking, as it exposes BIND to a critical flaw in libregex
    on some platforms. [RT #32688]
- added gpg key source verification
Adrian Schröter (adrianSuSE) committed (revision 87)
Split 12.3 from Factory
Ismail Dönmez (namtrac) accepted request 144433 from Marcus Meissner (msmeissn) (revision 86)
- Updated to 9.9.2-P1 (bnc#792926)
  https://kb.isc.org/article/AA-00828
  * Security Fixes
    Prevents named from aborting with a require assertion failure on
    servers with DNS64 enabled.  These crashes might occur as a result of
    specific queries that are received.  (Note that this fix is a subset
    of a series of updates that will be included in full in BIND 9.8.5
    and 9.9.3 as change #3388, RT #30996).  [CVE-2012-5688] [RT #30792]
    A deliberately constructed combination of records could cause
    named to hang while populating the additional section of a
    response. [CVE-2012-5166] [RT #31090]
    Prevents a named assert (crash) when queried for a record whose
    RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
    Prevents a named assert (crash) when validating caused by using
    "Bad cache" data before it has been initialized. [CVE-2012-3817]
    [RT #30025]
    A condition has been corrected where improper handling of zero-length
    RDATA could cause undesirable behavior, including termination of
    the named process. [CVE-2012-1667]  [RT #29644]
    ISC_QUEUE handling for recursive clients was updated to address a race
    condition that could cause a memory leak. This rarely occurred with
    UDP clients, but could be a significant problem for a server handling
    a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]
  * New Features
    Elliptic Curve Digital Signature Algorithm keys and signatures in
    DNSSEC are now supported per RFC 6605. [RT #21918]
    Introduces a new tool "dnssec-checkds" command that checks a zone to
    determine which DS records should be published in the parent zone,
    or which DLV records should be published in a DLV zone, and queries
    the DNS to ensure that it exists. (Note: This tool depends on python;
Stephan Kulow (coolo) accepted request 141805 from Marcus Meissner (msmeissn) (revision 85)
- added a ratelimiting (draft RFC) patch from Paul Vixie.
  see http://www.redbarn.org/dns/ratelimits
  suggested by Stefan Schaefer <stefan@invis-server.org>
Stephan Kulow (coolo) accepted request 141386 from Marcus Meissner (msmeissn) (revision 84)
- updated to 9.9.2
  https://kb.isc.org/article/AA-00798
  Security:
  * A deliberately constructed combination of records could cause
    named to hang while populating the additional section of a
    response. [CVE-2012-5166] [RT #31090]
  * Prevents a named assert (crash) when queried for a record whose
    RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
  * Prevents a named assert (crash) when validating caused by using "Bad
    cache" data before it has been initialized. [CVE-2012-3817]  [RT #30025]
  * A condition has been corrected where improper handling of zero-length
    RDATA could cause undesirable behavior, including termination of the
    named process. [CVE-2012-1667]  [RT #29644]
  * ISC_QUEUE handling for recursive clients was updated to address a race
    condition that could cause a memory leak. This rarely occurred with
    UDP clients, but could be a significant problem for a server handling
    a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]
  New Features
  * Elliptic Curve Digital Signature Algorithm keys and signatures in
    DNSSEC are now supported per RFC 6605. [RT #21918]
  * Introduces a new tool "dnssec-checkds" command that checks a zone
    to determine which DS records should be published in the parent zone,
    or which DLV records should be published in a DLV zone, and queries
    the DNS to ensure that it exists. (Note: This tool depends on python;
    it will not be built or installed on systems that do not have a python
    interpreter.)  [RT #28099]
  * Introduces a new tool "dnssec-verify" that validates a signed zone,
    checking for the correctness of signatures and NSEC/NSEC3 chains.
    [RT #23673]
  * Adds configuration option "max-rsa-exponent-size <value>;" that can
Ismail Dönmez (namtrac) accepted request 138821 from Marcus Meissner (msmeissn) (revision 83)
- Specially crafted DNS data can cause a lockup in named.
  CVE-2012-5166, bnc#784602.
- 9.9.1-P4
Stephan Kulow (coolo) accepted request 134434 from Marcus Meissner (msmeissn) (revision 82)
- Named could die on specially crafted record.
  [RT #30416] (bnc#780157) CVE-2012-4244
- 9.9.1-P3
- updated dnszone-schema.txt from upstream.
Stephan Kulow (coolo) accepted request 128983 from Uwe Gansert (ug) (revision 81)
- Prevents a named assert (crash) when validating caused by using
  "Bad cache" data before it has been initialized.  [RT #30025]
  (bnc#772945)
- ISC_QUEUE handling for recursive clients was updated to address a
  race condition that could cause a memory leak.  This rarely occurred
  with UDP clients, but could be a significant problem for a server
  handling a steady rate of TCP queries.  [RT #29539 & #30233]
- Under heavy incoming TCP query loads named could experience a
  memory leak which could lead to significant reductions in query
  response or cause the server to be terminated on systems with
  "out of memory" killers. [RT #29539]
  (bnc#772946)
- A condition has been corrected where improper handling of zero-length
  RDATA could cause undesirable behavior, including termination of
  the named process.  [RT #29644]
- 9.9.1-P2

- license update: ISC
  ISC is generally seen as the correct license for bind
Adrian Schröter (adrianSuSE) committed (revision 80)
branched from openSUSE:Factory
Stephan Kulow (coolo) accepted request 123696 from Uwe Gansert (ug) (revision 79)
- updated dnszone-schema.txt

- VUL-0: bind remote DoS via zero length rdata field
  CVE-2012-1667
  bnc#765315
- 9.9.1-P1
Stephan Kulow (coolo) accepted request 121732 from Uwe Gansert (ug) (revision 78)
- this version has no new features but only bugfixes
- Addresses a race condition that can cause named to crash when
  the masters list for a zone is updated via rndc reload/reconfig
- Fixes a race condition in zone.c that can cause named to crash
  during the processing of rndc delzone
- Prevents a named segfault from resolver.c due to procedure
  fctx_finddone() not being thread-safe
- SDB now handles unexpected errors from back-end database drivers
  gracefully instead of exiting on an assert.
- Prevents named crashes as a result of dereferencing a NULL pointer
  in zmgr_start_xfrin_ifquota if the zone was being removed while
  there were zone transfers still pending
- Corrects a parser bug that could cause named to crash while
  reading a malformed zone file
- many more smaller fixes
- version 9.9.1
Stephan Kulow (coolo) accepted request 120594 from Uwe Gansert (ug) (revision 77)
- added patch to fix an assertion failure
Stephan Kulow (coolo) accepted request 116455 from Uwe Gansert (ug) (revision 76)
- many dnssec fixes and features (too many to list them
  here, check the changelog)
- improved startup time
- improved scalability
- Added support for Uniform Resource Identifier (URI) resource
  records
- Local copies of slave zones are now saved in raw format by
  default to improve startup performance
  BIND 9.9 changes the default storage format for slave zone
  files from text to raw.  Because named's behavior when a slave
  server cannot read or parse a zone file is to move the offending
  file out of the way and retransfer the zone, slave servers
  that are updated from a pre-9.9.0 version of BIND and which
  have existing copies of slave zone data may wind up with
  extraneous copies of zone data stored, as the existing
  text-format zone file copies will be moved aside to filenames
  of the format db-###### and journal files to the format
  jn-######  (where # represents a hexadecimal digit.)
- many many bugfixes. Please read changelog for details
- fixed handling of TXT records in ldapdump
  (bnc#743758)
- 9.9.0
Stephan Kulow (coolo) accepted request 106242 from Factory Maintainer (factory-maintainer) (revision 75)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo) accepted request 89350 from Uwe Gansert (ug) (revision 74)
- on a 64bit system a chrooted bind failed to start if 32bit
  libs were installed (bnc#716745)
Adrian Schröter (adrianSuSE) committed (revision 73)
Ruediger Oertel (oertel) accepted request 86242 from Pavol Rusnak (prusnak) (revision 72)
add libtool as buildrequires so we no longer rely on libtool in the project config of factory - it's only needed by <10% of all packages (forwarded request 85954 from coolo)
Lars Vogdt (lrupp) accepted request 82468 from Uwe Gansert (ug) (revision 71)
- very first restart can create broken chroot
  (bnc#718441)
Lars Vogdt (lrupp) accepted request 80897 from Uwe Gansert (ug) (revision 70)
* fixed SSL in chroot environment (bnc#715881)

* Added a new include file with function typedefs for the DLZ
  "dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of
  how named handles them. [RT #24096]
* The root key is now provided in the file bind.keys allowing DNSSEC
  validation to be switched on at start up by adding
  "dnssec-validation auto;" to named.conf. If the root key provided
  has expired, named will log the expiration and validation will not
  work. More information and the most current copy of bind.keys can
  be found at http://www.isc.org/bind-keys. *Please note this feature
  was actually added in 9.8.0 but was not included in the 9.8.0
  release notes. [RT #21727]
* If named is configured with a response policy zone (RPZ) and a
  query of type RRSIG is received for a name configured for RRset
  replacement in that RPZ, it will trigger an INSIST and crash the
  server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user
  querying a domain with very large resource record sets (RRSets)
  when trying to negatively cache the response. Due to an off-by-one
  error, caching the response could cause named to crash. [RT #24650]
  [CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
  with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
  query type independent. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying
  the subdomain of that label can cause named to crash. Now logs that
  DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE
Sascha Peilicke (saschpe) committed (revision 69)
Autobuild autoformatter for 80484