Revisions of bind
Stephan Kulow (coolo)
accepted
request 161413
from
Marcus Meissner (msmeissn)
(revision 88)
- Updated to 9.9.2-P2 (bnc#811876)
  Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266
  * Security Fixes
    Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688]
- added gpg key source verification
Adrian Schröter (adrianSuSE)
committed
(revision 87)
Split 12.3 from Factory
Ismail Dönmez (namtrac)
accepted
request 144433
from
Marcus Meissner (msmeissn)
(revision 86)
- Updated to 9.9.2-P1 (bnc#792926)
  https://kb.isc.org/article/AA-00828
  * Security Fixes
    Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
    A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
    Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
    Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
    A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
    ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
  New Features
    Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
    Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python;
Stephan Kulow (coolo)
accepted
request 141805
from
Marcus Meissner (msmeissn)
(revision 85)
- added a ratelimiting (draft RFC) patch from Paul Vixie. see http://www.redbarn.org/dns/ratelimits suggested by Stefan Schaefer <stefan@invis-server.org>
Stephan Kulow (coolo)
accepted
request 141386
from
Marcus Meissner (msmeissn)
(revision 84)
- updated to 9.9.2
  https://kb.isc.org/article/AA-00798
  Security:
  * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
  * Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
  * Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
  * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
  * ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
  New Features
  * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
  * Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
  * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
  * Adds configuration option "max-rsa-exponent-size <value>;" that can
Ismail Dönmez (namtrac)
accepted
request 138821
from
Marcus Meissner (msmeissn)
(revision 83)
- Specially crafted DNS data can cause a lockup in named. CVE-2012-5166, bnc#784602.
- 9.9.1-P4
Stephan Kulow (coolo)
accepted
request 134434
from
Marcus Meissner (msmeissn)
(revision 82)
- Named could die on specially crafted record. [RT #30416] (bnc#780157) CVE-2012-4244
- 9.9.1-P3
- updated dnszone-schema.txt from upstream.
Stephan Kulow (coolo)
accepted
request 128983
from
Uwe Gansert (ug)
(revision 81)
- Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [RT #30025] (bnc#772945)
- ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [RT #29539 & #30233]
- Under heavy incoming TCP query loads named could experience a memory leak which could lead to significant reductions in query response or cause the server to be terminated on systems with "out of memory" killers. [RT #29539] (bnc#772946)
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]
- 9.9.1-P2
- license update: ISC
  ISC is generally seen as the correct license for bind
Adrian Schröter (adrianSuSE)
committed
(revision 80)
branched from openSUSE:Factory
Stephan Kulow (coolo)
accepted
request 123696
from
Uwe Gansert (ug)
(revision 79)
- updated dnszone-schema.txt
- VUL-0: bind remote DoS via zero length rdata field CVE-2012-1667 bnc#765315
- 9.9.1-P1
Stephan Kulow (coolo)
accepted
request 121732
from
Uwe Gansert (ug)
(revision 78)
- this version has no new features but only bugfixes
- Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig
- Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone
- Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe
- SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert.
- Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending
- Corrects a parser bug that could cause named to crash while reading a malformed zone file
- many more smaller fixes
- version 9.9.1
Stephan Kulow (coolo)
accepted
request 120594
from
Uwe Gansert (ug)
(revision 77)
- added patch to fix an assertion failure
Stephan Kulow (coolo)
accepted
request 116455
from
Uwe Gansert (ug)
(revision 76)
- many dnssec fixes and features (too many to list them here, check the changelog)
- improved startup time
- improved scalability
- Added support for Uniform Resource Identifier (URI) resource records
- Local copies of slave zones are now saved in raw format by default to improve startup performance
  BIND 9.9 changes the default storage format for slave zone files from text to raw. Because named's behavior when a slave server cannot read or parse a zone file is to move the offending file out of the way and retransfer the zone, slave servers that are updated from a pre-9.9.0 version of BIND and which have existing copies of slave zone data may wind up with extraneous copies of zone data stored, as the existing text-format zone file copies will be moved aside to filenames of the format db-###### and journal files to the format jn-###### (where # represents a hexadecimal digit.)
- many many bugfixes. Please read changelog for details
- fixed handling of TXT records in ldapdump (bnc#743758)
- 9.9.0
Stephan Kulow (coolo)
accepted
request 106242
from
Factory Maintainer (factory-maintainer)
(revision 75)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo)
accepted
request 89350
from
Uwe Gansert (ug)
(revision 74)
- on a 64bit system a chrooted bind failed to start if 32bit libs were installed (bnc#716745)
Adrian Schröter (adrianSuSE)
committed
(revision 73)
Ruediger Oertel (oertel)
accepted
request 86242
from
Pavol Rusnak (prusnak)
(revision 72)
add libtool as buildrequires so we no longer rely on libtool in the project config of factory - it's only needed by <10% of all packages (forwarded request 85954 from coolo)
Lars Vogdt (lrupp)
accepted
request 82468
from
Uwe Gansert (ug)
(revision 71)
- very first restart can create broken chroot (bnc#718441)
Lars Vogdt (lrupp)
accepted
request 80897
from
Uwe Gansert (ug)
(revision 70)
* fixed SSL in chroot environment (bnc#715881)
* Added a new include file with function typedefs for the DLZ "dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of how named handles them. [RT #24096]
* The root key is now provided in the file bind.keys allowing DNSSEC validation to be switched on at start up by adding "dnssec-validation auto;" to named.conf. If the root key provided has expired, named will log the expiration and validation will not work. More information and the most current copy of bind.keys can be found at http://www.isc.org/bind-keys. *Please note this feature was actually added in 9.8.0 but was not included in the 9.8.0 release notes. [RT #21727]
* If named is configured with a response policy zone (RPZ) and a query of type RRSIG is received for a name configured for RRset replacement in that RPZ, it will trigger an INSIST and crash the server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache the response. Due to an off-by-one error, caching the response could cause named to crash. [RT #24650] [CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label with QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type independent. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying the subdomain of that label can cause named to crash. Now logs that DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE
Sascha Peilicke (saschpe)
committed
(revision 69)
Autobuild autoformatter for 80484