For details see:
https://downloads.isc.org/isc/bind9/9.11.18/RELEASE-NOTES-bind-9.11.18.html
"Security Fixes
DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding
DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]
Known Issues
We have received reports that in some circumstances, receipt of an IXFR can cause
the processing of queries to slow significantly. Some of these were related to RPZ
processing, which has been fixed in this release (see below). Others appear to occur
where there are NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated. [GL #1685]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.17/RELEASE-NOTES-bind-9.11.17.html
"Notes for BIND 9.11.17
Feature Changes
The configure option --with-libxml2 now uses pkg-config to detect
libxml2 library availability. You will either have to install pkg-config
or specify the exact path where libxml2 has been installed on your
system. [GL #1635]
Bug Fixes
Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.11/RELEASE-NOTES-bind-9.11.11.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
...
Bug Fixes
Glue address records were not being returned in responses to root priming
queries; this has been corrected. [GL #1092]
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are zero.
[GL #1159]
named-checkconf could crash during configuration if configured to use "geoip
continent" ACLs with legacy GeoIP. [GL #1163]
named-checkconf now correctly reports missing dnstap-output option when dnstap
is set. [GL #1136]
Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #1133]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Hi,
To save space linking the 'bind 9.11.5'-binaries was changed from statically to dynamically.
Changes to V2:
Removed unnecessary '*.so'-links.
Complete file sizes shrinked from ~4800K to ~1700K. Needs testing and confirmation!
I'm running this version right now under Core 124 - no seen problems so far.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html
Security fixes:
"named could crash during recursive processing of DNAME records when
deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
When recursion is enabled but the allow-recursion and allow-query-cache ACLs are
not specified, they should be limited to local networks, but they were
inadvertently set to match the default allow-query, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.1/RELEASE-NOTES-bind-9.11.1.html
"Security Fixes
rndc "" could trigger an assertion failure in named. This flaw is disclosed
in (CVE-2017-3138). [RT #44924]
Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could
trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]
dns64 with break-dnssec yes; can result in an assertion failure. This flaw is
disclosed in CVE-2017-3136. [RT #44653]
If a server is configured with a response policy zone (RPZ) that rewrites an
answer with local data, and is also configured for DNS64 address mapping, a NULL
pointer can be read triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion failure
if the redirection namespace was served from a local authoritative data source such
as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in
CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an
assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned without
the requested data, resulting in an assertion failure. This flaw is disclosed in
CVE-2016-9147. [RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion failure
when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing responses containing answers of
type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
Added the ability to specify the maximum number of records permitted in a zone
(max-records #;). This provides a mechanism to block overly large zone transfers, which
is a potential risk with slave zones from other parties, as described in CVE-2016-6170.
[RT #42143]
Bug Fixes
A synthesized CNAME record appearing in a response before the associated DNAME could be
cached, when it should not have been. This was a regression introduced while addressing
CVE-2016-8864. [RT #44318]
named could deadlock if multiple changes to NSEC/NSEC3 parameters for the same zone were
being processed at the same time. [RT #42770]
named could trigger an assertion when sending NOTIFY messages. [RT #44019]
Referencing a nonexistent zone in a response-policy statement could cause an assertion
failure during configuration. [RT #43787]
rndc addzone could cause a crash when attempting to add a zone with a type other than
master or slave. Such zones are now rejected. [RT #43665]
named could hang when encountering log file names with large apparent gaps in version
number (for example, when files exist called "logfile.0", "logfile.1", and
"logfile.1482954169"). This is now handled correctly. [RT #38688]
If a zone was updated while named was processing a query for nonexistent data, it could
return out-of-sync NSEC3 records causing potential DNSSEC validation failure. [RT #43247]"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html
"BIND 9.11.0-P5 addresses the security issues described in CVE-2017-3136,
CVE-2017-3137, and CVE-2017-3138, and updates the built-in trusted keys for the root zone.
Security Fixes
rndc "" could trigger an assertion failure in named. This flaw is disclosed in
(CVE-2017-3138). [RT #44924]
Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could
trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]
dns64 with break-dnssec yes; can result in an assertion failure. This flaw is
disclosed in CVE-2017-3136. [RT #44653]
If a server is configured with a response policy zone (RPZ) that rewrites an
answer with local data, and is also configured for DNS64 address mapping, a NULL
pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135.
[RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion failure if
the redirection namespace was served from a local authoritative data source such as a
local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in
CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an assertion
failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned without the
requested data, resulting in an assertion failure. This flaw is disclosed in
CVE-2016-9147. [RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion failure
when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing responses containing answers of
type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
Bug Fixes
A synthesized CNAME record appearing in a response before the associated DNAME could be
cached, when it should not have been. This was a regression introduced while addressing
CVE-2016-8864. [RT #44318]
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P3/RELEASE-NOTES-bind-9.11.0-P3.html
"BIND 9.11.0-P3 addresses the security issue described in CVE-2017-3135,
and fixes a regression introduced in a prior security release.
BIND 9.11.0-P2 addresses the security issues described in CVE-2016-9131,
CVE-2016-9147, CVE-2016-9444 and CVE-2016-9778.
BIND 9.11.0-P1 addresses the security issue described in CVE-2016-8864.
...
Security Fixes
If a server is configured with a response policy zone (RPZ) that rewrites an
answer with local data, and is also configured for DNS64 address mapping, a
NULL pointer can be read triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion
failure if the redirection namespace was served from a local authoritative
data source such as a local zone or a DLZ instead of via recursive lookup.
This flaw is disclosed in CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an
assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned
without the requested data, resulting in an assertion failure. This flaw is
disclosed in CVE-2016-9147.
[RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion
failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131.
[RT #43522]
It was possible to trigger assertions when processing responses containing answers
of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P2/RELEASE-NOTES-bind-9.11.0-P2.html
"BIND 9.11.0-P2 addresses the security issues described in CVE-2016-9131, CVE-2016-9147,
CVE-2016-9444 and CVE-2016-9778.
...
Security Fixes
A coding error in the nxdomain-redirect feature could lead to an assertion failure if the
redirection namespace was served from a local authoritative data source such as a local zone
or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT
Named could mishandle authority sections that were missing RRSIGs triggering an assertion
failure. This flaw is disclosed in CVE-2016-9444. [RT # 43632]
Named mishandled some responses where covering RRSIG records are returned without the
requested data resulting in a assertion failure. This flaw is disclosed in CVE-2016-9147.
[RT #43548]
Named incorrectly tried to cache TKEY records which could trigger a assertion failure when
there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing a response. This flaw is disclosed in
CVE-2016-8864. [RT #43465]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog (excerpt):
[security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088) [RT #41809]
[security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
[security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog (excerpt):
[bug] Fixed a regression in resolver.c:possibly_mark()
which caused known-bogus servers to be queried
anyway. [RT #41321]
[security] render_ecs errors were mishandled when printing out
a OPT record resulting in a assertion failure.
(CVE-2015-8705) [RT #41397]
[security] Specific APL data could trigger a INSIST.
(CVE-2015-8704) [RT #41396]
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog:
[security]
Update allowed OpenSSL versions as named is potentially
vulnerable to CVE-2015-3193.
[maint]
H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]
[security]
Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
[security]
Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
bind: Update to 9.10.3
Security fixes:
An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
Bug fixes:
Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]
Some answer formatting options didn't work correctly with dig +short. [RT #39291]
Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]
Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]
The default rrset-order of random was inconsistently applied. [RT #40456]
BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]
Several bugs have been fixed in the RPZ implementation.
For a complete list, see:
https://kb.isc.org/article/AA-01306/0/BIND-9.10.3-Release-Notes.html
Regards,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Server. Habe damit schon begonnen. Bisher aber leider nur die Pakete von
A bis B einschliesslich. Ich hoffe da macht jemand anderes weiter.
Hinzu sind die Pakete, deren Mirrors ausgefallen sind, schon umgezogen.
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@131 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
