Commit Graph

15 Commits

Author SHA1 Message Date
Doug Barton
56a78b5211 Vendor import of 9.4.1-P1, which has fixes for the following:
1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925

2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.

All users are encouraged to upgrade.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926

Approved by:	re (kensmith, implicit)
2007-07-25 08:12:36 +00:00
Doug Barton
c197e4d678 Add a custom atomic.h file which implements the C versions of the
code we already have assembly versions of.

Written by:	imp
2007-06-05 22:15:38 +00:00
Doug Barton
141cfa5029 Vendor import of BIND 9.4.1 2007-06-02 23:21:47 +00:00
Doug Barton
fa5fb0343e Vendor import of BIND 9.3.4 2007-01-29 18:31:57 +00:00
Doug Barton
fcb35ad9ef Remove from the vendor branch files that are no longer in the
9.3.3 sources.
2006-12-10 07:12:50 +00:00
Doug Barton
e99fbbb680 Vendor import of BIND 9.3.3 2006-12-10 07:09:56 +00:00
Doug Barton
a02f92e875 Update to version 9.3.2-P2, which addresses the vulnerability
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list on 2 November):

Description:
        Because of OpenSSL's recently announced vulnerabilities
        (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
        we are announcing this workaround and releasing patches.  A proof of
        concept attack on OpenSSL has been demonstrated for CAN-2006-4339.

        OpenSSL is required to use DNSSEC with BIND.

Fix for version 9.3.2-P1 and lower:
        Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and
        RSAMD5 keys for all old keys using the old default exponent
        and perform a key rollover to these new keys.

        These versions also change the default RSA exponent to be
        65537 which is not vulnerable to the attacks described in
        CAN-2006-4339.
2006-11-04 07:53:25 +00:00
Doug Barton
42b74b2549 Vendor import of BIND 9.3.2-P1, which addresses the following security
vulnerabilities:

http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
2066.  [security]      Handle SIG queries gracefully. [RT #16300]

http://www.kb.cert.org/vuls/id/697164
1941.  [bug]           ncache_adderesult() should set eresult even if no
                       rdataset is passed to it. [RT #15642]

All users of BIND 9 are encouraged to upgrade to this version.
2006-09-06 21:27:11 +00:00
Doug Barton
b824835191 After some discussion with the folks at ISC, it turns out that the _ai_pad
part of the structure was a hack to maintain binary compatibility with
Sun binaries, and my understanding is that it's not needed generally
on sparc systems running other operating systems. Therefore, hide this
code behind the same set of tests as in lib/bind/include/netdb.h.

This file is being imported on the vendor branch because a similar change
(or change with similar effect) will be in the next version of BIND 9.

This change will not affect other platforms in any way.
2006-01-04 19:18:43 +00:00
Doug Barton
a00aca3467 Vendor import of BIND 9.3.2 2005-12-29 04:22:58 +00:00
Doug Barton
adaaaab975 Update the vendor branch with a patch to this file that was
researched by glebius, and incorporated by ISC into the next
version of BIND. Unfortunately, it looks like their release
will come after the release of FreeBSD 6, so we will bring
this in now.

The patch addresses a problem with high-load resolvers which
hit memory barriers. Without this patch, running the resolving
name server out of memory would lead to "unpredictable results."

Of course, the canonical answer to this problem is to put more
memory into the system, however that is not always possible, and
the code should be able to handle this situation gracefully in
any case.
2005-08-18 18:39:31 +00:00
Doug Barton
94b2911216 Remove files from the vendor branch that were [re]moved in 9.3.1 2005-03-17 08:10:34 +00:00
Doug Barton
6bc6438a36 Vendor import of BIND 9.3.1 2005-03-17 08:04:02 +00:00
Tom Rhodes
64aa1955c5 Vendor import of BIND 9.3.0rc4.
These three files were missed in the original import because their names
contained the magic letters w, i and n in that sequence.
2004-09-19 18:34:53 +00:00
Tom Rhodes
b1e4bd53e0 Vender import of BIND 9.3.0rc4. 2004-09-19 01:30:24 +00:00