d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cefb678553
freebsd-skq/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt
Doug Barton c3c441cd46 Update to version 9.6-ESV-R3, the latest from ISC, which addresses 
the following security vulnerabilities.

For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

   Affects resolver operators whose servers are open to potential
   attackers. Triggering the bug will cause the server to crash.

   This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

   Affects resolver operators who are validating with DNSSEC, and
   querying zones which are in a key rollover period. The bug will
   cause answers to incorrectly be marked as insecure.
2010-12-04 05:58:56 +00:00

134 lines
5.2 KiB
Plaintext
Raw Blame History

__________________________________________________________________
Introduction
BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV.
This document summarizes changes from BIND 9.6-ESV-R1 to BIND
9.6-ESV-R3. Please see the CHANGES file in the source code release for
a complete list of all changes.
Download
The latest release of BIND 9 software can always be found on our web
site at http://www.isc.org/software/bind. There you will find
additional information about each release, source code, and some
pre-compiled versions for certain operating systems.
Support
Product support information is available on
http://www.isc.org/services/support for paid support options. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://lists.isc.org/mailman/listinfo.
New Features
9.6-ESV-R2
None.
9.6-ESV-R3
None.
Feature Changes
9.6-ESV-R2
None.
9.6-ESV-R3
None.
Security Fixes
9.6-ESV-R2
None.
9.6-ESV-R3
* Adding a NO DATA signed negative response to cache failed to clear
any matching RRSIG records already in cache. A subsequent lookup of
the cached NO DATA entry could crash named (INSIST) when the
unexpected RRSIG was also returned with the NO DATA cache entry.
[RT #22288] [CVE-2010-3613] [VU#706148]
* BIND, acting as a DNSSEC validator, was determining if the NS RRset
is insecure based on a value that could mean either that the RRset
is actually insecure or that there wasn't a matching key for the
RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
RRset. This can happen when in the middle of a DNSKEY algorithm
rollover, when two different algorithms were used to sign a zone
but only the new set of keys are in the zone DNSKEY RRset. [RT
#22309] [CVE-2010-3614] [VU#837744]
Bug Fixes
9.6-ESV-R2
* Check that named successfully skips NSEC3 records that fail to
match the NSEC3PARAM record currently in use. [RT #21868]
* Worked around a race condition in the cache database memory
handling. Without this fix a DNS cache DB or ADB could incorrectly
stay in an over memory state, effectively refusing further caching,
which subsequently made a BIND 9 caching server unworkable. [RT
#21818]
* BIND did not properly handle non-cacheable negative responses from
insecure zones. This caused several non-protocol-compliant zones to
become unresolvable. BIND is now more accepting of responses it
receives from less strict servers. [RT #21555]
* The resolver could attempt to destroy a fetch context too soon,
resulting in a crash. [RT #19878]
* The placeholder negative caching element was not properly
constructed triggering a crash (INSIST) in dns_ncache_towire(). [RT
#21346]
* Handle the introduction of new trusted-keys and DS, DLV RRsets
better. [RT #21097]
* Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877]
9.6-ESV-R3
* Microsoft changed the behavior of sockets between NT/XP based
stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
behavior, 2008r2 has the new behavior. With the change, different
error results are possible, so ISC adapted BIND to handle the new
error results. This resolves an issue where sockets would shut down
on Windows servers causing named to stop responding to queries. [RT
#21906]
* Windows has non-POSIX compliant behavior in its rename() and
unlink() calls. This caused journal compaction to fail on Windows
BIND servers with the log error: "dns_journal_compact failed:
failure". [RT #22434]
* 'host -D' now turns on debugging messages earlier. [RT #22361]
* isc_print_vsnprintf() failed to check if there was space available
in the buffer when adding a left justified character with a non
zero width, (e.g. "%-1c"). [RT #22270]
* view->queryacl was being overloaded. Seperate the usage into
view->queryacl, view->cacheacl and view->queryonacl. [RT #22114]
* win32: add more dependencies to BINDBuild.dsw. [RT #22062]
* win32: named-checkzone and named-checkconf failed to initialise
winsock. [RT #21932]
* named failed to generate a correct signed response in a optout,
delegation only zone with no secure delegations. [RT #22007]
Known issues in this release
* "make test" will fail on OSX and possibly other operating systems.
The failure occurs in a new test to check for allow-query ACLs. The
failure is caused because the source address is not specified on
the dig commands issued in the test.
If running "make test" is part of your usual acceptance process,
please edit the file bin/tests/system/allow_query/test.sh and add
-b 10.53.0.2
to the DIGOPTS line.
Thank You
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
http://www.isc.org/supportisc.
Reference in New Issue View Git Blame Copy Permalink