mbox

bind: Update to 9.10.3

Message ID	1446878037-1121-1-git-send-email-matthias.fischer@ipfire.org
State	Accepted
Commit	c15da8c3b5f94d3ced94166eefb9392b86dc9d80
Headers	From: Matthias Fischer <matthias.fischer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] bind: Update to 9.10.3 Date: Sat, 7 Nov 2015 07:33:57 +0100 Message-Id: <1446878037-1121-1-git-send-email-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>

Message

Matthias Fischer Nov. 7, 2015, 5:33 p.m. UTC

  bind: Update to 9.10.3

Security fixes:
An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]

A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]

A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]

On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]

Bug fixes:
Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]

A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]

Some answer formatting options didn't work correctly with dig +short. [RT #39291]

Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]

Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]

The default rrset-order of random was inconsistently applied. [RT #40456]

BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]

Several bugs have been fixed in the RPZ implementation.

For a complete list, see:
https://kb.isc.org/article/AA-01306/0/BIND-9.10.3-Release-Notes.html

Regards,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 lfs/bind | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Michael Tremer Nov. 8, 2015, 12:30 a.m. UTC | #1

Oh dear.

Most of these issues are in the server, which is not used in IPFire,
but I decided to pull this for Core Update 95.

-Michael

On Sat, 2015-11-07 at 07:33 +0100, Matthias Fischer wrote:
> bind: Update to 9.10.3
> 
> Security fixes:
> An incorrect boundary check in the OPENPGPKEY rdatatype could trigger
> an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT
> #40286]
> 
> A buffer accounting error could trigger an assertion failure when
> parsing certain malformed DNSSEC keys.
> This flaw was discovered by Hanno Böck of the Fuzzing Project, and is
> disclosed in CVE-2015-5722. [RT #40212]
> 
> A specially crafted query could trigger an assertion failure in
> message.c.
> This flaw was discovered by Jonathan Foote, and is disclosed in CVE
> -2015-5477. [RT #40046]
> 
> On servers configured to perform DNSSEC validation, an assertion
> failure could be triggered on answers from a specially configured
> server.
> This flaw was discovered by Breno Silveira Soares, and is disclosed
> in CVE-2015-4620. [RT #39795]
> 
> Bug fixes:
> Asynchronous zone loads were not handled correctly when the zone load
> was already in progress; this could trigger a crash in zt.c. [RT
> #37573]
> 
> A race during shutdown or reconfiguration could cause an assertion
> failure in mem.c. [RT #38979]
> 
> Some answer formatting options didn't work correctly with dig +short.
> [RT #39291]
> 
> Malformed records of some types, including NSAP and UNSPEC, could
> trigger assertion failures when loading text zone files. [RT #40274]
> [RT #40285]
> 
> Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
> being removed from the wrong rate limiter queue. [RT #40350]
> 
> The default rrset-order of random was inconsistently applied. [RT
> #40456]
> 
> BADVERS responses from broken authoritative name servers were not
> handled correctly. [RT #40427]
> 
> Several bugs have been fixed in the RPZ implementation.
> 
> For a complete list, see:
> https://kb.isc.org/article/AA-01306/0/BIND-9.10.3-Release-Notes.html
> 
> Regards,
> Matthias
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
>  lfs/bind | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lfs/bind b/lfs/bind
> index 0814cde..6480798 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
>  
>  include Config
>  
> -VER        = 9.10.2-P4
> +VER        = 9.10.3
>  
>  THISAPP    = bind-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 8b1f5064837756c938eadc1537dec5c7
> +$(DL_FILE)_MD5 = d8cbf04a62a139a841d4bf878087a555
>  
>  install : $(TARGET)
>