From: Tinderbox User Date: Tue, 30 May 2017 22:01:40 +0000 (+0000) Subject: regen v9_9_10_patch X-Git-Tag: v9.9.10-P1~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed08dad79b89c924d3e7170835986300b38f3f86;p=thirdparty%2Fbind9.git regen v9_9_10_patch --- diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 6bb47fce185..ea08934c2d6 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -611,6 +611,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 60c36a9730f..ae4cb37813f 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -160,6 +160,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index ec5947c49e8..5984e2978c2 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -762,6 +762,6 @@ controls { -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index c3d63e86f15..954a1f2c010 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2131,6 +2131,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 5f60edaace6..f690551ca2e 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -146,6 +146,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 99db69042e3..1ea61e0cb0d 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -13199,6 +13199,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 908e178ee63..d8f3daef0a6 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -262,6 +262,6 @@ zone "example.com" { -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index fdbce6afff4..8ca4d42a392 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -145,6 +145,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 89daee7463d..18bcbfaaf97 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,15 +45,12 @@

Table of Contents

-
Release Notes for BIND Version 9.9.10
+
Release Notes for BIND Version 9.9.10-P1
Introduction
Download
New DNSSEC Root Key
Security Fixes
-
Feature Changes
-
Bug Fixes
-
Maintenance
End of Life
Thank You
@@ -61,21 +58,22 @@

-Release Notes for BIND Version 9.9.10

+Release Notes for BIND Version 9.9.10-P1

Introduction

- This document summarizes significant changes since the last - production release of BIND on the corresponding major release - branch. - Please see the CHANGES file for a further list of bug fixes and - other changes. + This document summarizes changes since BIND 9.9.10: +

+

+ BIND 9.9.10-P1 addresses the security issues described in + CVE-2017-3140 and CVE-2017-3141.

+

Download
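Review bot: The rewritten Introduction paragraph drops the sentence "Please see the CHANGES file for a further list of bug fixes and other changes" and puts nothing in its place. The notes now cover only the changes since 9.9.10, so a reader upgrading from an older release has no pointer to the earlier fixes. Suggest keeping the CHANGES sentence, or adding a reference to the 9.9.10 release notes after the new "BIND 9.9.10-P1 addresses the security issues ..." paragraph.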

@@ -124,228 +122,17 @@
  • - rndc "" could trigger an assertion failure - in named. This flaw is disclosed in - (CVE-2017-3138). [RT #44924] -

    -
  • -
  • -

    - Some chaining (i.e., type CNAME or DNAME) responses to upstream - queries could trigger assertion failures. This flaw is disclosed - in CVE-2017-3137. [RT #44734] -

    -
  • -
  • -

    - dns64 with break-dnssec yes; - can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136. [RT #44653] -

    -
  • -
  • -

    - If a server is configured with a response policy zone (RPZ) - that rewrites an answer with local data, and is also configured - for DNS64 address mapping, a NULL pointer can be read - triggering a server crash. This flaw is disclosed in - CVE-2017-3135. [RT #44434] -

    -
  • -
  • -

    - named could mishandle authority sections - with missing RRSIGs, triggering an assertion failure. This - flaw is disclosed in CVE-2016-9444. [RT #43632] -

    -
  • -
  • -

    - named mishandled some responses where - covering RRSIG records were returned without the requested - data, resulting in an assertion failure. This flaw is - disclosed in CVE-2016-9147. [RT #43548] -

    -
  • -
  • -

    - named incorrectly tried to cache TKEY - records which could trigger an assertion failure when there was - a class mismatch. This flaw is disclosed in CVE-2016-9131. - [RT #43522] -

    -
  • -
  • -

    - It was possible to trigger assertions when processing - responses containing answers of type DNAME. This flaw is - disclosed in CVE-2016-8864. [RT #43465] -

    -
  • -
  • -

    - Added the ability to specify the maximum number of records - permitted in a zone (max-records #;). - This provides a mechanism to block overly large zone - transfers, which is a potential risk with slave zones from - other parties, as described in CVE-2016-6170. - [RT #42143] -

    -
  • -
  • -

    - It was possible to trigger an assertion when rendering a - message using a specially crafted request. This flaw is - disclosed in CVE-2016-2776. [RT #43139] -

    -
  • -
  • -

    - Calling getrrsetbyname() with a non- - absolute name could trigger an infinite recursion bug in - lwresd or named with - lwres configured if, when combined with - a search list entry from resolv.conf, - the resulting name is too long. This flaw is disclosed in - CVE-2016-2775. [RT #42694] -

    -
  • -
-
- -
-

-Feature Changes

-
    -
  • -

    - The ISC DNSSEC Lookaside Validation (DLV) service is scheduled - to be disabled in 2017. A warning is now logged when - named is configured to use this service, - either explicitly or via dnssec-lookaside auto;. - [RT #42207] -

    -
  • -
  • -

    - If an ACL is specified with an address prefix in which the - prefix length is longer than the address portion (for example, - 192.0.2.1/8), named will now log a warning. - In future releases this will be a fatal configuration error. - [RT #43367] -

    -
  • -
-
- -
-

-Bug Fixes

-
    -
  • -

    - A synthesized CNAME record appearing in a response before the - associated DNAME could be cached, when it should not have been. - This was a regression introduced while addressing CVE-2016-8864. - [RT #44318] -

    -
  • -
  • -

    - named could deadlock if multiple changes - to NSEC/NSEC3 parameters for the same zone were being processed - at the same time. [RT #42770] -

    -
  • -
  • -

    - named could trigger an assertion when - sending NOTIFY messages. [RT #44019] -

    -
  • -
  • -

    - Windows installs were failing due to triggering UAC without - the installation binary being signed. -

    -
  • -
  • -

    - A change in the internal binary representation of the RBT database - node structure enabled a race condition to occur (especially when - BIND was built with certain compilers or optimizer settings), - leading to inconsistent database state which caused random - assertion failures. [RT #42380] -

    -
  • -
  • -

    - Referencing a nonexistent zone in a response-policy - statement could cause an assertion failure during configuration. - [RT #43787] -

    -
  • -
  • -

    - rndc addzone could cause a crash - when attempting to add a zone with a type other than - master or slave. - Such zones are now rejected. [RT #43665] + The BIND installer on Windows used an unquoted service path, + which can enable privilege escalation. This flaw is disclosed + in CVE-2017-3141. [RT #45229]

  • - named could hang when encountering log - file names with large apparent gaps in version number (for - example, when files exist called "logfile.0", "logfile.1", - and "logfile.1482954169"). This is now handled correctly. - [RT #38688] -

    -
  • -
  • -

    - If a zone was updated while named was - processing a query for nonexistent data, it could return - out-of-sync NSEC3 records causing potential DNSSEC validation - failure. [RT #43247] -

    -
  • -
  • -

    - named could crash when loading a zone - which had RRISG records whose expiry fields were far enough - apart to cause an integer overflow when comparing them. - [RT #40571] -

    -
  • -
  • -

    - The arpaname command was not installed into - the correct prefix/bin - directory. [RT #42910] -

    -
  • -
  • -

    - When receiving a response from an authoritative server with - a TTL value of zero, named> will now only use - that response once, to answer the currently active clients that - were waiting for it. Previously, such response could be cached - and reused for up to one second. [RT #42142] -

    -
  • -
  • -

    - Corrected a bug in the rndc control channel - that could allow a read past the end of a buffer, crashing - named. Thanks to Lian Yihan for reporting - this error. -

    -
  • -
  • -

    - Reverted a change to the query logging format that was - inadvertently backported from the 9.11 branch. [RT #43238] + With certain RPZ configurations, a response with TTL 0 + could cause named to go into an infinite + query loop. This flaw is disclosed in CVE-2017-3140. + [RT #45181]
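Review bot: The new CVE-2017-3141 item in Security Fixes says the Windows installer "used an unquoted service path" but gives no guidance for an installation that already exists. Suggest adding one sentence that states whether installing 9.9.10-P1 over an existing install re-registers the service with a quoted path, or whether the service has to be removed and reinstalled.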

@@ -353,19 +140,6 @@

-Maintenance

-
  • -

    - The built-in root hints have been updated to include - IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b), - E.ROOT-SERVERS.NET (2001:500:a8::e) and - G.ROOT-SERVERS.NET (2001:500:12::d0d). -

    -
-
- -
-

End of Life

BIND 9.9 (Extended Support Version) will be supported until @@ -404,6 +178,6 @@

-

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index c681860a079..8905dd311ba 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -157,6 +157,6 @@
-

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 0c06287d568..9f97413bb22 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -923,6 +923,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index c3a56c04951..386b4c76662 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -580,6 +580,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index 77a01cfcc5b..4c496c56aae 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -176,6 +176,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 1515614e711..6acfc723edf 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -41,7 +41,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.9.10

+

BIND Version 9.9.10-P1

@@ -234,15 +234,12 @@
A. Release Notes
-
Release Notes for BIND Version 9.9.10
+
Release Notes for BIND Version 9.9.10-P1
Introduction
Download
New DNSSEC Root Key
Security Fixes
-
Feature Changes
-
Bug Fixes
-
Maintenance
End of Life
Thank You
@@ -401,6 +398,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index f560d759f8b..e2cc68c8080 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -100,6 +100,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 07a5116baf3..4d19494e4b0 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -224,6 +224,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 3256dd31106..711082d5893 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -950,6 +950,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 04f5bc010e5..3278cf10937 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -160,6 +160,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index c4285f6ee34..b4095f107a5 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -250,6 +250,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index e63aabd7a8f..3be5c31b960 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -298,6 +298,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 0482aad0688..54585251dbe 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -241,6 +241,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index d1c45bc8578..fcfb13760b1 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -454,6 +454,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 4383f0a41da..0b1493b2b01 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -567,6 +567,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 2d2a92482a2..17d9821ff61 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -172,6 +172,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 466cb1d65ad..c795972505a 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -330,6 +330,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 69b72dabec5..596c1e52870 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -684,6 +684,6 @@ db.example.com.signed -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 372dc34bd78..e6ceba69e1c 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -197,6 +197,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 79b8c84c57b..d18e2b2257e 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -136,6 +136,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 23709514efb..4fe6037d567 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -363,6 +363,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index e0e8b53005c..d08db18b4f8 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -135,6 +135,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index 87ea0ffc311..c57dd4b95d3 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -336,6 +336,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index c4695ee37d9..caae3473703 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -201,6 +201,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 1b48ed8b1f4..cab1bf4ebe7 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -447,6 +447,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index f8d8f738405..c4ac6ef374d 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -126,6 +126,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 99a48478ff5..e0cc5b26f19 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -731,6 +731,6 @@ zone -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 322ff476d91..3ec85d0d0aa 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -457,6 +457,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index c9e2e891c3c..557a98794af 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -136,6 +136,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index bc2373a3113..ac058a28ffc 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -774,6 +774,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index a9457390a95..09c207fbc0d 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -275,6 +275,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index e2df8025075..c0d1ce81f51 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -276,6 +276,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 1b9152971e5..622bed567df 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -676,6 +676,6 @@ -

BIND 9.9.10 (Extended Support Version)

+

BIND 9.9.10-P1 (Extended Support Version)

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 5e0ef9dc989..0430d159ca8 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -23,21 +23,22 @@

-Release Notes for BIND Version 9.9.10

+Release Notes for BIND Version 9.9.10-P1

Introduction

- This document summarizes significant changes since the last - production release of BIND on the corresponding major release - branch. - Please see the CHANGES file for a further list of bug fixes and - other changes. + This document summarizes changes since BIND 9.9.10: +

+

+ BIND 9.9.10-P1 addresses the security issues described in + CVE-2017-3140 and CVE-2017-3141.

+

Download
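Review bot: In the new Introduction text, "This document summarizes changes since BIND 9.9.10:" ends in a colon, but what follows is a separate paragraph rather than a list. Suggest ending the sentence with a period, or merging it with the "BIND 9.9.10-P1 addresses the security issues ..." paragraph.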

@@ -86,228 +87,17 @@
  • - rndc "" could trigger an assertion failure - in named. This flaw is disclosed in - (CVE-2017-3138). [RT #44924] -

    -
  • -
  • -

    - Some chaining (i.e., type CNAME or DNAME) responses to upstream - queries could trigger assertion failures. This flaw is disclosed - in CVE-2017-3137. [RT #44734] -

    -
  • -
  • -

    - dns64 with break-dnssec yes; - can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136. [RT #44653] -

    -
  • -
  • -

    - If a server is configured with a response policy zone (RPZ) - that rewrites an answer with local data, and is also configured - for DNS64 address mapping, a NULL pointer can be read - triggering a server crash. This flaw is disclosed in - CVE-2017-3135. [RT #44434] -

    -
  • -
  • -

    - named could mishandle authority sections - with missing RRSIGs, triggering an assertion failure. This - flaw is disclosed in CVE-2016-9444. [RT #43632] -

    -
  • -
  • -

    - named mishandled some responses where - covering RRSIG records were returned without the requested - data, resulting in an assertion failure. This flaw is - disclosed in CVE-2016-9147. [RT #43548] -

    -
  • -
  • -

    - named incorrectly tried to cache TKEY - records which could trigger an assertion failure when there was - a class mismatch. This flaw is disclosed in CVE-2016-9131. - [RT #43522] -

    -
  • -
  • -

    - It was possible to trigger assertions when processing - responses containing answers of type DNAME. This flaw is - disclosed in CVE-2016-8864. [RT #43465] -

    -
  • -
  • -

    - Added the ability to specify the maximum number of records - permitted in a zone (max-records #;). - This provides a mechanism to block overly large zone - transfers, which is a potential risk with slave zones from - other parties, as described in CVE-2016-6170. - [RT #42143] -

    -
  • -
  • -

    - It was possible to trigger an assertion when rendering a - message using a specially crafted request. This flaw is - disclosed in CVE-2016-2776. [RT #43139] -

    -
  • -
  • -

    - Calling getrrsetbyname() with a non- - absolute name could trigger an infinite recursion bug in - lwresd or named with - lwres configured if, when combined with - a search list entry from resolv.conf, - the resulting name is too long. This flaw is disclosed in - CVE-2016-2775. [RT #42694] -

    -
  • -
-
- -
-

-Feature Changes

-
    -
  • -

    - The ISC DNSSEC Lookaside Validation (DLV) service is scheduled - to be disabled in 2017. A warning is now logged when - named is configured to use this service, - either explicitly or via dnssec-lookaside auto;. - [RT #42207] -

    -
  • -
  • -

    - If an ACL is specified with an address prefix in which the - prefix length is longer than the address portion (for example, - 192.0.2.1/8), named will now log a warning. - In future releases this will be a fatal configuration error. - [RT #43367] -

    -
  • -
-
- -
-

-Bug Fixes

-
    -
  • -

    - A synthesized CNAME record appearing in a response before the - associated DNAME could be cached, when it should not have been. - This was a regression introduced while addressing CVE-2016-8864. - [RT #44318] -

    -
  • -
  • -

    - named could deadlock if multiple changes - to NSEC/NSEC3 parameters for the same zone were being processed - at the same time. [RT #42770] -

    -
  • -
  • -

    - named could trigger an assertion when - sending NOTIFY messages. [RT #44019] -

    -
  • -
  • -

    - Windows installs were failing due to triggering UAC without - the installation binary being signed. -

    -
  • -
  • -

    - A change in the internal binary representation of the RBT database - node structure enabled a race condition to occur (especially when - BIND was built with certain compilers or optimizer settings), - leading to inconsistent database state which caused random - assertion failures. [RT #42380] -

    -
  • -
  • -

    - Referencing a nonexistent zone in a response-policy - statement could cause an assertion failure during configuration. - [RT #43787] -

    -
  • -
  • -

    - rndc addzone could cause a crash - when attempting to add a zone with a type other than - master or slave. - Such zones are now rejected. [RT #43665] + The BIND installer on Windows used an unquoted service path, + which can enable privilege escalation. This flaw is disclosed + in CVE-2017-3141. [RT #45229]

  • - named could hang when encountering log - file names with large apparent gaps in version number (for - example, when files exist called "logfile.0", "logfile.1", - and "logfile.1482954169"). This is now handled correctly. - [RT #38688] -

    -
  • -
  • -

    - If a zone was updated while named was - processing a query for nonexistent data, it could return - out-of-sync NSEC3 records causing potential DNSSEC validation - failure. [RT #43247] -

    -
  • -
  • -

    - named could crash when loading a zone - which had RRISG records whose expiry fields were far enough - apart to cause an integer overflow when comparing them. - [RT #40571] -

    -
  • -
  • -

    - The arpaname command was not installed into - the correct prefix/bin - directory. [RT #42910] -

    -
  • -
  • -

    - When receiving a response from an authoritative server with - a TTL value of zero, named> will now only use - that response once, to answer the currently active clients that - were waiting for it. Previously, such response could be cached - and reused for up to one second. [RT #42142] -

    -
  • -
  • -

    - Corrected a bug in the rndc control channel - that could allow a read past the end of a buffer, crashing - named. Thanks to Lian Yihan for reporting - this error. -

    -
  • -
  • -

    - Reverted a change to the query logging format that was - inadvertently backported from the 9.11 branch. [RT #43238] + With certain RPZ configurations, a response with TTL 0 + could cause named to go into an infinite + query loop. This flaw is disclosed in CVE-2017-3140. + [RT #45181]
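Review bot: The new CVE-2017-3140 item says "With certain RPZ configurations" without naming them, so an operator cannot tell from the release notes whether a given server is affected. Suggest naming the affected RPZ settings or referring the reader to the advisory for the exact conditions. The list also gives CVE-2017-3141 before CVE-2017-3140, while the Introduction names them in the opposite order; using one order in both places would read more cleanly.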

@@ -315,19 +105,6 @@

-Maintenance

-
  • -

    - The built-in root hints have been updated to include - IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b), - E.ROOT-SERVERS.NET (2001:500:a8::e) and - G.ROOT-SERVERS.NET (2001:500:12::d0d). -

    -
-
- -
-

End of Life

BIND 9.9 (Extended Support Version) will be supported until