4508. [security] Named incorrectly tried to cache TKEY records which
authorMark Andrews <marka@isc.org>
Thu, 29 Dec 2016 00:07:40 +0000 (11:07 +1100)
committerMark Andrews <marka@isc.org>
Thu, 29 Dec 2016 00:29:41 +0000 (11:29 +1100)
                            could trigger an assertion failure when there was
                            a class mismatch. (CVE-2016-9131) [RT #43522]

(cherry picked from commit 2c1c4b99a127a0f34e10fe27324d552ccbc54e04)

CHANGES
README
doc/arm/notes.xml
lib/dns/resolver.c

diff --git a/CHANGES b/CHANGES
index b993dabdffe777c5660dc63c89f69018b8f54a10..1e4f74b87e444efa889ee8e8c7ea1a3bf4e16ae1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 4509.  [test]          Make the rrl system test more reliable on slower
                        machines by using mdig instead of dig. [RT #43280]
 
+4508.  [security]      Named incorrectly tried to cache TKEY records which
+                       could trigger a assertion failure when there was
+                       a class mismatch. (CVE-2016-9131) [RT #43522]
+
 4507.  [bug]           Named could incorrectly log 'allows updates by IP
                        address, which is insecure' [RT #43432]
 
diff --git a/README b/README
index 25a9b95c3f0b8bf9d6ca26f2604ee58e0dda6b0e..a2f5df802077f30ba0bb4889697781c2842138a1 100644 (file)
--- a/README
+++ b/README
@@ -51,6 +51,11 @@ BIND 9
        For up-to-date release notes and errata, see
        http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.10.5
+       
+       BIND 9.10.5 is a maintenance release and addresses the security
+       flaws disclosed in CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131.
+
 BIND 9.10.4
 
        BIND 9.10.4 is a maintenance release and addresses bugs
index e3962f1943a2155623f6a607dcfad99df09c6cbe..e4431eda92a647b7beeab81c82ed37e36553552b 100644 (file)
          prefix.
        </para>
       </listitem>
+      <listitem>
+       <para>
+         Named incorrectly tried to cache TKEY records which could
+         trigger a assertion failure when there was a class mismatch.
+         This flaw is disclosed in CVE-2016-9131.  [RT #43522]
+       </para>
+      </listitem>
     </itemizedlist>
   </section>
 
index f04aa75ac3ad516936c0735ff157b2e4866a83ec..a013f19eeaa7ef735aefbc2a4b5036dbbaf5ead5 100644 (file)
@@ -6809,6 +6809,19 @@ answer_response(fetchctx_t *fctx) {
                                        log_formerr(fctx, "NSEC3 in answer");
                                        return (DNS_R_FORMERR);
                                }
+                               if (rdataset->type == dns_rdatatype_tkey) {
+                                       /*
+                                        * TKEY is not a valid record in a
+                                        * response to any query we can make.
+                                        */
+                                       log_formerr(fctx, "TKEY in answer");
+                                       return (DNS_R_FORMERR);
+                               }
+                               if (rdataset->rdclass != fctx->res->rdclass) {
+                                       log_formerr(fctx, "Mismatched class "
+                                                   "in answer");
+                                       return (DNS_R_FORMERR);
+                               }
 
                                /*
                                 * Apply filters, if given, on answers to reject
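Review bot: The class-mismatch check added after the TKEY check has no comment saying why it is there, while the TKEY check just above it does; the same bare check appears again in the second hunk (new line 7008). The commit message gives the reason, so it is worth recording at both sites, for example `/* Never hand an rdataset of another class to the cache; that could trigger an assertion failure. */`. The commit's file list shows no test change, so a system test in which the answer section carries a TKEY rdataset and a mismatched-class rdataset, and which expects FORMERR with named still running, would guard against regression. answer_response() starts and ends outside the hunk, so whether the other message sections get an equivalent class check cannot be seen from here.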
@@ -6995,6 +7008,12 @@ answer_response(fetchctx_t *fctx) {
                             rdataset != NULL;
                             rdataset = ISC_LIST_NEXT(rdataset, link))
                        {
+                               if (rdataset->rdclass != fctx->res->rdclass) {
+                                       log_formerr(fctx, "Mismatched class "
+                                                   "in answer");
+                                       return (DNS_R_FORMERR);
+                               }
+
                                /*
                                 * Only pass DNAME or RRSIG(DNAME).
                                 */
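Review bot: The class check at the top of this loop logs the same text, `"Mismatched class in answer"`, as the check added in the first hunk, so a FORMERR log line cannot be attributed to one loop or the other. The comment that follows suggests this loop handles the DNAME case, so a distinct string such as `log_formerr(fctx, "Mismatched class in DNAME answer");` would make triage of rejected responses easier, assuming nothing depends on the existing wording. Both the loop and answer_response() extend beyond the hunk.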