--- 9.11.0-P4 released ---
+4578. [security] Some chaining (CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures.
+ (CVE-2017-3137) [RT #44734]
+
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
BIND 9.11.0-P4
- This version contains a fix for CVE-2017-3136, and updates
- the built in trusted keys for the root zone.
+ This version contains fixes for CVE-2017-3136 and CVE-2017-3137,
+ and updates the built in trusted keys for the root zone.
BIND 9.11.0-P3
from an external database, developed by Red Hat for the FreeIPA
project.
- "fetchlimit" quotas are now compiled in by default. These
- are for the use of recursive resolvers that are are under
- high query load for domains whose authoritative servers are
- nonresponsive or are experiencing a denial of service attack:
+ are for the use of recursive resolvers that are are under
+ high query load for domains whose authoritative servers are
+ nonresponsive or are experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
+ <listitem>
+ <para>
+ Some chaining (i.e., type CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures. This flaw is disclosed
+ in CVE-2017-3137. [RT #44734]
+ </para>
+ </listitem>
<listitem>
<para>
<command>dns64</command> with <command>break-dnssec yes;</command>
can result in an assertion failure. This flaw is disclosed in
- CVE-2017-3136.[RT #44653]
+ CVE-2017-3136. [RT #44653]
</para>
</listitem>
<listitem>
# 9.10: 140-149
# 9.11: 160-169
LIBINTERFACE = 166
-LIBREVISION = 5
+LIBREVISION = 6
LIBAGE = 0
rdataset->attributes |=
DNS_RDATASETATTR_CACHE;
rdataset->trust = dns_trust_answer;
- if (chaining == 0) {
+ if (external) {
/*
- * This data is "the" answer
- * to our question only if
- * we're not chaining (i.e.
- * if we haven't followed
- * a CNAME or DNAME).
+ * This data is outside of
+ * our query domain, and
+ * may not be cached.
*/
- INSIST(!external);
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
+ } else if (chaining == 0) {
/*
* Don't use found_cname here
* as we have just set it
if (aa)
rdataset->trust =
dns_trust_authanswer;
- } else if (external) {
- /*
- * This data is outside of
- * our query domain, and
- * may not be cached.
- */
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
}
/*
* If we are not chaining or the first CNAME
* is a synthesised CNAME before the DNAME.
*/
- if ((chaining == 0) ||
- (chaining == 1U && synthcname))
+ if (external) {
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
+ } else if ((chaining == 0) ||
+ (chaining == 1U && synthcname))
{
- /*
- * This data is "the" answer to
- * our question only if we're
- * not chaining.
- */
- INSIST(!external);
if (aflag == DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE;
found_dname = ISC_TRUE;
if (aa)
rdataset->trust =
dns_trust_authanswer;
- } else if (external) {
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
}
}
projects / thirdparty / bind9.git / commitdiff
