Hello community,

here is the log from the commit of package bind for openSUSE:Factory checked in 
at 2012-12-07 14:06:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
 and      /work/SRC/openSUSE:Factory/.bind.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bind", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes        2012-11-20 
10:15:18.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.bind.new/bind.changes   2012-12-07 
14:06:49.000000000 +0100
@@ -1,0 +2,156 @@
+Thu Dec  6 08:00:31 UTC 2012 - [email protected]
+
+- Updated to 9.9.2-P1 (bnc#792926)
+  https://kb.isc.org/article/AA-00828
+  * Security Fixes
+
+    Prevents named from aborting with a require assertion failure on
+    servers with DNS64 enabled.  These crashes might occur as a result of
+    specific queries that are received.  (Note that this fix is a subset
+    of a series of updates that will be included in full in BIND 9.8.5
+    and 9.9.3 as change #3388, RT #30996).  [CVE-2012-5688] [RT #30792]
+
+    A deliberately constructed combination of records could cause
+    named to hang while populating the additional section of a
+    response. [CVE-2012-5166] [RT #31090]
+
+    Prevents a named assert (crash) when queried for a record whose
+    RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
+
+    Prevents a named assert (crash) when validating caused by using
+    "Bad cache" data before it has been initialized. [CVE-2012-3817]
+    [RT #30025]
+
+    A condition has been corrected where improper handling of zero-length
+    RDATA could cause undesirable behavior, including termination of
+    the named process. [CVE-2012-1667]  [RT #29644]
+
+    ISC_QUEUE handling for recursive clients was updated to address a race
+    condition that could cause a memory leak. This rarely occurred with
+    UDP clients, but could be a significant problem for a server handling
+    a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]
+
+New Features
+
+    Elliptic Curve Digital Signature Algorithm keys and signatures in
+    DNSSEC are now supported per RFC 6605. [RT #21918]
+
+    Introduces a new tool "dnssec-checkds" command that checks a zone to
+    determine which DS records should be published in the parent zone,
+    or which DLV records should be published in a DLV zone, and queries
+    the DNS to ensure that it exists. (Note: This tool depends on python;
+    it will not be built or installed on systems that do not have a
+    python interpreter.)  [RT #28099]
+
+    Introduces a new tool "dnssec-verify" that validates a signed zone,
+    checking for the correctness of signatures and NSEC/NSEC3 chains.
+    [RT #23673]
+
+    Adds configuration option "max-rsa-exponent-size <value>;" that
+    can be used to specify the maximum rsa exponent size that will be
+    accepted when validating [RT #29228]
+
+Feature Changes
+
+    Improves OpenSSL error logging [RT #29932]
+    nslookup now returns a nonzero exit code when it is unable to get
+    an answer.  [RT #29492]
+
+Bug Fixes
+
+    Uses binary mode to open raw files on Windows.  [RT #30944]
+    When using DNSSEC inline signing with "rndc signing -nsec3param", a
+    salt value of "-" can now be used to indicate 'no salt'.  [RT #30099]
+    Prevents race conditions (address use after free) that could be
+    encountered when named is shutting down and releasing structures
+    used to manage recursive clients.  [RT #30241]
+    Static-stub zones now accept "forward" and "fowarders" options
+    (often needed for subdomains of the zone referenced to override
+    global forwarding options).  These options are already available
+    with traditional stub zones and their omission from zones of type
+    "static-stub" was an inadvertent oversight. [RT #30482]
+    Limits the TTL of signed RRsets in cache when their RRSIGs are
+    approaching expiry. This prevents the persistence in cache of
+    invalid RRSIGs in order to assist recovery from a situation where
+    zone re-signing doesn't occur in a timely manner.   With this change,
+    named will attempt to obtain new RRSIGs from the authoritative server
+    once the original ones have expired, and even if the TTL of the old
+    records would in other circumstances cause them to be kept in cache
+    for longer.  [RT #26429]
+    Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
+    which are employed on Itanium systems to speed up lock management
+    by making use of atomic operations.  Without the syntax correction
+    it is possible that concurrent access to the same structures could
+    accidentally occur with unpredictable results.  [RT #25181]
+    Improves OpenSSL error logging [RT #29932]
+    The configure script now supports and detects libxml2-2.8.x correctly
+    [RT #30440]
+    The host command should no longer assert on some architectures
+    and builds while handling the time values used with the -w (wait
+    forever) option.  [RT #18723]
+    Invalid zero settings for max-retry-time, min-retry-time,
+    max-refresh-time, min-refresh-time will now be detected during parsing
+    of named.conf and an error emitted instead of triggering an assertion
+    failure on startup.  [RT #27730]
+    Removes spurious newlines from log messages in zone.c [RT #30675]
+    When built with readline support (i.e. on a system with readline
+    installed) nsupdate no longer terminates unexpectedly in interactive
+    mode. [RT #29550]
+    All named tasks that perform task-exclusive operations now share the
+    same single task.  Prior to this change, there was the possibility of
+    a race condition between rndc operations and other functions such as
+    re-sizing the adb hash table.  If the race condition was encountered,
+    named would in most cases terminate unexpectedly with an assert.
+    [RT #29872]
+    Ensures that servers are expired from the ADB cache when the timeout
+    limit is reached so that their learned attributes can be refreshed.
+    Prior to this change, servers that were frequently queried might
+    never have their entries removed and reinitialized.  This is of
+    particular importance to DNSSEC-validating recursive servers that
+    might erroneously set "no-edns" for an authoritative server following
+    a period of intermittent connectivity. [RT #29856]
+    Adds additional resilience to a previous security change (3218) by
+    preventing RRSIG data from being added to cache when a pseudo-record
+    matching the covering type and proving non-existence exists at a
+    higher trust level. The earlier change prevented this inconsistent
+    data from being retrieved from cache in response to client queries  -
+    with this additional change, the RRSIG records are no longer inserted
+    into cache at all. [RT #26809]
+    dnssec-settime will now issue a warning when the writing of a new
+    private key file would cause a change in the permissions of the
+    existing file. [RT #27724]
+    Fixes the defect introduced by change #3314 that was causing failures
+    when saving stub zones to disk (resulting in excessive CPU usage in
+    some cases).  [RT #29952]
+    Address race condition in units tests: asyncload_zone and
+    asyncload_zt. [RT #26100]
+    It is now possible to using multiple control keys again - this
+    functionality was inadvertently broken by change #3924 (RT #28265)
+    which addressed a memory leak. [RT #29694]
+    Named now holds a zone table reference while performing an
+    asynchronous load of a zone.  This removes a race condition that
+    could cause named to crash when zones are added using rndc addzone
+    or by manually editing named's configuration file followed by rndc
+    reconfig/reload. [RT #28326]
+    Setting resolver-query-timeout too low could cause named problems
+    recovering after a loss of connectivity.  [RT #29623]
+    Reduces the potential build-up of stale RRsets in cache on a busy
+    recursive nameserver by re-using cached DS and RRSIG rrsets when
+    possible [RT #29446]
+    Corrects a failure to authenticate non-existence of resource records
+    in some circumstances when RPZ has been configured.  Also:
+        adds an optional "recursive-only yes|no" to the response-policy
+        statement
+        adds an optional "max-policy-ttl" to the response-policy statement
+        to limit the false data that "recursive-only no" can introduce
+        into resolvers' caches
+        introduces a predefined encoding of PASSTHRU policy by adding
+        "rpz-passthru" to be used as the target of CNAME policy records
+        (the old encoding is still accepted.)
+        adds a RPZ performance test to bin/tests/system/rpz when queryperf is 
available.  [RT #26172]
+    Upper-case/lower-case handling of RRSIG signer-names is now handled
+    consistently: RRSIG records are generated with the signer-name in
+    lower case. They are accepted with any case, but if they fail to
+    validate, we try again in lower case. [RT #27451]
+
+-------------------------------------------------------------------
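Review bot: The Security Fixes block lists six CVEs (CVE-2012-5688, CVE-2012-5166, CVE-2012-4244, CVE-2012-3817, CVE-2012-1667, CVE-2012-3868) under a single bug reference, bnc#792926, and a single KB link, without saying which of them are newly fixed relative to the bind-9.9.2.tar.gz this update replaces. Someone triaging from this changelog cannot tell what the move to 9.9.2-P1 actually closes, so mark which fixes are new in this update. Smaller points in the same entry: "Improves OpenSSL error logging [RT #29932]" appears under both Feature Changes and Bug Fixes, "fowarders" should read "forwarders", and the headings after "* Security Fixes" have lost their bullet and indentation, so the individual bug-fix items run together with no separator.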

Old:
----
  bind-9.9.2.tar.gz
  rl-9.9.2.patch

New:
----
  bind-9.9.2-P1.tar.gz
  rl-9.9.2p1.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.j0j9Y9/_old  2012-12-07 14:06:56.000000000 +0100
+++ /var/tmp/diff_new_pack.j0j9Y9/_new  2012-12-07 14:06:56.000000000 +0100
@@ -18,7 +18,7 @@
 
 Name:           bind
 %define pkg_name bind
-%define pkg_vers 9.9.2
+%define pkg_vers 9.9.2-P1
 BuildRequires:  krb5-devel
 BuildRequires:  libcap
 BuildRequires:  libcap-devel
@@ -32,7 +32,7 @@
 Summary:        Domain Name System (DNS) Server (named)
 License:        ISC
 Group:          Productivity/Networking/DNS/Servers
-Version:        9.9.2
+Version:        9.9.2P1
 Release:        0
 Provides:       bind8
 Provides:       bind9
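Review bot: Version is set to 9.9.2P1 here while pkg_vers in the previous hunk is set to 9.9.2-P1, so the same release is now spelled two ways and both lines have to be edited by hand on every update. Add a comment stating that the hyphen is dropped because RPM does not allow '-' in the Version tag, or derive one value from the other so the two cannot drift apart.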
@@ -59,7 +59,8 @@
 
 # Rate limiting patch by Paul Vixie et.al. for reflection DoS protection
 # see http://www.redbarn.org/dns/ratelimits
-Patch200:       http://ss.vix.com/~vixie/rl-9.9.2.patch
+#Patch200:       http://ss.vix.com/~vixie/rl-9.9.2.patch
+Patch200:       rl-9.9.2p1.patch
 
 Source60:       dlz-schema.txt
 %if %ul_version >= 1
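Review bot: Patch200 switches from the upstream URL to a local file, rl-9.9.2p1.patch, with no record of where that file came from. The comment above still points at redbarn.org, the old URL is left commented out, and the bind.changes entry in this commit does not mention the rate-limiting patch at all, so a reader cannot tell whether the 2974-line patch is an upstream release for 9.9.2-P1 or a local rebase of rl-9.9.2.patch. State the origin in the spec comment and in the changelog, and either delete the commented-out line or replace it with the source URL of the new file.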

++++++ rl-9.9.2p1.patch ++++++
++++ 2974 lines (skipped)
