Here's a diff that backports the security fix in bind 9.4.1 to bind
9.3.4. I dug around a bit and found no CVE for it yet...
lamont
--- orig/CHANGES
+++ mod/CHANGES
@@ -1,3 +1,5 @@
+2172. [bug] query_addsoa() was being called with a non zone db.
+ [RT #16834]
--- 9.3.4 released ---
--- orig/bin/named/query.c
+++ mod/bin/named/query.c
@@ -3212,6 +3212,21 @@
* an error unless we were searching for
* glue. Ugh.
*/
+ if (!is_zone) {
+ authoritative = ISC_FALSE;
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (RECURSIONOK(client)) {
+ result = query_recurse(client,
+ qtype,
+ NULL,
+ NULL);
+ if (result == ISC_R_SUCCESS)
+ client->query.attributes |=
+ NS_QUERYATTR_RECURSING;
+ else
+
QUERY_ERROR(DNS_R_SERVFAIL); }
+ goto addauth;
+ }
/*
* We were searching for SIG records in
* a nonsecure zone. Send a "no error,
--- orig/debian/changelog
+++ mod/debian/changelog
@@ -1,3 +1,9 @@
+bind9 (1:9.3.4-2+etch1) stable; urgency=low
+
+ * Backport security fix from 9.4.1
+
+ -- LaMont Jones <[EMAIL PROTECTED]> Mon, 30 Apr 2007 18:29:40 -0600
+
bind9 (1:9.3.4-2) unstable; urgency=high
* Actually really do the merge of 9.3.4. Sigh. Closes: #408925
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
