December 12, 2011

[installer 3044] BIND 9.6-ESV-R6b1, 9.7.5b1, 9.8.2b1

BIND 9.6-ESV-R6b1, 9.7.5b1, and 9.8.2b1 have been released.

They also include the fix for the DoS vulnerability in caching servers.
See:
http://www.isc.org/software/bind/advisories/cve-2011-4313
https://www.isc.org/advisorycve20114313JP (information in Japanese)

☆ BIND 9.6-ESV-R6b1

https://www.isc.org/software/bind
ftp://ftp.isc.org/isc/bind/9.6-ESV-R6b1/bind-9.6-ESV-R6b1.tar.gz

--- 9.6-ESV-R6b1 released ---

3221. [bug] Fixed a potential coredump on shutdown due to
referencing fetch context after it's been freed.
[RT #26720]

3218. [security] Cache lookup could return RRSIG data associated with
nonexistent records, leading to an assertion
failure. [RT #26590]

3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]

3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]

3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
list prior to adding a reference to it leading a
possible assertion failure. [RT #23219]

3208. [bug] 'dig -y' handle unknown tsig algorithm better.
[RT #25522]

3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206. [cleanup] Add ISC information to log at start time. [RT #25484]

3204. [bug] When a master server that has been marked as
unreachable sends a NOTIFY, mark it reachable
again. [RT #25960]

3203. [bug] Increase log level to 'info' for validation failures
from expired or not-yet-valid RRSIGs. [RT #21796]

3200. [doc] Some rndc functions were undocumented or were
missing from 'rndc -h' output. [RT #25555]

3196. [bug] nsupdate: return nonzero exit code when target zone
doesn't exist. [RT #25783]

3194. [doc] Updated RFC references in the 'empty-zones-enable'
documentation. [RT #25203]

3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
dnssec.h. [RT #26415]

3192. [bug] A query structure could be used after being freed.
[RT #22208]

3191. [bug] Print NULL records using "unknown" format. [RT #26392]

3190. [bug] Underflow in error handling in isc_mutexblock_init.
[RT #26397]

3189. [test] Added a summary report after system tests. [RT #25517]

3187. [port] win32: support for Visual Studio 2008. [RT #26356]

3179. [port] kfreebsd: build issues. [RT #26273]

3175. [bug] Fix how DNSSEC positive wildcard responses from a
NSEC3 signed zone are validated. Stop sending a
unnecessary NSEC3 record when generating such
responses. [RT #26200]

3173. [port] Correctly validate root DS responses. [RT #25726]

3169. [func] Catch db/version mis-matches when calling dns_db_*().
[RT #26017]

3167. [bug] Negative answers from forwarders were not being
correctly tagged making them appear to not be cached.
[RT #25380]

3162. [test] start.pl: modified to allow for "named.args" in
ns*/ subdirectory to override stock arguments to
named. Largely from RT#26044, but no separate ticket.

3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
the config file before pausing the server. [RT #21373]

3156. [bug] Reconfiguring the server with an incorrectly
formatted TSIG key could cause a crash during
subsequent zone transfers. [RT #20391]

3154. [bug] Attempting to print an empty rdataset could trigger
an assert. [RT #25452]

3151. [bug] Queries for type RRSIG or SIG could be handled
incorrectly. [RT #21050]

3149. [tuning] Improve scalability by allocating one zone
task per 100 zones at startup time. (The
BIND9_ZONE_TASKS_HINT environment variable
which was established as a temporary measure
in change #3132 is no longer needed or
used.) [rt25541]

3148. [bug] Processing of normal queries could be stalled when
forwarding a UPDATE message. [RT #24711]

3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145. [test] Capture output of ATF unit tests in "./atf.out" if
there were any errors while running them. [RT #25527]

3144. [bug] dns_dbiterator_seek() could trigger an assert when
used with a nonexistent database node. [RT #25358]

3143. [bug] Silence clang compiler warnings. [RT #25174]

3142. [bug] NAPTR is class agnostic. [RT #25429]

3141. [bug] Silence spurious "zone serial unchanged" messages
associated with empty zones. [RT #25079]

3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
for the hashing algorithms (md5, sha1 - sha512, and
their hmac counterparts). [RT #25067]

3138. [bug] Address memory leaks and out-of-order operations when
shutting named down. [RT #25210]

3136. [func] Add RFC 1918 reverse zones to the list of built-in
empty zones switched on by the 'empty-zones-enable'
option. [RT #24990]

3134. [bug] Improve the accuracy of dnssec-signzone's signing
statistics. [RT #16030]


☆ BIND 9.7.5b1
https://www.isc.org/software/bind
ftp://ftp.isc.org/isc/bind/9.7.5b1/bind-9.7.5b1.tar.gz

--- 9.7.5b1 released ---

3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]

3231. [bug] named could fail to send a uncompressable zone.
[RT #26796]

3230. [bug] 'dig axfr' failed to properly handle a multi-message
axfr with a serial of 0. [RT #26796]

3229. [bug] Fix local variable to struct var assignment
found by CLANG warning.

3228. [tuning] Dynamically grow symbol table to improve zone
loading performance. [RT #26523]

3227. [bug] Interim fix to make WKS's use of getprotobyname()
and getservbyname() self thread safe. [RT #26232]

3226. [bug] Address minor resource leakages. [RT #26624]

3221. [bug] Fixed a potential coredump on shutdown due to
referencing fetch context after it's been freed.
[RT #26720]

3218. [security] Cache lookup could return RRSIG data associated with
nonexistent records, leading to an assertion
failure. [RT #26590]

3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]

3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]

3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
list prior to adding a reference to it leading a
possible assertion failure. [RT #23219]

3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]

3208. [bug] 'dig -y' handle unknown tsig algorithm better.
[RT #25522]

3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206. [cleanup] Add ISC information to log at start time. [RT #25484]

3204. [bug] When a master server that has been marked as
unreachable sends a NOTIFY, mark it reachable
again. [RT #25960]

3203. [bug] Increase log level to 'info' for validation failures
from expired or not-yet-valid RRSIGs. [RT #21796]

3200. [doc] Some rndc functions were undocumented or were
missing from 'rndc -h' output. [RT #25555]

3198. [doc] Clarified that dnssec-settime can alter keyfile
permissions. [RT #24866]

3196. [bug] nsupdate: return nonzero exit code when target zone
doesn't exist. [RT #25783]

3195. [cleanup] Silence "file not found" warnings when loading
managed-keys zone. [RT #26340]

3194. [doc] Updated RFC references in the 'empty-zones-enable'
documentation. [RT #25203]

3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
dnssec.h. [RT #26415]

3192. [bug] A query structure could be used after being freed.
[RT #22208]

3191. [bug] Print NULL records using "unknown" format. [RT #26392]

3190. [bug] Underflow in error handling in isc_mutexblock_init.
[RT #26397]

3189. [test] Added a summary report after system tests. [RT #25517]

3188. [bug] zone.c:zone_refreshkeys() could fail to detach
references correctly when errors occurred, causing
a hang on shutdown. [RT #26372]

3187. [port] win32: support for Visual Studio 2008. [RT #26356]

3179. [port] kfreebsd: build issues. [RT #26273]

3175. [bug] Fix how DNSSEC positive wildcard responses from a
NSEC3 signed zone are validated. Stop sending a
unnecessary NSEC3 record when generating such
responses. [RT #26200]

3174. [bug] Always compute to revoked key tag from scratch.
[RT #26186]

3173. [port] Correctly validate root DS responses. [RT #25726]

3171. [bug] Exclusively lock the task when adding a zone using
'rndc addzone'. [RT #25600]

3169. [func] Catch db/version mis-matches when calling dns_db_*().
[RT #26017]

3167. [bug] Negative answers from forwarders were not being
correctly tagged making them appear to not be cached.
[RT #25380]

3162. [test] start.pl: modified to allow for "named.args" in
ns*/ subdirectory to override stock arguments to
named. Largely from RT#26044, but no separate ticket.

3161. [bug] zone.c:del_sigs failed to always reset rdata leading
assertion failures. [RT #25880]

3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
the config file before pausing the server. [RT #21373]

3154. [bug] Attempting to print an empty rdataset could trigger
an assert. [RT #25452]

3152. [cleanup] Some versions of gcc and clang failed due to
incorrect use of __builtin_expect. [RT #25183]

3151. [bug] Queries for type RRSIG or SIG could be handled
incorrectly. [RT #21050]

3149. [tuning] Improve scalability by allocating one zone
task per 100 zones at startup time. (The
BIND9_ZONE_TASKS_HINT environment variable
which was established as a temporary measure
in change #3132 is no longer needed or
used.) [rt25541]

3148. [bug] Processing of normal queries could be stalled when
forwarding a UPDATE message. [RT #24711]

3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145. [test] Capture output of ATF unit tests in "./atf.out" if
there were any errors while running them. [RT #25527]

3144. [bug] dns_dbiterator_seek() could trigger an assert when
used with a nonexistent database node. [RT #25358]

3143. [bug] Silence clang compiler warnings. [RT #25174]

3142. [bug] NAPTR is class agnostic. [RT #25429]

3141. [bug] Silence spurious "zone serial (0) unchanged" messages
associated with empty zones. [RT #25079]

3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
for the hashing algorithms (md5, sha1 - sha512, and
their hmac counterparts). [RT #25067]

3138. [bug] Address memory leaks and out-of-order operations when
shutting named down. [RT #25210]

3136. [func] Add RFC 1918 reverse zones to the list of built-in
empty zones switched on by the 'empty-zones-enable'
option. [RT #24990]

3134. [bug] Improve the accuracy of dnssec-signzone's signing
statistics. [RT #16030]

3129. [bug] Named could crash on 'rndc reconfig' when
allow-new-zones was set to yes and named ACLs
were used, [RT #22739]


☆ BIND 9.8.2b1
https://www.isc.org/software/bind
ftp://ftp.isc.org/isc/bind/9.8.2b1/bind-9.8.2b1.tar.gz

--- 9.8.2b1 released ---

3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]

3231. [bug] named could fail to send a uncompressable zone.
[RT #26796]

3230. [bug] 'dig axfr' failed to properly handle a multi-message
axfr with a serial of 0. [RT #26796]

3229. [bug] Fix local variable to struct var assignment
found by CLANG warning.

3228. [tuning] Dynamically grow symbol table to improve zone
loading performance. [RT #26523]

3227. [bug] Interim fix to make WKS's use of getprotobyname()
and getservbyname() self thread safe. [RT #26232]

3226. [bug] Address minor resource leakages. [RT #26624]

3221. [bug] Fixed a potential coredump on shutdown due to
referencing fetch context after it's been freed.
[RT #26720]

3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
could fail to set the database version correctly,
causing an assertion failure. [RT #26180]

3218. [security] Cache lookup could return RRSIG data associated with
nonexistent records, leading to an assertion
failure. [RT #26590]

3217. [cleanup] Fix build problem with --disable-static. [RT #26476]

3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]

3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]

3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
list prior to adding a reference to it leading a
possible assertion failure. [RT #23219]

3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]

3208. [bug] 'dig -y' handle unknown tsig algorithm better.
[RT #25522]

3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]

3206. [cleanup] Add ISC information to log at start time. [RT #25484]

3204. [bug] When a master server that has been marked as
unreachable sends a NOTIFY, mark it reachable
again. [RT #25960]

3203. [bug] Increase log level to 'info' for validation failures
from expired or not-yet-valid RRSIGs. [RT #21796]

3200. [doc] Some rndc functions were undocumented or were
missing from 'rndc -h' output. [RT #25555]

3198. [doc] Clarified that dnssec-settime can alter keyfile
permissions. [RT #24866]

3196. [bug] nsupdate: return nonzero exit code when target zone
doesn't exist. [RT #25783]

3195. [cleanup] Silence "file not found" warnings when loading
managed-keys zone. [RT #26340]

3194. [doc] Updated RFC references in the 'empty-zones-enable'
documentation. [RT #25203]

3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
dnssec.h. [RT #26415]

3192. [bug] A query structure could be used after being freed.
[RT #22208]

3191. [bug] Print NULL records using "unknown" format. [RT #26392]

3190. [bug] Underflow in error handling in isc_mutexblock_init.
[RT #26397]

3189. [test] Added a summary report after system tests. [RT #25517]

3188. [bug] zone.c:zone_refreshkeys() could fail to detach
references correctly when errors occurred, causing
a hang on shutdown. [RT #26372]

3187. [port] win32: support for Visual Studio 2008. [RT #26356]

3186. [bug] Version/db mis-match in rpz code. [RT #26180]

3179. [port] kfreebsd: build issues. [RT #26273]

3175. [bug] Fix how DNSSEC positive wildcard responses from a
NSEC3 signed zone are validated. Stop sending a
unnecessary NSEC3 record when generating such
responses. [RT #26200]

3174. [bug] Always compute to revoked key tag from scratch.
[RT #26186]

3173. [port] Correctly validate root DS responses. [RT #25726]

3171. [bug] Exclusively lock the task when adding a zone using
'rndc addzone'. [RT #25600]

3170. [func] RPZ update:
- fix precedence among competing rules
- improve ARM text including documenting rule precedence
- try to rewrite CNAME chains until first hit
- new "rpz" logging channel

3169. [func] Catch db/version mis-matches when calling dns_db_*().
[RT #26017]

3167. [bug] Negative answers from forwarders were not being
correctly tagged making them appear to not be cached.
[RT #25380]

3162. [test] start.pl: modified to allow for "named.args" in
ns*/ subdirectory to override stock arguments to
named. Largely from RT#26044, but no separate ticket.

3161. [bug] zone.c:del_sigs failed to always reset rdata leading
assertion failures. [RT #25880]

3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
the config file before pausing the server. [RT #21373]

3155. [bug] Fixed a build failure when using contrib DLZ
drivers (e.g., mysql, postgresql, etc). [RT #25710]

3154. [bug] Attempting to print an empty rdataset could trigger
an assert. [RT #25452]

3152. [cleanup] Some versions of gcc and clang failed due to
incorrect use of __builtin_expect. [RT #25183]

3151. [bug] Queries for type RRSIG or SIG could be handled
incorrectly. [RT #21050]

3148. [bug] Processing of normal queries could be stalled when
forwarding a UPDATE message. [RT #24711]

3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145. [test] Capture output of ATF unit tests in "./atf.out" if
there were any errors while running them. [RT #25527]

3144. [bug] dns_dbiterator_seek() could trigger an assert when
used with a nonexistent database node. [RT #25358]

3143. [bug] Silence clang compiler warnings. [RT #25174]

3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
for the hashing algorithms (md5, sha1 - sha512, and
their hmac counterparts). [RT #25067]

----
こがよういちろう


Posted by xml-rpc: December 12, 2011 13:39