- Fixed a regression in resolver.c:possibly_mark() which caused
known-bogus servers to be queried anyway. [RT #41321]
- render_ecs errors were mishandled when printing out an OPT record
resulting in an assertion failure. (CVE-2015-8705) [RT #41397]
- Specific APL data could trigger an INSIST. (CVE-2015-8704) [RT #41396]
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT #40945]
and a possible crash with async zone loads. https://kb.isc.org/article/AA-01266
"If you are using RPZ in BIND 9.10 in a production environment, and
particularly if you have multiple policy zones, you should upgrade to
BIND 9.10.2-P1. Otherwise, this upgrade is not urgent."
On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys, or
implicitly via dnssec-validation auto; or dnssec-lookaside auto;),
revoking a trust anchor and sending a new untrusted replacement could
cause named to crash with an assertion failure. This could occur in
the event of a botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to monitor the
victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and
is disclosed in [CVE-2015-1349] [RT #38344] (**)
CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled,
CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and
fixes to GeoIP (CVE-2014-8680 and another unclassified).
https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html
Add a local patch to increase the default query limit; during testing it
appears that the standard defaults can easily be falsely triggered during
priming at startup.
exploit a defect in EDNS option processing can cause named to terminate with
an assertion failure. This fixes a missing isc_buffer_availablelength check
when printing out a packet." (This doesn't affect 9.9.x in 5.5-stable).
A few other fixes most of which don't affect us (one notable one is a
fix for GCC 4.9.0 optimizing away a null pointer check, more info on this
at https://kb.isc.org/article/AA-01167/)
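The missing isc_buffer_availablelength check quoted above is one instance of a pattern that recurs in the assertion-failure fixes on this page: a renderer assumes the output buffer has room, so a client-chosen option size ends in an INSIST/REQUIRE abort of named. The following is an added example, not ISC or port code, showing the checked form on a constructed minimal buffer; outbuf_t, render_option and the sample options are all invented for the illustration and do not reflect libdns internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not ISC code: an output buffer with an
 * explicit "available length" query and a renderer that consults it
 * before every write. The bug class above is this renderer with the
 * check missing, so an oversized option hits an assertion and aborts. */
typedef struct {
    char *base;     /* backing storage */
    size_t length;  /* capacity in bytes */
    size_t used;    /* bytes written so far */
} outbuf_t;

static void outbuf_init(outbuf_t *b, char *storage, size_t length) {
    b->base = storage;
    b->length = length;
    b->used = 0;
}

static size_t outbuf_available(const outbuf_t *b) {
    return b->length - b->used;
}

/* Append n bytes; -1 and an untouched buffer when they do not fit. A
 * writer that instead did assert(n <= outbuf_available(b)) would let a
 * client-chosen option size terminate the process. */
static int outbuf_put(outbuf_t *b, const void *src, size_t n) {
    if (n > outbuf_available(b))
        return -1;
    memcpy(b->base + b->used, src, n);
    b->used += n;
    return 0;
}

static const char hexdigits[] = "0123456789abcdef";

/* Render one EDNS option as text: "OPT <code> len=<len> <hex>\n". On any
 * shortfall the buffer is rolled back to its previous fill level and -1
 * returned, so the caller can log "truncated" and keep serving. */
static int render_option(outbuf_t *b, uint16_t code,
                         const unsigned char *data, size_t len) {
    size_t saved = b->used;
    char head[48];
    int n = snprintf(head, sizeof head, "OPT %u len=%zu ", (unsigned)code, len);
    if (n < 0 || (size_t)n >= sizeof head)
        return -1;
    if (outbuf_put(b, head, (size_t)n) != 0)
        goto nospace;
    for (size_t i = 0; i < len; i++) {
        char pair[2] = { hexdigits[data[i] >> 4], hexdigits[data[i] & 0x0f] };
        if (outbuf_put(b, pair, 2) != 0)
            goto nospace;
    }
    if (outbuf_put(b, "\n", 1) != 0)
        goto nospace;
    return 0;
nospace:
    b->used = saved;
    return -1;
}

/* Constructed samples: a 4-byte option and a 200-byte one. */
static const unsigned char sample_small[4] = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char sample_big[200] = { 0 };

/* Render one option into a fresh buffer of the given capacity (<= 512);
 * returns bytes produced, or -1 if it did not fit. */
static long render_option_demo(size_t capacity, uint16_t code,
                               const unsigned char *data, size_t len) {
    char storage[512];
    outbuf_t b;
    if (capacity > sizeof storage)
        return -1;
    outbuf_init(&b, storage, capacity);
    return render_option(&b, code, data, len) == 0 ? (long)b.used : -1;
}

/* Render the small option, then attempt the big one, into one buffer of
 * the given capacity (<= 512); returns the final fill level. When the
 * second does not fit, the rollback leaves the first intact. */
static long render_two_demo(size_t capacity) {
    char storage[512];
    outbuf_t b;
    if (capacity > sizeof storage)
        return -1;
    outbuf_init(&b, storage, capacity);
    (void)render_option(&b, 3, sample_small, sizeof sample_small);
    (void)render_option(&b, 12, sample_big, sizeof sample_big);
    return (long)b.used;
}

int main(void) {
    printf("small option into 64 bytes: %ld\n",
           render_option_demo(64, 3, sample_small, sizeof sample_small));
    printf("big option into 64 bytes:   %ld (no space)\n",
           render_option_demo(64, 12, sample_big, sizeof sample_big));
    printf("both into 64, after rollback: %ld kept\n", render_two_demo(64));
    return 0;
}
```

The point of the rollback is that a single option that does not fit degrades one log line rather than the whole daemon; with the asserting writer, the same input is a remotely triggered crash, which is exactly the shape of the CVE entries above.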
- patch to add another missing stdint.h inclusion for uintptr_t
- enable regression tests (these set temporary aliases on lo0;
should be safe, but I've set TEST_INTERACTIVE to avoid any unintended
consequences on bulk test runs).
a crafted query against an NSEC3-signed zone, causing the server to exit.
Affects authoritative nameservers serving at least one NSEC3-signed zone.
Does not affect recursive-only servers, or auth servers which do not serve
NSEC3-signed zones.
query that includes malformed rdata can cause named to terminate with an
assertion failure while rejecting the malformed query. Authoritative and
recursive servers are equally vulnerable. Intentional exploitation of
this condition can cause a denial of service in all nameservers running
affected versions of BIND 9. Access Control Lists do not provide any
protection from malicious clients.
per CPU. As found by Marc Peters, this doesn't work too well on a t5120
with 64 threads, so change the default settings in the rc.d script to -U 4
to cap this to 4, or the number of CPUs if less.
As usual with rc.d scripts, if you need to override flags, set
isc_named_flags="..." in rc.conf.local.
"A critical defect in BIND 9 allows an attacker to cause excessive memory
consumption in named or other programs linked to libdns.
The problem is encountered when a program compiled to link to libdns
receives a maliciously-constructed regular expression via any of several
delivery methods."
https://kb.isc.org/article/AA-0087