Path to this page:
Next | Query returned 2 messages, browsing 1 to 10 | previous
CVS Commit History:
2017-02-12 22:59:29 by S.P.Zeidler | Files touched by this commit (2) | |
Log message:
Pullup ticket #5211 - requested by taca
net/bind99: security update
Revisions pulled up:
- net/bind99/Makefile 1.63
- net/bind99/distinfo 1.43
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 9 00:50:15 UTC 2017
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log message:
Update bind99 to 9.9.9pl6 (BIND 9.9.9-P6).
Security Fixes
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non- absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
Feature Changes
* None.
Porting Changes
* None.
Bug Fixes
* A synthesized CNAME record appearing in a response before the
associated DNAME could be cached, when it should not have been.
This was a regression introduced while addressing CVE-2016-8864.
[RT #44318]
* Windows installs were failing due to triggering UAC without the
installation binary being signed.
* A race condition in rbt/rbtdb was leading to INSISTs being
triggered.
To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.63 pkgsrc/net/bind99/Makefile
cvs rdiff -u -r1.42 -r1.43 pkgsrc/net/bind99/distinfo
|
2017-01-13 21:21:02 by Benny Siegert | Files touched by this commit (2) |
Log message:
Pullup ticket #5190 - requested by taca
net/bind99: security fix
Revisions pulled up:
- net/bind99/Makefile 1.62
- net/bind99/distinfo 1.42
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 12 00:05:46 UTC 2017
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log message:
Update bind99 to 9.9.9pl5 (BIND 9.9.9-P5), including security fixes.
--- 9.9.9-P5 released ---
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting
for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT # 43632]
4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
resulting in a assertion failure. (CVE-2016-9147)
[RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which
could trigger a assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522]
|
Next | Query returned 2 messages, browsing 1 to 10 | previous