Log Message:
security update:
BIND 9.4.3-P4 is a SECURITY PATCH for BIND 9.4.3.  It addresses a
potential cache poisoning vulnerability, in which data in the additional
section of a response could be cached without proper DNSSEC validation.

Changes since 9.4.3-P3:

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			validates as secure. [RT #20438]

BIND 9.4.3-P5 is a SECURITY PATCH for BIND 9.4.3.  It addresses two
potential cache poisoning vulnerabilities, both of which could allow
a validating recursive nameserver to cache data which had not been
authenticated or was invalid.

CVE identifiers: CVE-2009-4022, CVE-2010-0097
CERT advisories: VU#418861, VU#360341

Changes since 9.4.3-P4:

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]