Update to 9.11.1_P1
ClosedPublic

Authored by poltertec on Jun 13 2017, 9:48 PM.

Details

Summary

This update addresses the following CVEs:
• CVE-2017-3141
• CVE-2017-3140

Feature Changes:
• dnstap now stores both the local and remote addresses for all messages, instead of only the remote
address. The default output format for dnstap-read has been updated to include these addresses,
with the initiating address first and the responding address second, separated by "->" or "<-"
to indicate in which direction the message was sent.
• Expanded and improved the YAML output from dnstap-read -y: it now includes packet size and
a detailed breakdown of message contents.
• If an ACL is specified with an address prefix in which the prefix length is longer than the address
portion (for example, 192.0.2.1/8), named will now log a warning. In future releases this will be a
fatal configuration error.

Bug Fixes:
• named could deadlock if multiple changes to NSEC/NSEC3 parameters for the same zone were
being processed at the same time.
• named could trigger an assertion when sending NOTIFY messages.
• Referencing a nonexistent zone in a response-policy statement could cause an assertion failure
during configuration.
• rndc addzone could cause a crash when attempting to add a zone with a type other than master
or slave. Such zones are now rejected.
• named could hang when encountering log file names with large apparent gaps in version number
(for example, when files exist called "logfile.0", "logfile.1", and "logfile.1482954169"). This is now
handled correctly.
• If a zone was updated while named was processing a query for nonexistent data, it could return
out-of-sync NSEC3 records causing potential DNSSEC validation failure.
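
An added example, not part of this revision or of BIND: a pre-upgrade check that scans named.conf text for ACL prefixes like the 192.0.2.1/8 case above, so they can be corrected before the warning becomes a fatal configuration error. It assumes the condition means address bits set beyond the prefix length, as that example shows; `SAMPLE_CONF` and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration (not from the page or from any real server).
SAMPLE_CONF = """
acl "trusted" {
    192.0.2.1/8;        // the page's example: address bits set beyond /8
    198.51.100.0/24;    # aligned, no finding
    !203.0.113.77/28;   /* negated entry, still misaligned */
    2001:db8::1/32;
    2001:db8::/32;
    localhost;
};
"""

# Candidate "address/length" tokens; ipaddress decides whether they are valid.
PREFIX_RE = re.compile(r"(?<![\w.:/])([0-9A-Fa-f:.]+)/(\d{1,3})(?![\w.:])")


def strip_comments(text):
    """Drop /* */, // and # comments, keeping line numbers stable.

    Simplification: comment markers inside quoted strings are not special-cased.
    """
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def misaligned_prefixes(conf_text):
    """Return (line, prefix as written, aligned network) for each bad prefix."""
    findings = []
    for lineno, line in enumerate(strip_comments(conf_text).splitlines(), 1):
        for match in PREFIX_RE.finditer(line):
            try:
                iface = ipaddress.ip_interface(match.group(0))
            except ValueError:
                continue  # not an IP prefix, or length out of range
            if iface.ip != iface.network.network_address:
                findings.append((lineno, match.group(0), str(iface.network)))
    return findings


if __name__ == "__main__":
    for lineno, written, aligned in misaligned_prefixes(SAMPLE_CONF):
        print(f"line {lineno}: {written} has bits beyond the prefix; use {aligned}")
```

The aligned network it suggests is only a candidate: an entry such as 192.0.2.1/8 may have been meant as a single host or a narrower range, so confirm the intended scope of each ACL before rewriting it.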

Diff Detail

Repository
R431 bind-utils
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

poltertec created this revision. Jun 13 2017, 9:48 PM
JoshStrobl requested changes to this revision. Jun 24 2017, 6:29 PM
JoshStrobl added a subscriber: JoshStrobl.

I believe you should be using patchset 1: ftp://ftp.isc.org/isc/bind9/9.11.1-P1/

This revision now requires changes to proceed. Jun 24 2017, 6:29 PM
poltertec updated this revision to Diff 1058. Jun 24 2017, 10:27 PM
poltertec edited edge metadata.

Update to 9.11.1_P1

poltertec retitled this revision from Update to 9.11.1 to Update to 9.11.1_P1. Jun 24 2017, 10:32 PM
poltertec edited the summary of this revision.
poltertec edited the summary of this revision. Jun 25 2017, 10:39 AM
sunnyflunk accepted this revision. Jun 30 2017, 10:29 AM
sunnyflunk added a subscriber: sunnyflunk.

LGTM. thanks

This revision was automatically updated to reflect the committed changes.