Mailinglist Archive: opensuse-updates (111 mails)

< Previous Next >
openSUSE-SU-2013:0605-1: moderate: bind: update to 9.8.4-P2
openSUSE Security Update: bind: update to 9.8.4-P2

Announcement ID: openSUSE-SU-2013:0605-1
Rating: moderate
References: #811876
Cross-References: CVE-2012-1667 CVE-2012-3817 CVE-2012-3868
CVE-2012-4244 CVE-2012-5166 CVE-2012-5688
Affected Products:
openSUSE 12.1

An update that fixes 7 vulnerabilities is now available.


bind was updated to 9.8.4-P2 to fix security problems and

Security Fixes Removed the check for regex.h in configure
in order to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some platforms.
[CVE-2013-2266] [RT #32688] (bnc#811876) Prevents
named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a
result of specific queries that are received. (Note that
this fix is a subset of a series of updates that will be
included in full in BIND 9.8.5 and 9.9.3 as change #3388,
RT #30996). [CVE-2012-5688] [RT #30792] A deliberately
constructed combination of records could cause named to
hang while populating the additional section of a response.
[CVE-2012-5166] [RT #31090] Prevents a named assert (crash)
when queried for a record whose RDATA exceeds 65535 bytes
[CVE-2012-4244] [RT #30416] Prevents a named assert
(crash) when validating caused by using "Bad cache" data
before it has been initialized. [CVE-2012-3817] [RT #30025]
A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior,
including termination of the named process.
[CVE-2012-1667] [RT #29644] New Features Elliptic Curve
Digital Signature Algorithm keys and signatures in DNSSEC
are now supported per RFC 6605. [RT #21918] Feature Changes
Improves OpenSSL error logging [RT #29932] nslookup now
returns a nonzero exit code when it is unable to get an
answer. [RT #29492] Bug Fixes Uses binary mode to open raw
files on Windows. [RT #30944] Static-stub zones now accept
"forward" and "fowarders" options (often needed for
subdomains of the zone referenced to override global
forwarding options). These options are already available
with traditional stub zones and their omission from zones
of type "static-stub" was an inadvertent oversight. [RT
#30482] Limits the TTL of signed RRsets in cache when their
RRSIGs are approaching expiry. This prevents the
persistence in cache of invalid RRSIGs in order to assist
recovery from a situation where zone re-signing doesn't
occur in a timely manner. With this change, named will
attempt to obtain new RRSIGs from the authoritative server
once the original ones have expired, and even if the TTL of
the old records would in other circumstances cause them to
be kept in cache for longer. [RT #26429] Corrects the
syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which
are employed on Itanium systems to speed up lock management
by making use of atomic operations. Without the syntax
correction it is possible that concurrent access to the
same structures could accidentally occur with unpredictable
results. [RT #25181] The configure script now supports and
detects libxml2-2.8.x correctly [RT #30440] The host
command should no longer assert on some architectures and
builds while handling the time values used with the -w
(wait forever) option. [RT #18723] Invalid zero settings
for max-retry-time, min-retry-time, max-refresh-time,
min-refresh-time will now be detected during parsing of
named.conf and an error emitted instead of triggering an
assertion failure on startup. [RT #27730] Removes spurious
newlines from log messages in zone.c [RT #30675] When
built with readline support (i.e. on a system with readline
installed) nsupdate no longer terminates unexpectedly in
interactive mode. [RT #29550] All named tasks that perform
task-exclusive operations now share the same single task.
Prior to this change, there was the possibility of a race
condition between rndc operations and other functions such
as re-sizing the adb hash table. If the race condition was
encountered, named would in most cases terminate
unexpectedly with an assert. [RT #29872] Ensures that
servers are expired from the ADB cache when the timeout
limit is reached so that their learned attributes can be
refreshed. Prior to this change, servers that were
frequently queried might never have their entries removed
and reinitialized. This is of particular importance to
DNSSEC-validating recursive servers that might erroneously
set "no-edns" for an authoritative server following a
period of intermittent connectivity. [RT #29856] Adds
additional resilience to a previous security change (3218)
by preventing RRSIG data from being added to cache when a
pseudo-record matching the covering type and proving
non-existence exists at a higher trust level. The earlier
change prevented this inconsistent data from being
retrieved from cache in response to client queries - with
this additional change, the RRSIG records are no longer
inserted into cache at all. [RT #26809] dnssec-settime will
now issue a warning when the writing of a new private key
file would cause a change in the permissions of the
existing file. [RT #27724] Fixes the defect introduced by
change #3314 that was causing failures when saving stub
zones to disk (resulting in excessive CPU usage in some
cases). [RT #29952] It is now possible to using multiple
control keys again - this functionality was inadvertently
broken by change #3924 (RT #28265) which addressed a memory
leak. [RT #29694] Setting resolver-query-timeout too low
could cause named problems recovering after a loss of
connectivity. [RT #29623] Reduces the potential build-up
of stale RRsets in cache on a busy recursive nameserver by
re-using cached DS and RRSIG rrsets when possible [RT
#29446] Corrects a failure to authenticate non-existence of
resource records in some circumstances when RPZ has been
configured. Also:
- adds an optional "recursive-only yes|no" to the
response-policy statement
- adds an optional "max-policy-ttl" to the
response-policy statement to limit the false data that
"recursive-only no" can introduce into resolvers' caches
- introduces a predefined encoding of PASSTHRU policy
by adding "rpz-passthru" to be used as the target of CNAME
policy records (the old encoding is still accepted.)
- adds a RPZ performance test to bin/tests/system/rpz
when queryperf is available. [RT #26172]
Upper-case/lower-case handling of RRSIG signer-names is now
handled consistently: RRSIG records are generated with the
signer-name in lower case. They are accepted with any case,
but if they fail to validate, we try again in lower case.
[RT #27451]

- Update the IPv4 address of the D root name server.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.1:

zypper in -t patch openSUSE-2013-296

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.1 (i586 x86_64):


- openSUSE 12.1 (x86_64):


- openSUSE 12.1 (noarch):


- openSUSE 12.1 (ia64):



< Previous Next >
This Thread
  • No further messages