BIND 9.5.2-P2 is a SECURITY PATCH for BIND 9.5.2. It addresses two
potential cache poisoning vulnerabilities, both of which could allow
a validating recursive nameserver to cache data which had not been
authenticated or was invalid.
CVE identifiers: CVE-2009-4022, CVE-2010-0097
CERT advisories: VU#418861, VU#360341
Changes since 9.5.2-P1:
2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819]
2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
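Change 2831 is the bailiwick rule in resolver caching. The following is an added example, not BIND's own code: a resolver that queried the servers for example.com. keeps only records whose owner name falls under that zone and sets the rest aside to be re-fetched from their own authoritative source and validated in that context. The record tuples and the sample response are constructed for the example.

```python
from typing import List, Tuple

# Constructed record shape: (owner name, RR type, rdata). Not BIND's
# internal representation; just enough to show the bailiwick decision.
RR = Tuple[str, str, str]


def canonical(name: str) -> str:
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is at or below the apex `zone` (the root contains all)."""
    owner, zone = canonical(owner), canonical(zone)
    if zone == ".":
        return True
    # The leading "." in the suffix test keeps "notexample.com." from
    # matching the zone "example.com.".
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into records the resolver may validate and cache in
    the context of `zone`, and out-of-bailiwick records it must discard and
    re-fetch from their own authoritative source."""
    cacheable: List[RR] = []
    discarded: List[RR] = []
    for rr in records:
        (cacheable if in_bailiwick(rr[0], zone) else discarded).append(rr)
    return cacheable, discarded


# Constructed sample: what a server queried as authoritative for
# "example.com." might return, using RFC 5737 documentation addresses.
SAMPLE_RESPONSE: List[RR] = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("example.com.", "NS", "ns1.example.net."),
    # Glue-style record for a name in another zone: not this server's to assert.
    ("ns1.example.net.", "A", "198.51.100.1"),
    # A name that merely ends with the same characters as the zone.
    ("notexample.com.", "A", "203.0.113.9"),
]

if __name__ == "__main__":
    keep, drop = filter_response("example.com.", SAMPLE_RESPONSE)
    for rr in keep:
        print("cache    :", rr)
    for rr in drop:
        print("re-fetch :", rr)
```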
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
Specifying a fixed query source port was broken.
Address race condition in the socket code.
Give TCP connections longer to complete.
libxml2: support versions 2.7.* in addition to 2.6.*.
Document -m (enable memory usage debugging) option for dig.
Set initial timeout to 800ms.
For all the details see:
http://oldwww.isc.org/sw/bind/view/?release=9.5.1#RELEASE
--- 9.5.0-P2 released ---
2406. [bug] Some operating systems have FD_SETSIZE set to a low value by default, which can cause resource exhaustion when many simultaneous connections are open. Linux in particular makes it difficult to increase this value. To use more sockets with select(), set ISC_SOCKET_FDSETSIZE. Example:
STD_CDEFINES="-DISC_SOCKET_FDSETSIZE=4096" ./configure
(This should not be necessary in most cases, and never for an authoritative-only server.) [RT #18328]
2405. [cleanup] The default value for dnssec-validation was changed to "yes" in 9.5.0-P1 and all subsequent releases; this was inadvertently omitted from CHANGES at the time.
2404. [port] hpux: files unlimited support.
2403. [bug] TSIG context leak. [RT #18341]
2402. [port] Support Solaris 2.11 and over. [RT #18362]
2401. [bug] Expect to get E[MN]FILE errno internal_accept() (from accept() or fcntl() system calls). [RT #18358]
2399. [bug] Abort timeout queries to reduce the number of open UDP sockets. [RT #18367]
2398. [bug] Improve file descriptor management. New, temporary, named.conf option reserved-sockets, default 512. [RT #18344]
2397. [bug] gssapi_functions had too many elements. [RT #18355]
2396. [bug] Don't set SO_REUSEADDR for randomized ports. [RT #18336]
2395. [port] Avoid warning and no effect from "files unlimited" on Linux when running as root. [RT #18335]
2394. [bug] Default configuration options set the limit for open files to 'unlimited' as described in the documentation. [RT #18331]
2393. [bug] nested acls containing keys could trigger an assertion in acl.c. [RT #18166]
2392. [bug] remove 'grep -q' from acl test script, some platforms don't support it. [RT #18253]
2387. [bug] Silence compiler warnings in lib/isc/radix.c. [RT #18147] [RT #18258]
BIND 9.5.0 has a number of new features over 9.4, including:
- GSS-TSIG support (RFC 3645).
- DHCID support.
- Experimental http server and statistics support for named via xml.
- More detailed statistics counters including those supported in BIND 8.
- Faster ACL processing.
- Internal documentation generated by Doxygen.
- Efficient LRU cache-cleaning mechanism.
- NSID support (RFC 5001).