Opened 9 years ago

Closed 9 years ago

#7378 closed enhancement (fixed)

bind-9.10.3-P3 (bind9.10.3-P3) and BIND Utilities-9.10.3-P3

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.9
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

This is a security update

CVE-2015-3193 (OpenSSL)
CVE-2015-8000
CVE-2015-8461
CVE-2015-8704
CVE-2015-8705

ftp://ftp.isc.org/isc/bind9/9.10.3-P3/bind-9.10.3-P3.tar.gz

ftp://ftp.isc.org/isc/bind9/9.10.3-P3/bind-9.10.3-P3.tar.gz.asc

ftp://ftp.isc.org/isc/bind9/9.10.3-P3/bind-9.10.3-P3.tar.gz.sha512.asc

ftp://ftp.isc.org/isc/bind9/9.10.3-P3/CHANGES

ftp://ftp.isc.org/isc/bind9/9.10.3-P3/RELEASE-NOTES.bind-9.10.3-P3.txt

Release Notes for BIND Version 9.10.3-P3

Introduction

   This document summarizes changes since BIND 9.10.3:

 • BIND 9.10.3-P3 addresses the security issues described in
   CVE-2015-8704 and CVE-2015-8705. It also fixes a serious regression
   in authoritative server selection that was introduced in BIND 9.10.3.

 • BIND 9.10.3-P2 addresses the security issues described in
   CVE-2015-3193 (OpenSSL), CVE-2015-8000 and CVE-2015-8461.

 • BIND 9.10.3-P1 was incomplete and was withdrawn prior to publication.

Security Fixes

     • Specific APL data could trigger an INSIST. This flaw was
       discovered by Brian Mitchell and is disclosed in CVE-2015-8704.
       [RT #41396]
     • Certain errors that could be encountered when printing out or
       logging an OPT record containing a CLIENT-SUBNET option could be
       mishandled, resulting in an assertion failure. This flaw was
       discovered by Brian Mitchell and is disclosed in CVE-2015-8705.
       [RT #41397]
     • Named is potentially vulnerable to the OpenSSL vulnerability
       described in CVE-2015-3193.
     • Insufficient testing when parsing a message allowed records with
       an incorrect class to be accepted, triggering a REQUIRE
       failure when those records were subsequently cached. This flaw is
       disclosed in CVE-2015-8000. [RT #40987]
     • Incorrect reference counting could result in an INSIST failure if
       a socket error occurred while performing a lookup. This flaw is
       disclosed in CVE-2015-8461. [RT #40945]

New Features

     • None.

Feature Changes

     • Updated the compiled in addresses for H.ROOT-SERVERS.NET.

Bug Fixes

     • Authoritative servers that were marked as bogus (e.g. blackholed
       in configuration or with invalid addresses) were being queried
       anyway.  [RT #41321]

End of Life

   The end of life for BIND 9.10 is yet to be determined but will not be
   before BIND 9.12.0 has been released for 6 months.
   https://www.isc.org/downloads/software-support-policy/

Change History (3)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 9 years ago

I always have a problem with bind:

$ sudo named-checkconf /srv/named/etc/named.conf
/srv/named/etc/named.conf:11: change directory to '/etc/namedb' failed: file not found

/srv/named/etc/named.conf:11: parsing failed

Here, we have:

$ sudo grep /etc/namedb /srv/named/etc/named.conf
    directory "/etc/namedb";

after directory created,

$ sudo ln -svfn /srv/named /etc/namedb

error is gone:

$ sudo named-checkconf /srv/named/etc/named.conf
$

Will not make any modification, regarding that, but wanted to communicate (for the second time).

Question: is that new link above some kind of a risk?
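
The path mismatch shown in comment 2, as an added example that is not part of the ticket or of the BLFS book: a shell check that reports where the `directory` option of a named.conf resolves inside the chroot and on the host. It assumes `/srv/named` is the chroot named runs in (the ticket does not say so); the `HOSTROOT` argument and the result labels are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example. Usage (paths are assumptions taken from the comment above):
#   sh check-named-dir.sh /srv/named /srv/named/etc/named.conf

# Print the path from the first `directory "...";` statement in a named.conf.
conf_directory() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# classify_directory CHROOT CONF [HOSTROOT]
# CONF is the config path as seen from the host. HOSTROOT is a hypothetical
# prefix standing in for "/" so the check can be run against a scratch tree.
classify_directory() {
    chroot_dir=$1
    conf=$2
    hostroot=${3:-}
    dir=$(conf_directory "$conf")
    [ -n "$dir" ] || { echo "no-directory-option"; return 0; }
    if [ ! -d "$chroot_dir$dir" ]; then
        echo "missing-in-chroot"   # a chrooted named could not chdir here
    elif [ -L "$hostroot$dir" ]; then
        echo "host-symlink"        # a host-side link like the one in the comment
    elif [ -d "$hostroot$dir" ]; then
        echo "host-copy"           # unchrooted checks read a separate host tree
    else
        echo "chroot-only"         # unchrooted named-checkconf fails on chdir
    fi
}

# Run only when called with arguments, so sourcing the file has no side effects.
if [ "$#" -ge 2 ]; then
    classify_directory "$@"
fi
```

For the `chroot-only` case, `named-checkconf -t /srv/named /etc/named.conf` (run as root) checks the file from inside the chroot, so no host-side path is needed.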

comment:3 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16825.
