Opened 10 years ago
Closed 10 years ago
#7378 closed enhancement (fixed)
bind-9.10.3-P3 (bind9.10.3-P3) and BIND Utilities-9.10.3-P3
| Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
|---|---|---|---|
| Priority: | high | Milestone: | 7.9 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
This is a security update
CVE-2015-3193 (OpenSSL) CVE-2015-8000 CVE-2015-8461 CVE-2015-8704 CVE-2015-8705
ftp://ftp.isc.org/isc/bind9/9.10.3-P3/bind-9.10.3-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.10.3-P3/bind-9.10.3-P3.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.10.3-P3/bind-9.10.3-P3.tar.gz.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.10.3-P3/CHANGES
ftp://ftp.isc.org/isc/bind9/9.10.3-P3/RELEASE-NOTES.bind-9.10.3-P3.txt
Release Notes for BIND Version 9.10.3-P3
Introduction
This document summarizes changes since BIND 9.10.3:
• BIND 9.10.3-P3 addresses the security issues described in
CVE-2015-8704 and CVE-2015-8705. It also fixes a serious regression
in authoritative server selection that was introduced in BIND 9.10.3.
• BIND 9.10.3-P2 addresses the security issues described in
CVE-2015-3193 (OpenSSL), CVE-2015-8000 and CVE-2015-8461.
• BIND 9.10.3-P1 was incomplete and was withdrawn prior to publication.
Security Fixes
• Specific APL data could trigger an INSIST. This flaw was
discovered by Brian Mitchell and is disclosed in CVE-2015-8704.
[RT #41396]
• Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could be
mishandled, resulting in an assertion failure. This flaw was
discovered by Brian Mitchell and is disclosed in CVE-2015-8705.
[RT #41397]
• Named is potentially vulnerable to the OpenSSL vulnerability
described in CVE-2015-3193.
• Insufficient testing when parsing a message allowed records with
an incorrect class to be accepted, triggering a REQUIRE
failure when those records were subsequently cached. This flaw is
disclosed in CVE-2015-8000. [RT #40987]
• Incorrect reference counting could result in an INSIST failure if
a socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
• None.
Feature Changes
• Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
• Authoritative servers that were marked as bogus (e.g. blackholed
in configuration or with invalid addresses) were being queried
anyway. [RT #41321]
End of Life
The end of life for BIND 9.10 is yet to be determined but will not be
before BIND 9.12.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/
Change History (3)
comment:1 by , 10 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 10 years ago

I always have a problem with bind:
Here, we have:
$ sudo grep /etc/namedb /srv/named/etc/named.conf
directory "/etc/namedb";
After the directory is created, the error is gone:
Will not make any modification, regarding that, but wanted to communicate (for the second time).
Question: is that new link above some kind of a risk?