Pull up following revision(s) (requested by snj in ticket #1348):
doc/3RDPARTY: 1.1397 via patch external/bsd/bind/Makefile.inc: up to 1.24 via patch external/bsd/bind/dist/CHANGES: up to 1.24 external/bsd/bind/dist/README: up to 1.12 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-ls delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-signer delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-ls delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-signer delete external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.19 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.12 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.10 external/bsd/bind/dist/lib/dns/api: up to 1.12 external/bsd/bind/dist/lib/dns/message.c: up to 1.21 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.28 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.21 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.20 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.12 external/bsd/bind/dist/srcid: up to 1.18 external/bsd/bind/dist/version: up to 1.22 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch Update BIND to 9.10.4-P5, fixing CVE-2016-9131, CVE-2016-9147, and CVE-2016-9444.
This commit is contained in:
parent
fc3e589919
commit
3fea59b89e
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.11 2016/12/14 08:21:38 snj Exp $
|
||||
# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.12 2017/01/16 11:56:45 martin Exp $
|
||||
#
|
||||
# This file contains a list of the software that has been integrated into
|
||||
# NetBSD where we are not the primary maintainer.
|
||||
|
@ -113,8 +113,8 @@ Notes:
|
|||
bc includes dc, both of which are in the NetBSD tree.
|
||||
|
||||
Package: bind [named and utils]
|
||||
Version: 9.10.4-P4
|
||||
Current Vers: 9.10.4-P4
|
||||
Version: 9.10.4-P5
|
||||
Current Vers: 9.10.4-P5
|
||||
Maintainer: Paul Vixie <vixie@vix.com>
|
||||
Archive Site: ftp://ftp.isc.org/isc/bind9/
|
||||
Home Page: http://www.isc.org/software/bind/
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: Makefile.inc,v 1.21.2.1.2.2 2016/11/05 17:47:30 martin Exp $
|
||||
# $NetBSD: Makefile.inc,v 1.21.2.1.2.3 2017/01/16 11:56:42 martin Exp $
|
||||
|
||||
.if !defined(BIND9_MAKEFILE_INC)
|
||||
BIND9_MAKEFILE_INC=yes
|
||||
|
|
|
@ -1,3 +1,27 @@
|
|||
--- 9.10.4-P5 released ---
|
||||
|
||||
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
|
||||
in responses resulting in SERVFAIL being returned.
|
||||
[RT #43779]
|
||||
|
||||
4528. [bug] Only set the flag bits for the i/o we are waiting
|
||||
for on EPOLLERR or EPOLLHUP. [RT #43617]
|
||||
|
||||
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
|
||||
|
||||
4517. [security] Named could mishandle authority sections that were
|
||||
missing RRSIGs triggering an assertion failure.
|
||||
(CVE-2016-9444) [RT # 43632]
|
||||
|
||||
4510. [security] Named mishandled some responses where covering RRSIG
|
||||
records are returned without the requested data
|
||||
resulting in a assertion failure. (CVE-2016-9147)
|
||||
[RT #43548]
|
||||
|
||||
4508. [security] Named incorrectly tried to cache TKEY records which
|
||||
could trigger a assertion failure when there was
|
||||
a class mismatch. (CVE-2016-9131) [RT #43522]
|
||||
|
||||
--- 9.10.4-P4 released ---
|
||||
|
||||
4489. [security] It was possible to trigger assertions when processing
|
||||
|
|
|
@ -51,6 +51,11 @@ BIND 9
|
|||
For up-to-date release notes and errata, see
|
||||
http://www.isc.org/software/bind9/releasenotes
|
||||
|
||||
BIND 9.10.4-P5
|
||||
|
||||
This version contains fixes for CVE-2016-9131, CVE-2016-9147,
|
||||
CVE-2016-9444 and CVE-2016-9778.
|
||||
|
||||
BIND 9.10.4-P4
|
||||
|
||||
This version contains a fix for CVE-2016-8864.
|
||||
|
|
|
@ -29,4 +29,6 @@ a.short A 10.0.0.1
|
|||
short-dname DNAME short
|
||||
a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
|
||||
long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
|
||||
;
|
||||
cname CNAME a.cnamedname
|
||||
cnamedname DNAME target
|
||||
a.target A 10.0.0.3
|
||||
|
|
|
@ -63,6 +63,24 @@ grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
|
|||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking cname to dname from authoritative"
|
||||
ret=0
|
||||
$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
|
||||
grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking cname to dname from recursive"
|
||||
ret=0
|
||||
$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
|
||||
grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
|
||||
grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
|
||||
grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
|
||||
grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
|
||||
grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
|
||||
exit $status
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Shell script to start the zkt-ls command
|
||||
# out of the example directory
|
||||
#
|
||||
|
||||
if test ! -f dnssec.conf
|
||||
then
|
||||
echo Please start this skript out of the flat or hierarchical sub directory
|
||||
exit 1
|
||||
fi
|
||||
ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@"
|
|
@ -1,12 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Shell script to start the zkt-signer
|
||||
# command out of the example directory
|
||||
#
|
||||
|
||||
if test ! -f dnssec.conf
|
||||
then
|
||||
echo Please start this skript out of the flat or hierarchical sub directory
|
||||
exit 1
|
||||
fi
|
||||
ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@"
|
|
@ -1,12 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Shell script to start the zkt-ls command
|
||||
# out of the example directory
|
||||
#
|
||||
|
||||
if test ! -f dnssec.conf
|
||||
then
|
||||
echo Please start this skript out of the flat or hierarchical sub directory
|
||||
exit 1
|
||||
fi
|
||||
ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@"
|
|
@ -1,12 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Shell script to start the zkt-signer
|
||||
# command out of the example directory
|
||||
#
|
||||
|
||||
if test ! -f dnssec.conf
|
||||
then
|
||||
echo Please start this skript out of the flat or hierarchical sub directory
|
||||
exit 1
|
||||
fi
|
||||
ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@"
|
|
@ -555,6 +555,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -153,6 +153,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -669,6 +669,6 @@ controls {
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -2326,6 +2326,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -138,6 +138,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -12845,6 +12845,6 @@ HOST-127.EXAMPLE. MX 0 .
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -248,6 +248,6 @@ zone "example.com" {
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -134,6 +134,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -44,7 +44,7 @@
|
|||
<div class="toc">
|
||||
<p><b>Table of Contents</b></p>
|
||||
<dl class="toc">
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P4</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P5</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
|
||||
|
@ -60,13 +60,17 @@
|
|||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P4</h2></div></div></div>
|
||||
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P5</h2></div></div></div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
|
||||
<p>
|
||||
This document summarizes changes since BIND 9.10.4:
|
||||
</p>
|
||||
<p>
|
||||
BIND 9.10.4-P5 addresses the security issues described in
|
||||
CVE-2016-9131, CVE-2016-9147 and CVE-2016-9444.
|
||||
</p>
|
||||
<p>
|
||||
BIND 9.10.4-P4 addresses the security issue described in
|
||||
CVE-2016-8864.
|
||||
|
@ -102,6 +106,22 @@
|
|||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem"><p>
|
||||
Named could mishandle authority sections that were missing
|
||||
RRSIGs triggering an assertion failure. This flaw is
|
||||
disclosed in CVE-2016-9444. [RT # 43632]
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
Named mishandled some responses where covering RRSIG
|
||||
records are returned without the requested data
|
||||
resulting in a assertion failure. This flaw is disclosed in
|
||||
CVE-2016-9147. [RT #43548]
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
Named incorrectly tried to cache TKEY records which could
|
||||
trigger a assertion failure when there was a class mismatch.
|
||||
This flaw is disclosed in CVE-2016-9131. [RT #43522]
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
It was possible to trigger assertions when processing
|
||||
a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]
|
||||
|
@ -198,6 +218,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -155,6 +155,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -497,6 +497,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -543,6 +543,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -154,6 +154,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
<div>
|
||||
<div><h1 class="title">
|
||||
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
|
||||
<div><p class="releaseinfo">BIND Version 9.10.4-P4</p></div>
|
||||
<div><p class="releaseinfo">BIND Version 9.10.4-P5</p></div>
|
||||
<div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
|
||||
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
|
||||
</div>
|
||||
|
@ -239,7 +239,7 @@
|
|||
</dl></dd>
|
||||
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P4</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P5</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
|
||||
|
@ -385,6 +385,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -81,6 +81,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -185,6 +185,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -498,6 +498,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -809,6 +809,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -112,6 +112,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -219,6 +219,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -213,6 +213,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -177,6 +177,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -381,6 +381,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -455,6 +455,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -134,6 +134,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -264,6 +264,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -564,6 +564,6 @@ db.example.com.signed
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -164,6 +164,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -102,6 +102,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -247,6 +247,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -112,6 +112,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -253,6 +253,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -151,6 +151,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -338,6 +338,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -102,6 +102,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -104,6 +104,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -676,6 +676,6 @@ zone
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -369,6 +369,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -103,6 +103,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -663,6 +663,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -223,6 +223,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -246,6 +246,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -621,6 +621,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -21,13 +21,17 @@
|
|||
</head>
|
||||
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P4</h2></div></div></div>
|
||||
<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P5</h2></div></div></div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
|
||||
<p>
|
||||
This document summarizes changes since BIND 9.10.4:
|
||||
</p>
|
||||
<p>
|
||||
BIND 9.10.4-P5 addresses the security issues described in
|
||||
CVE-2016-9131, CVE-2016-9147 and CVE-2016-9444.
|
||||
</p>
|
||||
<p>
|
||||
BIND 9.10.4-P4 addresses the security issue described in
|
||||
CVE-2016-8864.
|
||||
|
@ -63,6 +67,22 @@
|
|||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem"><p>
|
||||
Named could mishandle authority sections that were missing
|
||||
RRSIGs triggering an assertion failure. This flaw is
|
||||
disclosed in CVE-2016-9444. [RT # 43632]
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
Named mishandled some responses where covering RRSIG
|
||||
records are returned without the requested data
|
||||
resulting in a assertion failure. This flaw is disclosed in
|
||||
CVE-2016-9147. [RT #43548]
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
Named incorrectly tried to cache TKEY records which could
|
||||
trigger a assertion failure when there was a class mismatch.
|
||||
This flaw is disclosed in CVE-2016-9131. [RT #43522]
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
It was possible to trigger assertions when processing
|
||||
a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]
|
||||
|
|
Binary file not shown.
|
@ -23,6 +23,10 @@
|
|||
<para>
|
||||
This document summarizes changes since BIND 9.10.4:
|
||||
</para>
|
||||
<para>
|
||||
BIND 9.10.4-P5 addresses the security issues described in
|
||||
CVE-2016-9131, CVE-2016-9147, CVE-2016-9444 and CVE-2016-9778.
|
||||
</para>
|
||||
<para>
|
||||
BIND 9.10.4-P4 addresses the security issue described in
|
||||
CVE-2016-8864.
|
||||
|
@ -57,6 +61,37 @@
|
|||
|
||||
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
A coding error in the <option>nxdomain-redirect</option>
|
||||
feature could lead to an assertion failure if the redirection
|
||||
namespace was served from a local authoritative data source
|
||||
such as a local zone or a DLZ instead of via recursive
|
||||
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Named could mishandle authority sections that were missing
|
||||
RRSIGs triggering an assertion failure. This flaw is
|
||||
disclosed in CVE-2016-9444. [RT # 43632]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Named mishandled some responses where covering RRSIG
|
||||
records are returned without the requested data
|
||||
resulting in a assertion failure. This flaw is disclosed in
|
||||
CVE-2016-9147. [RT #43548]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Named incorrectly tried to cache TKEY records which could
|
||||
trigger a assertion failure when there was a class mismatch.
|
||||
This flaw is disclosed in CVE-2016-9131. [RT #43522]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
It was possible to trigger assertions when processing
|
||||
|
|
|
@ -6,5 +6,5 @@
|
|||
# 9.9-sub: 130-139, 150-159
|
||||
# 9.10: 140-149, 160-169
|
||||
LIBINTERFACE = 165
|
||||
LIBREVISION = 3
|
||||
LIBREVISION = 4
|
||||
LIBAGE = 0
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: message.c,v 1.13.2.2.2.2 2016/10/14 11:42:46 martin Exp $ */
|
||||
/* $NetBSD: message.c,v 1.13.2.2.2.3 2017/01/16 11:56:44 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
@ -1158,6 +1158,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
|
|||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
/*
|
||||
* Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
|
||||
* covering RRSIGs.
|
||||
*/
|
||||
static isc_boolean_t
|
||||
auth_signed(dns_namelist_t *section) {
|
||||
dns_name_t *name;
|
||||
|
||||
for (name = ISC_LIST_HEAD(*section);
|
||||
name != NULL;
|
||||
name = ISC_LIST_NEXT(name, link))
|
||||
{
|
||||
int auth_dnssec = 0, auth_rrsig = 0;
|
||||
dns_rdataset_t *rds;
|
||||
|
||||
for (rds = ISC_LIST_HEAD(name->list);
|
||||
rds != NULL;
|
||||
rds = ISC_LIST_NEXT(rds, link))
|
||||
{
|
||||
switch (rds->type) {
|
||||
case dns_rdatatype_ds:
|
||||
auth_dnssec |= 0x1;
|
||||
break;
|
||||
case dns_rdatatype_nsec:
|
||||
auth_dnssec |= 0x2;
|
||||
break;
|
||||
case dns_rdatatype_nsec3:
|
||||
auth_dnssec |= 0x4;
|
||||
break;
|
||||
case dns_rdatatype_rrsig:
|
||||
break;
|
||||
default:
|
||||
continue;
|
||||
}
|
||||
|
||||
switch (rds->covers) {
|
||||
case dns_rdatatype_ds:
|
||||
auth_rrsig |= 0x1;
|
||||
break;
|
||||
case dns_rdatatype_nsec:
|
||||
auth_rrsig |= 0x2;
|
||||
break;
|
||||
case dns_rdatatype_nsec3:
|
||||
auth_rrsig |= 0x4;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (auth_dnssec != auth_rrsig)
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
||||
dns_section_t sectionid, unsigned int options)
|
||||
|
@ -1183,12 +1240,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|||
best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
|
||||
seen_problem = ISC_FALSE;
|
||||
|
||||
section = &msg->sections[sectionid];
|
||||
|
||||
for (count = 0; count < msg->counts[sectionid]; count++) {
|
||||
int recstart = source->current;
|
||||
isc_boolean_t skip_name_search, skip_type_search;
|
||||
|
||||
section = &msg->sections[sectionid];
|
||||
|
||||
skip_name_search = ISC_FALSE;
|
||||
skip_type_search = ISC_FALSE;
|
||||
free_rdataset = ISC_FALSE;
|
||||
|
@ -1573,6 +1630,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|||
INSIST(free_rdataset == ISC_FALSE);
|
||||
}
|
||||
|
||||
/*
|
||||
* If any of DS, NSEC or NSEC3 appeared in the
|
||||
* authority section of a query response without
|
||||
* a covering RRSIG, FORMERR
|
||||
*/
|
||||
if (sectionid == DNS_SECTION_AUTHORITY &&
|
||||
msg->opcode == dns_opcode_query &&
|
||||
((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
|
||||
((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
|
||||
!preserve_order &&
|
||||
!auth_signed(section))
|
||||
DO_FORMERR;
|
||||
|
||||
if (seen_problem)
|
||||
return (DNS_R_RECOVERABLE);
|
||||
return (ISC_R_SUCCESS);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: resolver.c,v 1.19.2.3.2.3 2016/11/05 17:47:33 martin Exp $ */
|
||||
/* $NetBSD: resolver.c,v 1.19.2.3.2.4 2017/01/16 11:56:44 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
@ -5467,15 +5467,12 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
|
|||
rdataset->type,
|
||||
&noqname);
|
||||
if (tresult == ISC_R_SUCCESS &&
|
||||
noqname != NULL) {
|
||||
tresult =
|
||||
dns_rdataset_addnoqname(
|
||||
noqname != NULL)
|
||||
(void) dns_rdataset_addnoqname(
|
||||
rdataset, noqname);
|
||||
RUNTIME_CHECK(tresult ==
|
||||
ISC_R_SUCCESS);
|
||||
}
|
||||
}
|
||||
if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
|
||||
if ((fctx->options &
|
||||
DNS_FETCHOPT_PREFETCH) != 0)
|
||||
options = DNS_DBADD_PREFETCH;
|
||||
addedrdataset = ardataset;
|
||||
result = dns_db_addrdataset(fctx->cache, node,
|
||||
|
@ -5609,11 +5606,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
|
|||
tresult = findnoqname(fctx, name,
|
||||
rdataset->type, &noqname);
|
||||
if (tresult == ISC_R_SUCCESS &&
|
||||
noqname != NULL) {
|
||||
tresult = dns_rdataset_addnoqname(
|
||||
noqname != NULL)
|
||||
(void) dns_rdataset_addnoqname(
|
||||
rdataset, noqname);
|
||||
RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -6751,7 +6746,7 @@ static isc_result_t
|
|||
answer_response(fetchctx_t *fctx) {
|
||||
isc_result_t result;
|
||||
dns_message_t *message;
|
||||
dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
|
||||
dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
|
||||
dns_name_t *cname = NULL;
|
||||
dns_rdataset_t *rdataset, *ns_rdataset;
|
||||
isc_boolean_t done, external, chaining, aa, found, want_chaining;
|
||||
|
@ -6759,7 +6754,7 @@ answer_response(fetchctx_t *fctx) {
|
|||
isc_boolean_t wanted_chaining;
|
||||
unsigned int aflag;
|
||||
dns_rdatatype_t type;
|
||||
dns_fixedname_t fdname, fqname, fqdname;
|
||||
dns_fixedname_t fdname, fqname;
|
||||
dns_view_t *view;
|
||||
|
||||
FCTXTRACE("answer_response");
|
||||
|
@ -6783,13 +6778,12 @@ answer_response(fetchctx_t *fctx) {
|
|||
aa = ISC_TRUE;
|
||||
else
|
||||
aa = ISC_FALSE;
|
||||
dqname = qname = &fctx->name;
|
||||
qname = &fctx->name;
|
||||
type = fctx->type;
|
||||
view = fctx->res->view;
|
||||
dns_fixedname_init(&fqdname);
|
||||
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
|
||||
while (!done && result == ISC_R_SUCCESS) {
|
||||
dns_namereln_t namereln, dnamereln;
|
||||
dns_namereln_t namereln;
|
||||
int order;
|
||||
unsigned int nlabels;
|
||||
|
||||
|
@ -6797,8 +6791,6 @@ answer_response(fetchctx_t *fctx) {
|
|||
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
|
||||
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
|
||||
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
|
||||
dnamereln = dns_name_fullcompare(dqname, name, &order,
|
||||
&nlabels);
|
||||
if (namereln == dns_namereln_equal) {
|
||||
wanted_chaining = ISC_FALSE;
|
||||
for (rdataset = ISC_LIST_HEAD(name->list);
|
||||
|
@ -6815,6 +6807,19 @@ answer_response(fetchctx_t *fctx) {
|
|||
log_formerr(fctx, "NSEC3 in answer");
|
||||
return (DNS_R_FORMERR);
|
||||
}
|
||||
if (rdataset->type == dns_rdatatype_tkey) {
|
||||
/*
|
||||
* TKEY is not a valid record in a
|
||||
* response to any query we can make.
|
||||
*/
|
||||
log_formerr(fctx, "TKEY in answer");
|
||||
return (DNS_R_FORMERR);
|
||||
}
|
||||
if (rdataset->rdclass != fctx->res->rdclass) {
|
||||
log_formerr(fctx, "Mismatched class "
|
||||
"in answer");
|
||||
return (DNS_R_FORMERR);
|
||||
}
|
||||
|
||||
/*
|
||||
* Apply filters, if given, on answers to reject
|
||||
|
@ -6923,15 +6928,19 @@ answer_response(fetchctx_t *fctx) {
|
|||
* a CNAME or DNAME).
|
||||
*/
|
||||
INSIST(!external);
|
||||
if ((rdataset->type !=
|
||||
dns_rdatatype_cname) ||
|
||||
!found_dname ||
|
||||
(aflag ==
|
||||
DNS_RDATASETATTR_ANSWER))
|
||||
/*
|
||||
* Don't use found_cname here
|
||||
* as we have just set it
|
||||
* above.
|
||||
*/
|
||||
if (cname == NULL &&
|
||||
!found_dname &&
|
||||
aflag ==
|
||||
DNS_RDATASETATTR_ANSWER)
|
||||
{
|
||||
have_answer = ISC_TRUE;
|
||||
if (rdataset->type ==
|
||||
dns_rdatatype_cname)
|
||||
if (found_cname &&
|
||||
cname == NULL)
|
||||
cname = name;
|
||||
name->attributes |=
|
||||
DNS_NAMEATTR_ANSWER;
|
||||
|
@ -7001,6 +7010,12 @@ answer_response(fetchctx_t *fctx) {
|
|||
rdataset != NULL;
|
||||
rdataset = ISC_LIST_NEXT(rdataset, link))
|
||||
{
|
||||
if (rdataset->rdclass != fctx->res->rdclass) {
|
||||
log_formerr(fctx, "Mismatched class "
|
||||
"in answer");
|
||||
return (DNS_R_FORMERR);
|
||||
}
|
||||
|
||||
/*
|
||||
* Only pass DNAME or RRSIG(DNAME).
|
||||
*/
|
||||
|
@ -7028,11 +7043,24 @@ answer_response(fetchctx_t *fctx) {
|
|||
return (DNS_R_FORMERR);
|
||||
}
|
||||
|
||||
if (dnamereln != dns_namereln_subdomain) {
|
||||
/*
|
||||
* If DNAME + synthetic CNAME then the
|
||||
* namereln is dns_namereln_subdomain.
|
||||
*
|
||||
* If synthetic CNAME + DNAME then the
|
||||
* namereln is dns_namereln_commonancestor
|
||||
* and the number of label must match the
|
||||
* DNAME. This order is not RFC compliant.
|
||||
*/
|
||||
|
||||
if (namereln != dns_namereln_subdomain &&
|
||||
(namereln != dns_namereln_commonancestor ||
|
||||
nlabels != dns_name_countlabels(name)))
|
||||
{
|
||||
char qbuf[DNS_NAME_FORMATSIZE];
|
||||
char obuf[DNS_NAME_FORMATSIZE];
|
||||
|
||||
dns_name_format(dqname, qbuf,
|
||||
dns_name_format(qname, qbuf,
|
||||
sizeof(qbuf));
|
||||
dns_name_format(name, obuf,
|
||||
sizeof(obuf));
|
||||
|
@ -7047,7 +7075,7 @@ answer_response(fetchctx_t *fctx) {
|
|||
want_chaining = ISC_TRUE;
|
||||
POST(want_chaining);
|
||||
aflag = DNS_RDATASETATTR_ANSWER;
|
||||
result = dname_target(rdataset, dqname,
|
||||
result = dname_target(rdataset, qname,
|
||||
nlabels, &fdname);
|
||||
if (result == ISC_R_NOSPACE) {
|
||||
/*
|
||||
|
@ -7064,13 +7092,11 @@ answer_response(fetchctx_t *fctx) {
|
|||
|
||||
dname = dns_fixedname_name(&fdname);
|
||||
if (!is_answertarget_allowed(view,
|
||||
dqname, rdataset->type,
|
||||
qname, rdataset->type,
|
||||
dname, &fctx->domain))
|
||||
{
|
||||
return (DNS_R_SERVFAIL);
|
||||
}
|
||||
dqname = dns_fixedname_name(&fqdname);
|
||||
dns_name_copy(dname, dqname, NULL);
|
||||
} else {
|
||||
/*
|
||||
* We've found a signature that
|
||||
|
@ -7216,7 +7242,8 @@ answer_response(fetchctx_t *fctx) {
|
|||
rdataset->trust =
|
||||
dns_trust_additional;
|
||||
|
||||
if (rdataset->type == dns_rdatatype_ns) {
|
||||
if (rdataset->type == dns_rdatatype_ns)
|
||||
{
|
||||
ns_name = name;
|
||||
ns_rdataset = rdataset;
|
||||
}
|
||||
|
|
|
@ -6,5 +6,5 @@
|
|||
# 9.9-sub: 130-139
|
||||
# 9.10: 140-149, 160-169
|
||||
LIBINTERFACE = 161
|
||||
LIBREVISION = 1
|
||||
LIBREVISION = 2
|
||||
LIBAGE = 1
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: socket.c,v 1.15.2.2.2.2 2016/10/14 11:42:50 martin Exp $ */
|
||||
/* $NetBSD: socket.c,v 1.15.2.2.2.3 2017/01/16 11:56:44 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
@ -4077,7 +4077,8 @@ process_fds(isc__socketmgr_t *manager, struct epoll_event *events, int nevents)
|
|||
* events. Note also that the read or write attempt
|
||||
* won't block because we use non-blocking sockets.
|
||||
*/
|
||||
events[i].events |= (EPOLLIN | EPOLLOUT);
|
||||
int fd = events[i].data.fd;
|
||||
events[i].events |= manager->epoll_events[fd];
|
||||
}
|
||||
process_fd(manager, events[i].data.fd,
|
||||
(events[i].events & EPOLLIN) != 0,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: socket.c,v 1.8.2.2.2.1 2016/10/14 11:42:50 martin Exp $ */
|
||||
/* $NetBSD: socket.c,v 1.8.2.2.2.2 2017/01/16 11:56:45 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
@ -2490,15 +2490,18 @@ SocketIoThread(LPVOID ThreadContext) {
|
|||
|
||||
request = lpo->request_type;
|
||||
|
||||
if (!bSuccess)
|
||||
errstatus = GetLastError();
|
||||
else
|
||||
errstatus = 0;
|
||||
if (!bSuccess) {
|
||||
if (!bSuccess && errstatus != ERROR_MORE_DATA) {
|
||||
isc_result_t isc_result;
|
||||
|
||||
/*
|
||||
* Did the I/O operation complete?
|
||||
*/
|
||||
errstatus = GetLastError();
|
||||
isc_result = isc__errno2resultx(errstatus, __FILE__, __LINE__);
|
||||
isc_result = isc__errno2resultx(errstatus,
|
||||
__FILE__, __LINE__);
|
||||
|
||||
LOCK(&sock->lock);
|
||||
CONSISTENT(sock);
|
||||
|
|
|
@ -1 +1 @@
|
|||
SRCID=853aa4b
|
||||
SRCID=2b12043
|
||||
|
|
|
@ -7,5 +7,5 @@ MAJORVER=9
|
|||
MINORVER=10
|
||||
PATCHVER=4
|
||||
RELEASETYPE=-P
|
||||
RELEASEVER=4
|
||||
RELEASEVER=5
|
||||
EXTENSIONS=
|
||||
|
|
Loading…
Reference in New Issue