Commit Graph

79 Commits

Author SHA1 Message Date
christos 1a8ca97519 Don't fill up /var/log/messages when the network is down; log EDNS failures
at debug 3.
2008-08-27 05:28:42 +00:00
he 2b2bbd444f Resolve conflicts from import of bind 9.5.0-P2. 2008-08-15 14:51:26 +00:00
he d552782165 Import bind 9.5.0-P2 2008-08-15 14:41:33 +00:00
dsl 345ef58291 Comment out the 'continue' in EXPECTEOL().
It only terminates execution of the 'do .. while (0)' loop.
EXPECTEOL() is always followed by 'continue' when called.
2008-07-25 22:09:52 +00:00
christos 7d50e0f80c resolve conflicts 2008-07-10 21:18:37 +00:00
christos 0a48355ff6 Import bind 9.5.0-P1 2008-07-10 14:17:08 +00:00
christos 14a6095c32 don't initialize fetch twice. 2008-06-23 18:10:26 +00:00
christos c3d3a6e4b6 Resolve conflicts 2008-06-21 18:59:24 +00:00
christos d50bc8ead7 import bind-9-5-0 2008-06-21 18:25:42 +00:00
mrg 313548c7c8 fix a MKCRYPTO=no bug - default_memalloc()/default_memfree() are
defined static but not used.
2008-02-03 04:07:34 +00:00
christos 4e783482fa Fix off-by-one buffer overflow. VU#203611, CVE-2008-0122 2008-01-18 16:20:57 +00:00
tls 642c01f5cd Mollify NetBSD's lint (which brokenly doesn't define __STDC__ and thus
picks up a bogus assert() macro from assert.h) by not putting double
quotes too close to macro using assert().
2007-11-04 22:02:35 +00:00
christos 92b1ea3abe Import bind 9.4.1-P1 2007-07-24 23:32:11 +00:00
ghen 94364b1084 Resolve conflicts. 2007-03-30 19:40:47 +00:00
ghen cc483ecacb Import bind-9.4.0. 2007-03-30 19:15:20 +00:00
christos f987814949 include <types.h> 2007-01-30 18:12:48 +00:00
christos 03f10a71aa provide non-atomic versions so that things compile for now. 2007-01-30 00:46:52 +00:00
christos 4455b59ff4 Use __inline consistently so that we avoid unused warnings. 2007-01-27 21:30:22 +00:00
christos 4674124bb1 resolve conflicts 2007-01-27 21:24:09 +00:00
christos c1a4ad93e3 Import bind-9.4.0-rc2 from ftp.isc.org 2007-01-27 21:02:43 +00:00
adrianp ee74a1421a Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1
* Assertion failure in ISC BIND SIG query processing (CVE-2006-4095)

- Recursive servers
Queries for SIG records will trigger an assertion failure if more
than one RRset is returned. However exposure can be minimized by
restricting which sources can ask for recursion.

- Authoritative servers
If a nameserver is serving a RFC 2535 DNSSEC zone and is queried
for the SIG records where there are multiple RRsets, then the
named program will trigger an assertion failure when it tries
to construct the response.

* INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096)

It is possible to trigger an INSIST failure by sending enough
recursive queries such that the response to the query arrives after
all the clients waiting for the response have left the recursion
queue. However exposure can be minimized by restricting which sources
can ask for recursion.

ok'ed christos@
2006-09-05 19:31:47 +00:00
jnemeth 50fe2341d5 force all assertions on when __COVERITY__ is set 2006-08-23 04:10:51 +00:00
christos af2ae0aa2f Initialize rdataset. 2006-05-14 01:18:41 +00:00
christos 2e0077c305 Add more coverity assertions. If this does not work, I will have to follow
a different tactic.
2006-04-02 00:53:56 +00:00
christos 1d00887f5d Insert coverity annotations [experimental; I don't know if those work
at the variable declaration level, but we'll see]
2006-03-29 16:40:50 +00:00
christos f252e17155 Coverity CID 2486: Fix uninitialized variable 2006-03-29 16:09:53 +00:00
christos deeaa98b3a make this compile when we don't use threads. 2005-12-22 15:14:12 +00:00
christos 719d30b842 resolve conflicts. 2005-12-22 00:26:23 +00:00
christos e471bad6c5 import the real 9.3.2 not 9.2.3. 2005-12-21 23:16:49 +00:00
christos 7ccb4c5f89 import the real 9.3.2 not 9.2.3. 2005-12-21 23:06:48 +00:00
christos 292526bfd4 Resolve conflicts. 2005-12-21 22:34:31 +00:00
christos 348525eba6 from ftp.isc.org 2005-12-21 19:50:15 +00:00
christos 85962585ac Remove inline from rotate_{left,right}. Breaks compilation with gcc-3.3
and macppc. It is fixed in gcc-3.4
2005-02-22 18:42:15 +00:00
itojun 3d34ee60f0 fix CERT VU#938617 (vulnerable to denial of service in validator code)
ftp://ftp.isc.org/isc/bind/9.3.0/9.3.0-patch1
2005-01-27 03:56:23 +00:00
christos efbc48848e Resolve conflicts 2004-11-07 00:16:59 +00:00
christos dfd98c8a16 Import bind-9.3.0 2004-11-06 23:53:21 +00:00
dsl 238960af7e Add (unsigned char) cast to ctype function 2004-10-29 19:51:36 +00:00
christos 77e4a238b7 make this compile in the absence of threads. 2004-05-21 16:03:32 +00:00
itojun e36da74472 support kame-style fe80::1%interface. this part of the code is marked as
"up to OS designer".  from bind9-current/patches.
2004-05-19 19:19:58 +00:00
christos 4563e44b43 Include <sys/param.h> needed by <sys/sysctl.h> 2004-05-18 00:15:29 +00:00
christos 53a0028e47 Resolve conflicts 2004-05-18 00:03:56 +00:00
christos 1885fbb90d Import bind 9.3.0beta3 2004-05-17 23:43:04 +00:00
agc 865595bdf3 Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22253, verified by myself.
2003-08-07 09:20:39 +00:00
itojun edc2bcfc9f resolve conflicts 2003-06-09 13:19:33 +00:00
itojun 8912e04d45 sync w/ 8.3.5 2003-06-03 07:33:24 +00:00
itojun 261b3b5bbe ISC BIND 8.3.5
Highlights vs. 8.3.4
        Maintenance release.

        --- 8.3.5-REL released --- (Mon Jun  2 03:15:53 PDT 2003)
1540.	[bug]		remove potential memory leak from net_data_create().
1537.	[bug]		dig buffer overrun with large command lines.
1535.	[bug]		winnt: large zone transfers failed.
1536.	[cleanup]	use NS_MAXMSG to define TCP buffers.
1534.	[func]		The advertised EDNS UDP buffer size can now be set
			via named.conf (edns-udp-size).
1533.	[bug]		don't artificially restrict the update message size.
1532.	[bug]		use maximum sized answer buffers in res_findzonecut().
1530.	[bug]		nslookup computed incorrect reverse lookup for IPv6.
1529.	[lint]		unused variable in dnsquery.c::main().
1528.	[bug]		getaddrinfo() incorrectly rejected a numeric service
			under certain circumstances.
1527.	[proto]		add ns_t_apl (42).
1526.	[doc]		res_{get,set}servers().
1523.	[bug]		getipnodebyname with AI_ADDRCONFIG set was broken
			on HPUX 11.11.  Detect IPv6 interfaces under linux.
1519.	[port]		decunix: conflicting setnetgrent() and innetgr()
			prototypes.
1518.	[cleanup]	silence "No root nameservers for class XX" when
			"forward only;" is set in options.
1517.	[cleanup]	stop using putshort/putlong internally.
1513.	[bug]		use ipnodes.{byname,byaddr} for IPv6 NIS lookups.
			Add support for "YP_MULTI_".
1511.	[cleanup]	don't use argument names in function prototypes.
1510.	[port]		openbsd uses /bsd not /kernel.
1506.	[bug]		named could sometimes set tc incorrectly.
1505.	[bug]		potential overflow if pointer arithmetic wrapped.
1503.	[bug]		named could make unnecessary queries for glue if the
			additional section was full.
1501.	[port]		decunix: OSF 3.2 does not have native 64 bit support.
1500.	[port]		linux: namespace collision.
1499.	[port]		linux: #include <time.h> bin/dig/dig.c
1498.	[bug]		ns_makecanon() could under read its destination buffer
			by one character and fail to properly canonicalise.
1497.	[bug]		res_mkupdate() used compression pointers when it
			shouldn't.
1496.	[bug]		res_mkupdate() didn't support NAPTR.
1494.	[bug]		memory leak on thread destruction if gethostbyname() /
			getnetbyname() have been called by the thread.
1493.	[bug]		check scope for link local servers.
1492.	[placeholder]
1491.	[cleanup]	indentation problems.
1490.	[bug]		the seek offset was miscalculated when truncating
			the ixfr log.
1489.	[func]		named no longer queries for missing additional A6
			records.
1488.	[port]		decunix: TruCluster support.
			See port/decunix/TruCluster.
1487.	[bug]		getnetgroup() takes (char **) not (const char **).
1486.	[func]		res_query() now generates more/better debug on failure
1485.	[func]		res_send() records the nameserver the response came
			from.  Dig retrieves this rather than reporting the
			first address.
1484.	[bug]		dig use sin.sin_port for IPv4.
1483.	[bug]		nslookup could dereference a NULL pointer under certain
			circumstances.
1482.	[bug]		provide local storage for localtime_r result.
1481.	[bug]		tv.tv_sec and time_t are not always the same type.
1480.	[bug]		gethostbyname(), getaddrinfo() could drop address
			if the previous call contained one of the new
			addresses.
1479.	[func]		try known lame servers if all other servers have
			failed.
1478.	[cleanup]	libbind: don't look for A6 records, don't follow
			DNAME record (use the CNAMES), remove some bitstring
			related functions.
1477.	[cleanup]	libbind: namespace cleanup (irs_* to __irs*,
			dst_* to __dst_* and tree_* to __tree*)
1476.	[bug]		dig wasn't using a random query id.
1475.	[bug]		"query-source address <listening interface> port *"
			failed to use a system assigned port as documented.
1474.	[bug]		named wasn't seeing cached NODATA CNAME records.
1473.	[bug]		nslookup: buffer overrun when looking up reverse
			IPv6 addresses under IP6.INT when not found under
			IP6.ARPA.
1472.	[port]		freebsd; current has pselect().
1471.	[port]		'dig -P' failed on some platforms.
1470.	[bug]		J.ROOT-SERVERS.NET is now 192.58.128.30.
1467.	[deleted]
1461.	[func]		return referrals for glue (NS/A/AAAA) if recursion is
			disabled (recursion no;).
1460.	[bug]		NS_MD5RSA_MAX_BITS was not correct.
1459.	[bug]		ns_sign2() could fail to compute a correct signature
			if the TSIG ownername was compressed.
1458.	[bug]		host: spurious "Unknown algorithm" message with default
			zone listing.  missing white space before '(' in SOA
			format.
1457.	[bug]		bison didn't like ns_parser.y.
1456.	[doc]		document auth-nxdomain default is "no" (see # 524).
1455.	[bug]		named failed to allow a cached NODATA response for
			an ANY query to be retrieved.
1454.	[contrib]	nsverifier from Bob.Whelton@qwest.com.
1453.	[bug]		SOA answers should only be cached for the current
			tick.
1452.	[bug]		don't cache -ve response SOA record.
1451.	[port]		bsdos: maybe_fix_includes is not required.
1450.	[bug]		hint zones don't need to be reloaded when a "child"
			zone is removed.
1449.	[bug]		it was possible to orphan glue records.  this could
			lead to panics in stale().
1438.	[bug]		glue from a parent zone beneath a child zone could
			be deleted by loading a child zone.
1437.	[bug]		linux: probe_ipv6 was broken.
1436.	[port]		decunix: update sys/bitypes.h
1435.	[func]		named-xfer: log the zone name when reporting query
			sent.
1434.	[doc]		the man page for dn_expand failed to document eomorig.
1433.	[lint]		remove unused variable.
1432.	[func]		log TSIG key name if used with zone transfer.
1431.	[func]		new category "update-security".
1430.	[func]		libbind: the default nameservers now include ::1/::
			as well as 127.0.0.1/0.0.0.0 if none are specified in
			resolv.conf.
1429.	[port]		libbind: use strlcat/strlcpy if available.
1428.	[port]		eventlib.c: cast tv_sec to long when calling *printf().
1427.	[func]		define INT8SZ
1426.	[port]		res_dprintf() now supports format checking w/ gcc.
1425.	[bug]		'aa' was not being set appropriately with cross zone
			CNAMES.
1424.	[cleanup]	ip6_str2scopeid() now returns u_int32_t.
1423.	[bug]		'ndc restart' could fail to restart named if there
			were no arguments to named.
1422.	[cleanup]	optarg() etc. are declared in unistd.h.
1421.	[bug]		clear and check errno when calling strtoul().
1420.	[cleanup]	use %p instead of %#x for printing pointers.
1419.	[cleanup]	getinfo(): kill buflen manipulation.
1418.	[port]		cast pointers to (size_t) when aligning.
1417.	[cleanup]	make1101inaddr(): kill size manipulation.
1416.	[port]		log_vwrite() now supports format checking w/ gcc.
1415.	[port]		irix: probe for in6addr_any.
1414.	[bug]		strtoul() cast (char*) to (unsigned char*).
1413.	[bug]		host: soa values are not signed.
1412.	[bug]		fix numeric port range check in getaddrinfo().
1411.	[port]		freebsd/netbsd/openbsd: #define USE_IFNAMELINKID.
1410.	[port]		probe for sin6_scope_id when probing for IPv6 structs.
1409.	[bug]		dig: reverse6 computed an incorrect nibble string.
1408.	[cleanup]	res_mkquery.c: kill buflen manipulation.
1407.	[port]		namespace clash EV_ERR -> EV_SETERR
2003-06-03 07:04:45 +00:00
he 07b4ce5d12 Track type changes in <arpa/inet.h>, so that BIND compiles again. 2003-05-06 07:31:43 +00:00
itojun 729df1257b sync with bind 8.3.4. 2002-11-17 14:09:52 +00:00
itojun 90a2edbc75 apply http://www.isc.org/products/BIND/patches/bind833.diff to fix recent
vulnerabilities:

* BIND: Remote Execution of Code (BIND 4 & 8)
* BIND: Multiple Denial of Service (BIND 8 only)
2002-11-14 02:04:27 +00:00
jdolecek 580acd6b37 Fix bug introduced in previous rev 1.5 - the for() body in decode_bitstring()
needs to be wrapped with curly braces.
Pointed out by Greg A. Woods in bin/17525.
2002-07-10 19:30:14 +00:00