Security fixes:
CVE-2017-9233 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
[MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
d4f735b88d9932bd5039df2335eefdd0723dbe20
(Fixed version of existing downstream patches!)
(SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names; commits
* 896b6c1fd3b842f377d1b62135dccf0a579cf65d
* af507cef2c93cb8d40062a0abe43a4f4e9158fb2
#16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
#25 More integer overflow detection (function poolGrow); commits
* 810b74e4703dcfdd8f404e3cb177d44684775143
* 44178553f3539ce69d34abee77a05e879a7982ac
[MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
* 4be2cb5afcc018d996f34bbbce6374b7befad47f
* 7e5b71b748491b6e459e5c9a1d090820f94544d8
[MOX-005] #30 Use high quality entropy for hash initialization:
* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI
* RtlGenRandom on Windows XP / Server 2003 and later
* getrandom on Linux 3.17+
In a way, that's still part of CVE-2016-5300.
https://github.com/libexpat/libexpat/pull/30/commits
[MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak, commit
04ad658bd3079dd15cb60fc67087900f0ff4b083
[MOX-003] Prevent use of uninitialised variable; commit
[MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
[MOX-006] * NULL checks; commits
* d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
* 9ed727064b675b7180c98cb3d4f75efba6966681
* 6a747c837c50114dfa413994e07c0ba477be4534
* Negative length (XML_Parse); commit
[MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
[MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
to go further with fixing CVE-2012-0876.
https://github.com/libexpat/libexpat/pull/39/commits
Bug fixes:
#32 Fix sharing of hash salt across parsers;
relevant where XML_ExternalEntityParserCreate is called
prior to XML_Parse, in particular (e.g. FBReader)
#28 xmlwf: Auto-disable use of memory-mapping (and parsing
as a single chunk) for files larger than ~1 GB (2^30 bytes)
rather than failing with error "out of memory"
#3 Fix double free after malloc failure in DTD code; commit
7ae9c3d3af433cd4defe95234eae7dc8ed15637f
#17 Fix memory leak on parser error for unbound XML attribute
prefix with new namespaces defined in the same tag;
found by Google's OSS-Fuzz; commits
* 16f87daae5a16132e479e4f71862128c7a915c73
* b47dbc9745932c160893d433220e462bd605f8cd
xmlwf on Windows: Add missing calls to CloseHandle
New features:
#30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
for runtime debugging of entropy extraction
Other changes:
Increase code coverage
#33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
XML_UNICODE_WCHAR_T was never meant to be used outside
of Windows; 4-byte wchar_t is common on Linux
(SF.net) #538 Start using -fno-strict-aliasing
(SF.net) #540 Support compilation against cloudlibc of CloudABI
Allow MinGW cross-compilation
(SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default)
to bypass compilation of the xmlwf.1 man page
(SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default)
to bypass installation of expat files
CMake: Fix ninja support
Autotools: Add parameters --enable-xml-context [COUNT]
and --disable-xml-context; default of context of 1024
bytes enabled unchanged
#14 Drop AmigaOS 4.x code and includes
#14 Drop ancient build systems:
* Borland C++ Builder
* OpenVMS
* Open Watcom
* Visual Studio 6.0
* Pre-X Mac OS (MPW Makefile)
If you happen to rely on some of these, please get in
touch for joining with maintenance.
#10 Move from WIN32 to _WIN32
#13 Fix "make run-xmltest" order instability
Address compile warnings
Bump version info from 7:2:6 to 7:3:6
Add AUTHORS file
Infrastructure:
#1 Migrate from SourceForge to GitHub (except downloads):
https://github.com/libexpat/#1 Re-create http://libexpat.org/ project website
Start utilizing Travis CI
Special thanks to:
Andy Wang
Don Lewis
Ed Schouten
Karl Waclawek
Pascal Cuoq
Rhodri James
Sergei Nikulov
Tobias Taschner
Viktor Szakats
and
Core Infrastructure Initiative
Mozilla Foundation (MOSS Track 3: Secure Open Source)
Radically Open Security
4632. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
4631. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]
4581. [port] Linux: Add getpid and getrandom to the list of system
calls named uses for seccomp. [RT #44883]
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
4571. [bug] Out-of-tree builds of backtrace_test failed.
4570. [cleanup] named did not correctly fall back to the built-in
initializing keys if the bind.keys file was present
but empty. [RT #44531]
4568. [contrib] Added a --with-bind option to the dnsperf configure
script to specify BIND prefix path.
4567. [port] Call getprotobyname and getservbyname prior to calling
chroot so that shared libraries get loaded. [RT #44537]
4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]
4563. [bug] Modified zones would occasionally fail to reload.
[RT #39424]
4561. [port] Silence a warning in strict C99 compilers. [RT #44414]
4560. [bug] mdig: add -m option to enable memory debugging rather
than having it on all the time. [RT #44509]
4559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES
was turned off. [RT #44509]
4554. [bug] Remove double unlock in dns_dispatchmgr_setudp.
[RT #44336]
4553. [bug] Named could deadlock there were multiple changes to
NSEC/NSEC3 parameters for a zone being processed at
the same time. [RT #42770]
4552. [bug] Named could trigger a assertion when sending notify
messages. [RT #44019]
4551. [test] Add system tests for integrity checks of MX and
SRV records. [RT #43953]
4550. [cleanup] Increased the number of available master file
output style flags from 32 to 64. [RT #44043]
4547. [port] Add support for --enable-native-pkcs11 on the AEP
Keyper HSM. [RT #42463]
4543. [bug] dns_client_startupdate now delays sending the update
request until isc_app_ctxrun has been called.
[RT #43976]
4541. [bug] rndc addzone should properly reject non master/slave
zones. [RT #43665]
4539. [bug] Referencing a nonexistent zone with RPZ could lead
to a assertion failure when configuring. [RT #43787]
4538. [bug] Call dns_client_startresolve from client->task.
[RT #43896]
4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576]
4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
when reusing the event structure. [RT #43885]
4535. [bug] Address race condition in setting / testing of
DNS_REQUEST_F_SENDING. [RT #43889]
4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]
4533. [bug] dns_client_update should terminate on prerequisite
failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
and also on BADZONE. [RT #43865]
4532. [contrib] Make gen-data-queryperf.py python 3 compatible.
[RT #43836]
4529. [cleanup] Silence noisy log warning when DSCP probe fails
due to firewall rules. [RT #43847]
4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
4526. [doc] Corrected errors and improved formatting of
grammar definitions in the ARM. [RT #43739]
4525. [doc] Fixed outdated documentation on managed-keys.
[RT #43810]
4524. [bug] The net zero test was broken causing IPv4 servers
with addresses ending in .0 to be rejected. [RT #43776]
4523. [doc] Expand config doc for <querysource4> and
<querysource6>. [RT #43768]
4522. [bug] Handle big gaps in log file version numbers better.
[RT #38688]
4521. [cleanup] Log it as an error if an entropy source is not
found and there is no fallback available. [RT #43659]
4520. [cleanup] Alphabetize more of the grammar when printing it
out. [RT #43755]
4516. [bug] isc_socketmgr_renderjson was missing from the
windows build. [RT #43602]
4515. [port] FreeBSD: Find readline headers when they are in
edit/readline/ instead of readline/. [RT #43658]
4513. [cleanup] Minimum Python versions are now 2.7 and 3.2.
[RT #43566]
4512. [bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in.
[RT #43556]
4509. [test] Make the rrl system test more reliable on slower
machines by using mdig instead of dig. [RT #43280]
4507. [bug] Named could incorrectly log 'allows updates by IP
address, which is insecure' [RT #43432]
4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]
4504. [security] Allow the maximum number of records in a zone to
be specified. This provides a control for issues
raised in CVE-2016-6170. [RT #42143]
4503. [cleanup] "make uninstall" now removes files installed by
BIND. (This currently excludes Python files
due to lack of support in setup.py.) [RT #42912]
4502. [func] Report multiple and experimental options when printing
grammar. [RT #43134]
4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]
4499. [port] MacOSX: silence deprecated function warning
by using arc4random_stir() when available
instead of arc4random_addrandom(). [RT #43503]
4498. [test] Simplify prerequisite checks in system tests.
[RT #43516]
4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]
4496. [func] dig: add +idnout to control whether labels are
display in punycode or not. Requires idn support
to be enabled at compile time. [RT #43398]
4494. [bug] Look for <editline/readline.h>. [RT #43429]
4492. [bug] irs_resconf_load failed to initialize sortlistnxt
causing bad writes if resolv.conf contained a
sortlist directive. [RT #43459]
4491. [bug] Improve message emitted when testing whether sendmsg
works with TOS/TCLASS fails. [RT #43483]
4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
4489. [security] It was possible to trigger assertions when processing
a response containing a DNAME answer. (CVE-2016-8864)
[RT #43465]
4488. [port] Darwin: use -framework for Kerberos. [RT #43418]
4487. [test] Make system tests work on Windows. [RT #42931]
4486. [bug] Look in $prefix/lib/pythonX.Y/site-packages for
the python modules we install. [RT #43330]
4485. [bug] Failure to find readline when requested should be
fatal to configure. [RT #43328]
4484. [func] Check prefixes in acls to make sure the address and
prefix lengths are consistent. Warn only in
BIND 9.11 and earlier. [RT #43367]
4483. [bug] Address use before require check and remove extraneous
dns_message_gettsigkey call in dns_tsig_sign.
[RT #43374]
4476. [test] Fix reclimit test on slower machines. [RT #43283]
4475. [doc] Update named-checkconf documentation. [RT #43153]
4474. [bug] win32: call WSAStartup in fromtext_in_wks so that
getprotobyname and getservbyname work. [RT #43197]
4473. [bug] Only call fsync / _commit on regular files. [RT #43196]
4472. [bug] Named could fail to find the correct NSEC3 records when
a zone was updated between looking for the answer and
looking for the NSEC3 records proving nonexistence
of the answer. [RT #43247]
4471. [cleanup] Revert a query logging change inadvertently
backported from 9.11. [RT #43238]
4467. [security] It was possible to trigger an assertion when
rendering a message. (CVE-2016-2776) [RT #43139]
4466. [bug] Interface scanning didn't work on a Windows system
without a non local IPv6 addresses. [RT #43130]
4464. [bug] Fix windows python support. [RT #43173]
4461. [bug] win32: not all external data was properly marked
as external data for windows dll. [RT #43161]
4458. [cleanup] Update assertions to be more correct, and also remove
use of a reserved word. [RT #43090]
4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
4456. [doc] Add DOCTYPE and lang attribute to <html> tags.
[RT #42587]
4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
4451. [cleanup] Log more useful information if a PKCS#11 provider
library cannot be loaded. [RT #43076]
4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]
4448. [bug] win32: ::1 was not being found when iterating
interfaces. [RT #42993]
4446. [bug] The cache_find() and _findrdataset() functions
could find rdatasets that had been marked stale.
[RT #42853]
4445. [cleanup] isc_errno_toresult() can now be used to call the
formerly private function isc__errno2result().
[RT #43050]
4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
TCP sockets. [RT #42864]
4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted
tree data structure with overlapping networks
(longest prefix match was ineffective).
[RT #43035]
4441. [cleanup] Alphabetize host's help output. [RT #43031]
4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message
will not fit into a single IPv4 encapsulated IPv6
UDP packet when transmitted over a Ethernet link.
[RT #42871]
4434. [protocol] Return EDNS EXPIRE option for master zones in addition
to slave zones. [RT #43008]
4433. [cleanup] Report an error when passing an invalid option or
view name to "rndc dumpdb". [RT #42958]
4432. [test] Hide rndc output on expected failures in logfileconfig
system test. [RT #27996]
4431. [bug] named-checkconf now checks the rate-limit clause.
[RT #42970]
4430. [bug] Lwresd died if a search list was not defined.
Found by 0x710DDDD At Alibaba Security. [RT #42895]
4425. [bug] arpaname and named-rrchecker were not being installed
into ${prefix}/bin. [RT #42910]
4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
4423. [maint] Added missing IPv6 address 2001:500:84::b for
B.ROOT-SERVERS.NET. [RT #42898]
4422. [port] Silence clang warnings in dig.c and dighost.c.
[RT #42451]
4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879]
4414. [bug] Corrected a bug in the MIPS implementation of
isc_atomic_xadd(). [RT #41965]
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
was returned. [RT #42733]
4412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
removed. [RT #42721]
4409. [bug] DNS64 should exclude mapped addresses by default when
an exclude acl is not defined. [RT #42810]
4407. [performance] Use GCC builtin for clz in RPZ lookup code.
[RT #42818]
4406. [security] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry
4404. [misc] Allow krb5-config to be used when configuring gssapi.
[RT #42580]
4403. [bug] Rename variables and arguments that shadow: basename,
clone and gai_error.
4397. [bug] Update Windows python support. [RT #42538]
4395. [bug] Improve out-of-tree installation of python modules.
[RT #42586]
4384. [bug] Change 4256 accidentally disabled logging of the
rndc command. [RT #42654]
4379. [bug] An INSIST could be triggered if a zone contains
RRSIG records with expiry fields that loop
using serial number arithmetic. [RT #40571]
4378. [contrib] #include <isc/string.h> for strlcat in zone2ldap.c.
[RT #42525]
4377. [bug] Don't reuse zero TTL responses beyond the current
client set (excludes ANY/SIG/RRSIG queries).
[RT #42142]
4374. [bug] Use SAVE/RESTORE macros in query.c to reduce the
probability of reference counting errors as seen
in 4365. [RT #42405]
4373. [bug] Address undefined behavior in getaddrinfo. [RT #42479]
4372. [bug] Address undefined behavior in libt_api. [RT #42480]
4369. [bug] Fix 'make' and 'make install' out-of-tree python
support. [RT #42484]
4367. [bug] Remove unnecessary assignment of loadtime in
zone_touched. [RT #42440]
4361. [cleanup] Where supported, file modification times returned
by isc_file_getmodtime() are now accurate to the
nanosecond. [RT #41968]
4360. [bug] Silence spurious 'bad key type' message when there is
a existing TSIG key. [RT #42195]
4359. [bug] Inherited 'also-notify' lists were not being checked
by named-checkconf. [RT #42174]
4354. [bug] Check that the received HMAC length matches the
expected length prior to check the contents on the
control channel. This prevents a OOB read error.
This was reported by Lian Yihan, <lianyihan@360.cn>.
[RT #42215]
4353. [cleanup] Update PKCS#11 header files. [RT #42175]
4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
is scheduled to be disabled in 2017. A warning is
now logged when named is configured to use it,
either explicitly or via "dnssec-lookaside auto;"
[RT #42207]
4351. [bug] 'dig +noignore' didn't work. [RT #42273]
4350. [contrib] Declare result in dlz_filesystem_dynamic.c.
4348. [cleanup] Refactor dnssec-coverage and dnssec-checkds
functionality into an "isc" python module. [RT #39211]
4013. [func] Add a new tcp-only option to server (config) /
peer (struct) to use TCP transport to send
queries (in place of UDP transport with a
TCP fallback on truncated (TC set) response).
[RT #37800]
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/
1. Add PAM support.
2. Sanitize children process reaping
3. futimens when we have an fd
4. close_all for crontab(8)
5. use a table for spool dirs instead of duplicating code.
6. handle errors from process_exit()
7. Add ENABLE_FIX_DIRECTORIES ifdef and enable it by default for compat
8. Avoid using fd's < STDERR
Not applied:
1. no xfork (no setresuid)
2. did not do the lstat before open.
3. did not enable cron group
Installation (install.ram, -Os) on my VS4000 is possible without SCSI timeouts
again.
Other variable-length bit field instructions should be checked for correct
constraints, too!
While it fixed the problem of trailing spaces, but if the probe specifier
contained leading spaces, it would brake dtrace. The proper fix would be
to skip the leading spaces in the string as well.
However, it would result in a bigger diff for a very small benefit. While
a new import of dtrace is impending, it's better not to have this change.
Discussed with christos.
When using dtrace using one of the tracing options, such as -n, -P, -i, -f etc.,
the first line of output from dtrace one is something like this:
sudo dtrace -n 'syscall:::entry /pid == 100/ {@num[probefunc] = count();}'
dtrace: description 'syscall:::entry ' matched 482 probes
There is a trailing space at the end of the probe specifier name ('syscall:::entry ').
This happens beucase dtrace tries to separate the probe name from the predicate and actions
using `{' and `/' as the separators but doesn't consider space also as a possible separator.
Output after this change:
sudo dtrace -n 'syscall:::entry /pid == 100/ {@num[probefunc] = count();}'
dtrace: description 'syscall:::entry' matched 482 probes
ok christos@
This version of dhcrelay(8) needed to stay inforeground with -d flag in
order to service requests. Running inbackground turned it deaf to DHCP
requests.
This was caused by wrong kqueue(2) usage, where kevent(2) was used with
a file descriptor obtained by a kqueue(2) call done before fork(2).
kqueue(2) man page says "The queue is not inherited by a child created
with fork(2)". As a result, kevent(2) calls always got EBADF.
The fix is to reorder function calls in dhcrelay(8) main() function.
dhcp_context_create(), which causes kqueue(2) to be invoked, is
moved with its dependencies after fork(2). This matches the code layout
of dhclient(8) and dhcpd(8), which do not have the bug.
The fix was not submitted upstream since latest ISC DHCP code was
refactored and does not have the bug anymore.
VOP_RECLAIM naturally has exclusive access to the vnode, so having it
locked on entry is not strictly necessary -- but it means if there
are any final operations that must be done on the vnode, such as
ffs_update, requiring exclusive access to it, we can now kassert that
the vnode is locked in those operations.
We can't just have the caller release the last lock because some file
systems don't use genfs_lock, and require the vnode to remain valid
for VOP_UNLOCK to work, notably unionfs.
