diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index d9b6714eff2..6d1ee310999 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,15 +1,81 @@ - --- 9.8.3-P4 released --- + --- 9.8.4-P1 released --- + +3407. [security] Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + + --- 9.8.4 released --- 3383. [security] A certain combination of records in the RBT could cause named to hang while populating the additional section of a response. [RT #31090] - --- 9.8.3-P3 released --- +3373. [bug] win32: open raw files in binary mode. [RT #30944] 3364. [security] Named could die on specially crafted record. [RT #30416] - --- 9.8.3-P2 released --- + --- 9.8.4rc1 released --- + +3369. [bug] nsupdate terminated unexpectedly in interactive mode + if built with readline support. [RT #29550] + +3368. [bug] and were not C++ safe. + +3367. [bug] dns_dnsseckey_create() result was not being checked. + [RT #30685] + +3366. [bug] Fixed Read-After-Write dependency violation for IA64 + atomic operations. [RT #25181] + +3365. [bug] Removed spurious newlines from log messages in + zone.c [RT #30675] + +3363. [bug] Need to allow "forward" and "fowarders" options + in static-stub zones; this had been overlooked. + [RT #30482] + +3362. [bug] Setting some option values to 0 in named.conf + could trigger an assertion failure on startup. + [RT #27730] + +3360. [bug] 'host -w' could die. [RT #18723] + +3359. [bug] An improperly-formed TSIG secret could cause a + memory leak. [RT #30607] + +3357. [port] Add support for libxml2-2.8.x [RT #30440] + +3356. [bug] Cap the TTL of signed RRsets when RRSIGs are + approaching their expiry, so they don't remain + in caches after expiry. [RT #26429] + + --- 9.8.4b1 released --- + +3354. [func] Improve OpenSSL error logging. [RT #29932] + +3353. [bug] Use a single task for task exclusive operations. + [RT #29872] + +3352. [bug] Ensure that learned server attributes timeout of the + adb cache. [RT #29856] + +3351. 
[bug] isc_mem_put and isc_mem_putanddetach didn't report + caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX + memory debugging flags are set. [RT #30243] + +3350. [bug] Memory read overrun in isc___mem_reallocate if + ISC_MEM_DEBUGCTX memory debugging flag is set. + [RT #30240] + +3348. [bug] Prevent RRSIG data from being cached if a negative + record matching the covering type exists at a higher + trust level. Such data already can't be retrieved from + the cache since change 3218 -- this prevents it + being inserted into the cache as well. [RT #26809] + +3347. [bug] dnssec-settime: Issue a warning when writing a new + private key file would cause a change in the + permissions of the existing file. [RT #27724] 3346. [security] Bad-cache data could be used before it was initialized, causing an assert. [RT #30025] 
@@ -18,11 +84,47 @@ resulting in excessive cpu usage in some cases. [RT #29952] - --- 9.8.3-P1 released --- +3337. [bug] Change #3294 broke support for the multiple keys + in controls. [RT #29694] + +3335. [func] nslookup: return a nonzero exit code when unable + to get an answer. [RT #29492] + +3333. [bug] Setting resolver-query-timeout too low can cause + named to not recover if it loses connectivity. + [RT #29623] + +3332. [bug] Re-use cached DS rrsets if possible. [RT #29446] 3331. [security] dns_rdataslab_fromrdataset could produce bad rdataslabs. [RT #29644] - + +3330. [func] Fix missing signatures on NOERROR results despite + RPZ rewriting. Also + - add optional "recursive-only yes|no" to the + response-policy statement + - add optional "max-policy-ttl" to the response-policy + statement to limit the false data that + "recursive-only no" can introduce into + resolvers' caches + - add a RPZ performance test to bin/tests/system/rpz + when queryperf is available. + - the encoding of PASSTHRU action to "rpz-passthru". + (The old encoding is still accepted.) + [RT #26172] + + +3329. [bug] Handle RRSIG signer-name case consistently: We + generate RRSIG records with the signer-name in + lower case. We accept them with any case, but if + they fail to validate, we try again in lower case. + [RT #27451] + +3328. [bug] Fixed inconsistent data checking in dst_parse.c. + [RT #29401] + +3317. [func] Add ECDSA support (RFC 6605). [RT #21918] + --- 9.8.3 released --- 3318. [tuning] Reduce the amount of work performed while holding a diff --git a/contrib/bind9/Makefile.in b/contrib/bind9/Makefile.in index 2a00df415f3..05d9c43174f 100644 --- a/contrib/bind9/Makefile.in +++ b/contrib/bind9/Makefile.in 
@@ -1,4 +1,4 @@ -# Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/README b/contrib/bind9/README index ee56344c5e0..f7976397875 100644 --- a/contrib/bind9/README +++ b/contrib/bind9/README @@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.8.4 + + BIND 9.8.4 includes several bug fixes and patches security + flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244. + BIND 9.8.3 BIND 9.8.3 is a maintenance release. diff --git a/contrib/bind9/acconfig.h b/contrib/bind9/acconfig.h index 736d1bcdd31..3d412d93c87 100644 --- a/contrib/bind9/acconfig.h +++ b/contrib/bind9/acconfig.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -138,6 +138,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define if OpenSSL includes DSA support */ #undef HAVE_OPENSSL_DSA +/* Define if OpenSSL includes ECDSA support */ +#undef HAVE_OPENSSL_ECDSA + /* Define to the length type used by the socket API (socklen_t, size_t, int). */ #undef ISC_SOCKADDR_LEN_T diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in index e4805520e7e..89b4673edd3 100644 --- a/contrib/bind9/bin/Makefile.in +++ b/contrib/bind9/bin/Makefile.in 
@@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in index 403933b2ed7..c191605605b 100644 --- a/contrib/bind9/bin/check/Makefile.in +++ b/contrib/bind9/bin/check/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c index 422d9b1cde9..2bf16a686c5 100644 --- a/contrib/bind9/bin/check/check-tool.c +++ b/contrib/bind9/bin/check/check-tool.c @@ -639,6 +639,9 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, { isc_result_t result; FILE *output = stdout; + const char *flags; + + flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+"; if (debug) { if (filename != NULL && strcmp(filename, "-") != 0) @@ -649,7 +652,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, } if (filename != NULL && strcmp(filename, "-") != 0) { - result = isc_stdio_open(filename, "w+", &output); + result = isc_stdio_open(filename, flags, &output); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not open output " diff --git a/contrib/bind9/bin/confgen/Makefile.in b/contrib/bind9/bin/confgen/Makefile.in index 64ddf760a06..8b3e5aa1c4d 100644 --- a/contrib/bind9/bin/confgen/Makefile.in +++ b/contrib/bind9/bin/confgen/Makefile.in 
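Review bot: The new local in dump_zone() is named `flags` but holds an fopen-style mode string, and nothing at the assignment says why non-text formats need `"wb+"`. Renaming it to `mode` and adding a comment such as `/* Raw zone files are binary; text mode would translate line endings on win32. */` above the assignment would keep the reason next to the code. The same name is used at the `isc_stdio_open(filename, flags, &output)` call in the following hunk, so both hunks would change together. dump_zone() begins and ends outside both hunks.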
@@ -1,4 +1,4 @@
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
diff --git a/contrib/bind9/bin/confgen/unix/Makefile.in b/contrib/bind9/bin/confgen/unix/Makefile.in
index 924701e61ff..2ab6d922d55 100644
--- a/contrib/bind9/bin/confgen/unix/Makefile.in
+++ b/contrib/bind9/bin/confgen/unix/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in
index 19dc61c4353..2a3bc5d6fe8 100644
--- a/contrib/bind9/bin/dig/Makefile.in
+++ b/contrib/bind9/bin/dig/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c
index 48c390b8ae0..2ef8f84ea2a 100644
--- a/contrib/bind9/bin/dig/nslookup.c
+++ b/contrib/bind9/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -57,6 +57,7 @@ static isc_boolean_t in_use = ISC_FALSE; static char defclass[MXRD] = "IN"; static char deftype[MXRD] = "A"; static isc_event_t *global_event = NULL; +static int query_error = 1, print_error = 0; static char domainopt[DNS_NAME_MAXTEXT]; @@ -406,6 +407,9 @@ isc_result_t printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { char servtext[ISC_SOCKADDR_FORMATSIZE]; + /* I've we've gotten this far, we've reached a server. */ + query_error = 0; + debug("printmessage()"); isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext)); @@ -433,6 +437,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { (msg->rcode != dns_rcode_nxdomain) ? nametext : query->lookup->textname, rcode_totext(msg->rcode)); debug("returning with rcode == 0"); + + /* the lookup failed */ + print_error |= 1; return (ISC_R_SUCCESS); } @@ -887,5 +894,5 @@ main(int argc, char **argv) { destroy_libs(); isc_app_finish(); - return (0); + return (query_error | print_error); } diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in index 6bfd162d8d3..0bca1415572 100644 --- a/contrib/bind9/bin/dnssec/Makefile.in +++ b/contrib/bind9/bin/dnssec/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 index 437aa371cff..ae9bb54000c 100644 --- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 +++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 
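Review bot: The comment added at the top of printmessage() has a typo, `/* I've we've gotten this far, we've reached a server. */`, and should read `/* If we've gotten this far, we've reached a server. */`. More importantly, `query_error` is a file-scope flag that starts at 1 (declaration in the `@@ -57,6 +57,7 @@` hunk) and in the visible hunks is only ever cleared here, so one answered query keeps it at 0 for the rest of the run. If a single nslookup process performs several lookups, a later lookup that reaches no server would presumably not be reflected in the exit status. A comment at the declaration such as `/* exit status: query_error is cleared once any server answers; print_error is set if any lookup failed */` would make the contract explicit. printmessage() continues outside the hunk.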
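Review bot: `return (query_error | print_error);` folds two different conditions into the same exit status, because both flags only ever hold 0 or 1 in the visible hunks. A calling script or health check therefore cannot tell "no server was reached" from the case marked `/* the lookup failed */` in printmessage(). If callers need that distinction, distinct bits (`print_error |= 2;` in printmessage()) would preserve it while still returning nonzero on any failure. Otherwise a one-line comment above the return, `/* exit status is deliberately 0 or 1 */`, documents the choice. The rest of main() is outside the hunk.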
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm. .RS 4 Select the digest algorithm. The value of \fBalgorithm\fR -must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive. +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive. .RE .PP \-K \fIdirectory\fR @@ -139,5 +139,5 @@ RFC 4509. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2008\-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c index c4b157cd9b1..93d789b0626 100644 --- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c +++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -296,7 +296,7 @@ usage(void) { fprintf(stderr, " -K : directory in which to find " "key file or keyset file\n"); fprintf(stderr, " -a algorithm: digest algorithm " - "(SHA-1, SHA-256 or GOST)\n"); + "(SHA-1, SHA-256, GOST or SHA-384)\n"); fprintf(stderr, " -1: use SHA-1\n"); fprintf(stderr, " -2: use SHA-256\n"); fprintf(stderr, " -l: add lookaside zone and print DLV records\n"); 
@@ -415,6 +415,9 @@ main(int argc, char **argv) { else if (strcasecmp(algname, "GOST") == 0) dtype = DNS_DSDIGEST_GOST; #endif + else if (strcasecmp(algname, "SHA384") == 0 || + strcasecmp(algname, "SHA-384") == 0) + dtype = DNS_DSDIGEST_SHA384; else fatal("unknown algorithm %s", algname); } diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook index d139ba5ec7c..d7050335107 100644 --- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>