Subject: CVE-2007-0493 and CVE-2007-0494 -- ISC BIND advisory
To: None <tech-security@netbsd.org>
From: Brian A. Seklecki <bseklecki@collaborativefusion.com>
List: tech-security
Date: 02/09/2007 16:00:46
Ironically, a day later, the FreeBSD Group released a RELENG update to
their currently supported branches, including patches.
~BAS
----
Date: Fri, 9 Feb 2007 20:42:01 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Reply-To: freebsd-security@freebsd.org
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:02.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-07:02.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple Denial of Service vulnerabilities in named(8)

Category:       contrib
Module:         bind
Announced:      2007-02-09
Affects:        FreeBSD 5.3 and later.
Corrected:      2007-02-07 00:42:09 UTC (RELENG_6, 6.2-STABLE)
                2007-02-09 20:24:15 UTC (RELENG_6_2, 6.2-RELEASE-p1)
                2007-02-09 20:23:29 UTC (RELENG_6_1, 6.1-RELEASE-p13)
                2007-02-07 00:46:35 UTC (RELENG_5, 5.5-STABLE)
                2007-02-09 20:22:44 UTC (RELENG_5_5, 5.5-RELEASE-p11)
CVE Name:       CVE-2007-0493, CVE-2007-0494
~BAS
On Fri, 2007-02-09 at 15:51 -0500, Brian A. Seklecki wrote:
>
> ---------- Forwarded message ----------
> Date: Thu, 8 Feb 2007 14:26:26 -0500 (EST)
> From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
> To: tech-security@NetBSD.org
> Subject: ISC BIND 9.3.4 is now available. (FWD)
>
>
> Following up on this per my employer. There are two CVEs:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0493
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0494
>
> The ISC bind in netbsd-3 is version 9.3.2 (plus patches?). If ISC uses the same
> version number releng format as us, then 9.3.4 is simply a set of patch-levels
> post 9.3 release.
>
> The patches 9.3.0->9.3.4 from ISC anoncvs repository are restricted to private
> access? (Maybe view a set of commit changelogs and compare the tarballs)
>
> Anyway, -current has 9.4.0-prerelease, so a pullup into netbsd-3 isn't likely
> (unless 9.4. is finalized before NetBSD 3.3).
>
> Can patches from a vendor branch jump directly into a NetBSD releng branch?
>
> Thanks,
>
> l8*
> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> http://www.spiritual-machines.org/
>
> ---------- Forwarded message ----------
> Date: Thu, 25 Jan 2007 11:24:55 +1100
> From: Mark Andrews <Mark_Andrews@isc.org>
> To: bind-announce@isc.org
> Subject: BIND 9.3.4 is now available.
>
>
> BIND 9.3.4 is now available.
>
> BIND 9.3.4 is a security release for BIND 9.3.
>
> BIND 9.3.4 contains security fixes:
>
> 2126. [security] Serialise validation of type ANY responses. [RT #16555]
>
> 2124. [security] It was possible to dereference a freed fetch
> context. [RT #16584]
>
> 2089. [security] Raise the minimum safe OpenSSL versions to
> OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
> prior to these have known security flaws which
> are (potentially) exploitable in named. [RT #16391]
>
> 2088. [security] Change the default RSA exponent from 3 to 65537.
> [RT #16391]
>
> 2066. [security] Handle SIG queries gracefully. [RT #16300]
>
> 1941. [bug] ncache_adderesult() should set eresult even if no
> rdataset is passed to it. [RT #15642]
>
> If you are running a BIND 9.3.x or BIND 9.4.x version without
> these changes you are advised to upgrade as soon as possible to
> one of BIND 9.3.4 or BIND 9.4.0rc2.
>
> BIND 9.3.4 can be downloaded from
>
> ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz
>
> The PGP signature of the distribution is at
>
> ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz.asc
> ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz.sha512.asc
>
> The signature was generated with the ISC public key, which is
> available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.
>
> A binary kit for Windows 2000, Windows XP and Windows 2003 is at
>
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip
>
> The PGP signature of the binary kit for Windows 2000, Windows XP and
> Windows 2003 is at
>
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip.asc
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip.sha512.asc
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip.asc
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip.sha512.asc
>
> Note: There is no Windows NT 4.0 binary kit for BIND 9.3.4.
> Windows NT 4.0 is still supported in source form.
>
> A list of changes made since 9.3.0 follows. For earlier changes,
> see the file CHANGES in the distribution.
>
> --------
>
> --- 9.3.4 released ---
>
> 2126. [security] Serialise validation of type ANY responses. [RT #16555]
>
> 2124. [security] It was possible to dereference a freed fetch
> context. [RT #16584]
>
> --- 9.3.3 released ---
>
> 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
>
> 2104. [port] Fix Solaris SMF error message.
>
> 2103. [port] Add /usr/sfw to list of locations for OpenSSL
> under Solaris.
>
> 2102. [port] Silence solaris 10 warnings.
>
> 2101. [bug] OpenSSL version checks were not quite right.
> [RT #16476]
>
> 2100. [port] win32: copy libeay32.dll to Build\Debug.
>
> 2099. [port] win32: more manifest issues.
>
> --- 9.3.3rc3 released ---
>
> 2096. [bug] libbind: handle applications that fail to detect
> res_init() failures better.
>
> 2095. [port] libbind: always prototype inet_cidr_ntop_ipv6() and
> net_cidr_ntop_ipv6(). [RT #16388]
>
> 2094. [contrib] Update named-bootconf. [RT# 16404]
>
> 2092. [bug] win32: dig, host, nslookup. Use registry config
> if resolv.conf does not exist or no nameservers
> listed. [RT #15877]
>
> 2091. [port] dighost.c: race condition on cleanup. [RT #16417]
>
> 2090. [port] win32: Visual C++ 2005 command line manifest support.
> [RT #16417]
>
> 2089. [security] Raise the minimum safe OpenSSL versions to
> OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
> prior to these have known security flaws which
> are (potentially) exploitable in named. [RT #16391]
>
> 2088. [security] Change the default RSA exponent from 3 to 65537.
> [RT #16391]
>
> 2086. [port] libbind: FreeBSD now has get*by*_r() functions.
> [RT #16403]
>
> 2085. [doc] win32: added index.html and README to zip. [RT #16201]
>
> 2084. [contrib] dbus update for 9.3.3rc2.
>
> 2083. [port] win32: Visual C++ 2005 support.
>
> 2082. [doc] Document 'cache-file' as a test only option.
>
> --- 9.3.3rc2 released ---
>
> 2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
> [RT #16360]
>
> 2080. [port] libbind: res_init.c did not compile on older versions
> of Solaris. [RT #16363]
>
> 2076. [bug] Several files were missing #include <config.h>
> causing build failures on OSF. [RT #16341]
>
> 2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
> dns_request_createraw2() and dns_request_createraw3()
> failed to send multiple UDP requests. [RT #16349]
>
> 2066. [security] Handle SIG queries gracefully. [RT #16300]
>
> --- 9.3.3rc1 released ---
>
> 2071. [port] Test whether gcc accepts -fno-strict-aliasing.
> [RT #16324]
>
> 2070. [bug] The remote address was not always displayed when
> reporting dispatch failures. [RT #16315]
>
> 2069. [bug] Cross compiling was not working. [RT #16330]
>
> 2067. [bug] 'rndc' could close the socket too early triggering
> a INSIST under Windows. [RT #16317]
>
> 2065. [bug] libbind: probe for HPUX prototypes for
> endprotoent_r() and endservent_r(). [RT 16313]
>
> 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]
>
> 2063. [bug] Change #1955 introduced a bug which caused the first
> 'rndc flush' call to not free memory. [RT #16244]
>
> 2062. [bug] 'dig +nssearch' was reusing a buffer before it had
> been returned by the socket code. [RT #16307]
>
> 2057. [bug] Make setting "ra" dependent on both allow-query and
> allow-recursion. [RT #16290]
>
> 2056. [bug] dig: ixfr= was not being treated case insensitively
> at all times. [RT #15955]
>
> 2055. [bug] Missing goto after dropping multicast query.
> [RT #15944]
>
> 2054. [port] freebsd: do not explicitly link against -lpthread.
> [RT #16170]
>
> 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]
>
> 2052. [bug] 'rndc' improve connect failed message to report
> the failing address. [RT #15978]
>
> 2051. [port] More strtol() fixes. [RT #16249]
>
> 2050. [bug] Parsing of NSAP records was not case insensitive.
> [RT #16287]
>
> 2049. [bug] Restore SOA before AXFR when falling back from
> a attempted IXFR when transferring in a zone.
> Allow a initial SOA query before attempting
> a AXFR to be requested. [RT #16156]
>
> 2048. [bug] It was possible to loop forever when using
> avoid-v4-udp-ports / avoid-v6-udp-ports when
> the OS always returned the same local port.
> [RT #16182]
>
> 2047. [bug] Failed to initialise the interface flags to zero.
> [RT #16245]
>
> 2043. [port] nsupdate/nslookup: Force the flushing of the prompt
> for interactive sessions. [RT#16148]
>
> 2038. [bug] dig/nslookup/host was unlinking from wrong list
> when handling errors. [RT #16122]
>
> 2037. [func] When unlinking the first or last element in a list
> check that the list head points to the element to
> be unlinked. [RT #15959]
>
> 2036. [bug] 'rndc recursing' could trigger a REQUIRE.
> [RT #16075]
>
> 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
>
> --- 9.3.3b1 released ---
>
> 2031. [bug] Emit a error message when "rndc refresh" is called on
> a non slave/stub zone. [RT # 16073]
>
> 2030. [bug] We were being overly conservative when disabling
> openssl engine support. [RT #16030]
>
> 2029. [bug] host printed out the server multiple times when
> specified on the command line. [RT #15992]
>
> 2028. [port] linux: socket.c compatibility for old systems.
> [RT #16015]
>
> 2027. [port] libbind: Solaris x86 support. [RT #16020]
>
> 2026. [bug] Rate limit the two recursive client exceeded messages.
> [RT #16044]
>
> 2024. [bug] named emitted spurious "zone serial unchanged"
> messages on reload. [RT #16027]
>
> 2023. [bug] "make install" should create ${localstatedir}/run and
> ${sysconfdir} if they do not exist. [RT #16033]
>
> 2016. [bug] Return a partial answer if recursion is not
> allowed but requested and we had the answer
> to the original qname. [RT #15945]
>
> 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
> responses more gracefully. [RT #15941]
>
> 2009. [bug] libbind: coverity fixes. [RT #15808]
>
> 2005. [bug] libbind: Retransmission timeouts should be
> based on which attempt it is to the nameserver
> and not the nameserver itself. [RT #13548]
>
> 2004. [bug] dns_tsig_sign() could pass a NULL pointer to
> dst_context_destroy() when cleaning up after a
> error. [RT #15835]
>
> 2003. [bug] libbind: The DNS name/address lookup functions could
> occasionally follow a random pointer due to
> structures not being completely zeroed. [RT #15806]
>
> 2002. [bug] libbind: tighten the constraints on when
> struct addrinfo._ai_pad exists. [RT #15783]
>
> 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
>
> 1998. [bug] Restrict handling of fifos as sockets to just SunOS.
> This allows named to connect to entropy gathering
> daemons that use fifos instead of sockets. [RT #15840]
>
> 1997. [bug] Named was failing to replace negative cache entries
> when a positive one for the type was learnt.
> [RT #15818]
>
> 1995. [bug] 'host' was reporting multiple "is an alias" messages.
> [RT #15702]
>
> 1994. [port] OpenSSL 0.9.8 support. [RT #15694]
>
> 1993. [bug] Log messages, via syslog, were missing the space
> after the timestamp if "print-time yes" was specified.
> [RT #15844]
>
> 1991. [cleanup] The configuration data, once read, should be treated
> as readonly. Expand the use of const to enforce this
> at compile time. [RT #15813]
>
> 1990. [bug] libbind: isc's override of broken gettimeofday()
> implementations was not always effective.
> [RT #15709]
>
> 1989. [bug] win32: don't check the service password when
> re-installing. [RT #15882]
>
> 1985. [protocol] DLV has now been assigned a official type code of
> 32769. [RT #15807]
>
> Note: care should be taken to ensure you upgrade
> both named and dnssec-signzone at the same time for
> zones with DLV records where named is the master
> server for the zone. Also any zones that contain
> DLV records should be removed when upgrading a slave
> zone. You do not however have to upgrade all
> servers for a zone with DLV records simultaneously.
>
> 1982. [bug] DNSKEY was being accepted on the parent side of
> a delegation. KEY is still accepted there for
> RFC 3007 validated updates. [RT #15620]
>
> 1981. [bug] win32: condition.c:wait() could fail to reattain
> the mutex lock.
>
> 1979. [port] linux: allow named to drop core after changing
> user ids. [RT #15753]
>
> 1978. [port] Handle systems which have a broken recvmsg().
> [RT #15742]
>
> 1977. [bug] Silence noisy log message. [RT #15704]
>
> 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
>
> 1975. [bug] libbind: isc_gethexstring() could misparse multi-line
> hex strings with comments. [RT #15814]
>
> 1974. [doc] List each of the zone types and associated zone
> options separately in the ARM.
>
> 1972. [contrib] DBUS dynamic forwarders integration from
> Jason Vas Dias <jvdias@redhat.com>.
>
> 1971. [port] linux: make detection of missing IF_NAMESIZE more
> robust. [RT #15443]
>
> 1970. [bug] nsupdate: adjust UDP timeout when falling back to
> unsigned SOA query. [RT #15775]
>
> 1969. [bug] win32: the socket code was freeing the socket
> structure too early. [RT #15776]
>
> 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
>
> 1966. [bug] Don't set CD when we have fallen back to plain DNS.
> [RT #15727]
>
> 1963. [port] Tru64 4.0E doesn't support send() and recv().
> [RT #15586]
>
> 1962. [bug] Named failed to clear old update-policy when it
> was removed. [RT #15491]
>
> 1961. [bug] Check the port and address of responses forwarded
> to dispatch. [RT #15474]
>
> 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
> [RT #15465]
>
> 1958. [bug] Named failed to update the zone's secure state
> until the zone was reloaded. [RT #15412]
>
> 1957. [bug] Dig mishandled responses to class ANY queries.
> [RT #15402]
>
> 1956. [bug] Improve cross compile support, 'gen' is now built
> by native compiler. See README for additional
> cross compile support information. [RT #15148]
>
> 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
>
> 1952. [port] hpux: tell the linker to build a runtime link
> path "-Wl,+b:". [RT #14816].
>
> 1951. [security] Drop queries from particular well known ports.
> Don't return FORMERR to queries from particular
> well known ports. [RT #15636]
>
> 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
> a TCP socket. This prevents the source address being
> set for TCP connections. [RT #15628]
>
> 1948. [bug] It was possible to trigger a REQUIRE failure in
> xfrin.c:maybe_free() if named ran out of memory.
> [RT #15568]
>
> 1946. [bug] resume_dslookup() could trigger a REQUIRE failure
> when using forwarders. [RT #15549]
>
> 1944. [cleanup] isc_hash_create() does not need a read/write lock.
> [RT #15522]
>
> 1943. [bug] Set the loadtime after rolling forward the journal.
> [RT #15647]
>
> 1942. [bug] If the name of a DNSKEY match that of one in
> trusted-keys do not attempt to validate the DNSKEY
> using the parents DS RRset. [RT #15649]
>
> 1941. [bug] ncache_adderesult() should set eresult even if no
> rdataset is passed to it. [RT #15642]
>
> 1940. [bug] Fixed a number of error conditions reported by
> Coverity.
>
> 1939. [bug] The resolver could dereference a null pointer after
> validation if all the queries have timed out.
> [RT #15528]
>
> 1938. [bug] The validator was not correctly handling unsecure
> negative responses at or below a SEP. [RT #15528]
>
> 1919. [contrib] queryperf: a set of new features: collecting/printing
> response delays, printing intermediate results, and
> adjusting query rate for the "target" qps.
>
> --- 9.3.2 released ---
>
> --- 9.3.2rc1 released ---
>
> 1936. [bug] The validator could leak memory. [RT #15544]
>
> 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
>
> --- 9.3.2b2 released ---
>
> 1930. [port] HPUX: ia64 support. [RT #15473]
>
> 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
>
> 1926. [bug] The Windows installer did not check for empty
> passwords. BINDinstall was being installed in
> the wrong place. [RT #15483]
>
> 1925. [port] All outer level AC_TRY_RUNs need cross compiling
> defaults. [RT #15469]
>
> 1924. [port] libbind: hpux ia64 support. [RT #15473]
>
> 1923. [bug] ns_client_detach() called too early. [RT #15499]
>
> --- 9.3.2b1 released ---
>
> 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
> when generating man pages. [RT #15385]
>
> 1915. [bug] dig +ndots was broken. [RT #15215]
>
> 1914. [protocol] DS is required to accept mnemonic algorithms
> (RFC 4034). Still emit numeric algorithms for
> compatibility with RFC 3658. [RT #15354]
>
> 1911. [bug] Update windows socket code. [RT #14965]
>
> 1910. [bug] dig's +sigchase code overhauled. [RT #14933]
>
> 1909. [bug] The DLV code has been re-worked to make no longer
> query order sensitive. [RT #14933]
>
> 1905. [bug] Strings returned from cfg_obj_asstring() should be
> treated as read-only. [RT #15256]
>
> 1901. [cleanup] Don't add DNSKEY records to the additional section.
>
> 1900. [bug] ixfr-from-differences failed to ensure that the
> serial number increased. [RT #15036]
>
> 1896. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
> ISC_NETADDR_FORMATSIZE to allow for scope details.
>
> 1894. [bug] Recursive clients soft quota support wasn't working
> as expected. [RT #15103]
>
> 1893. [bug] A escaped character is, potentially, converted to
> the output character set too early. [RT #14666]
>
> 1892. [port] Use uintptr_t if available. [RT #14606]
>
> 1889. [port] sunos: non blocking i/o support. [RT #14951]
>
> 1887. [bug] The cache could delete expired records too fast for
> clients with a virtual time in the past. [RT #14991]
>
> 1886. [bug] fctx_create() could return success even though it
> failed. [RT #14993]
>
> 1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
>
> 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
> levels. [RT #14962]
>
> 1881. [func] Add a system test for named-checkconf. [RT #14931]
>
> 1877. [bug] Fix unreasonably low quantum on call to
> dns_rbt_destroy2(). Remove unnecessary unhash_node()
> call. [RT #14919]
>
> 1875. [bug] process_dhtkey() was using the wrong memory context
> to free some memory. [RT #14890]
>
> 1874. [port] sunos: portability fixes. [RT #14814]
>
> 1873. [port] win32: isc__errno2result() now reports its caller.
> [RT #13753]
>
> 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
>
> 1867. [bug] It was possible to trigger a INSIST in
> dlv_validatezonekey(). [RT #14846]
>
> 1866. [bug] resolv.conf parse errors were being ignored by
> dig/host/nslookup. [RT #14841]
>
> 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
> bad addresses. [RT #14841]
>
> 1864. [bug] Don't try the alternative transfer source if you
> got a answer / transfer with the main source
> address. [RT #14802]
>
> 1863. [bug] rrset-order "fixed" error messages not complete.
>
> 1861. [bug] dig could trigger a INSIST on certain malformed
> responses. [RT #14801]
>
> 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
> incorrectly set. [RT #14775]
>
> 1858. [bug] The flush-zones-on-shutdown option wasn't being
> parsed. [RT #14686]
>
> 1857. [bug] named could trigger a INSIST() if reconfigured /
> reloaded too fast. [RT #14673]
>
> 1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
> [RT #11398]
>
> 1855. [bug] ixfr-from-differences was failing to detect changes
> of ttl due to dns_diff_subtract() was ignoring the ttl
> of records. [RT #14616]
>
> 1854. [bug] lwres also needs to know the print format for
> (long long). [RT #13754]
>
> 1853. [bug] Rework how DLV interacts with proveunsecure().
> [RT #13605]
>
> 1852. [cleanup] Remove last vestiges of dnssec-signkey and
> dnssec-makekeyset (removed from Makefile years ago).
>
> 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
>
> 1849. [doc] All forms of the man pages (docbook, man, html) should
> have consistent copyright dates.
>
> 1848. [bug] Improve SMF integration. [RT #13238]
>
> 1847. [bug] isc_ondestroy_init() is called too late in
> dns_rbtdb_create()/dns_rbtdb64_create().
> [RT #13661]
>
> 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
> <bortzmeyer@nic.fr>.
>
> 1845. [bug] Improve error reporting to distinguish between
> accept()/fcntl() and socket()/fcntl() errors.
> [RT #13745]
>
> 1844. [bug] inet_pton() accepted more than 4 hexadecimal digits
> for each 16 bit piece of the IPv6 address. The text
> representation of a IPv6 address has been tightened
> to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
> [RT #5662]
>
> 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
> when CFLAGS contains "-I /usr/local/include"
> resulting in old header files being used.
>
> 1842. [port] cmsg_len() could produce incorrect results on
> some platform. [RT #13744]
>
> 1841. [bug] "dig +nssearch" now makes a recursive query to
> find the list of nameservers to query. [RT #13694]
>
> 1839. [bug] <isc/hash.h> was not being installed.
>
> 1838. [cleanup] Don't allow Linux capabilities to be inherited.
> [RT #13707]
>
> 1837. [bug] Compile time option ISC_FACILITY was not effective
> for 'named -u <user>'. [RT #13714]
>
> 1836. [cleanup] Silence compiler warnings in hash_test.c.
>
> 1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
>
> 1834. [bug] Bad memset in rdata_test.c. [RT #13658]
>
> 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
>
> 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
> [RT #13620]
>
> 1831. [doc] Update named-checkzone documentation. [RT#13604]
>
> 1830. [bug] adb lame cache has sense of test reversed. [RT #13600]
>
> 1829. [bug] win32: "pid-file none;" broken. [RT #13563]
>
> 1828. [bug] isc_rwlock_init() failed to properly cleanup if it
> encountered a error. [RT #13549]
>
> 1827. [bug] host: update usage message for '-a'. [RT #37116]
>
> 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
> of memory error. [RT #13537]
>
> 1825. [bug] Missing UNLOCK() on out of memory error from in
> rbtdb.c:subtractrdataset(). [RT #13519]
>
> 1824. [bug] Memory leak on dns_zone_setdbtype() failure.
> [RT #13510]
>
> 1823. [bug] Wrong macro used to check for point to point interface.
> [RT#13418]
>
> 1822. [bug] check-names test for RT was reversed. [RT #13382]
>
> 1821. [doc] acls definitions are no longer required to be
> in named.conf prior to reference. They can be
> defined after being referenced.
>
> 1820. [bug] Gracefully handle acl loops. [RT #13659]
>
> 1819. [bug] The validator needed to check both the algorithm and
> digest types of the DS to determine if it could be
> used to introduce a secure zone. [RT #13593]
>
> 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
> [RT #13597]
>
> 1815. [bug] nsupdate triggered a REQUIRE if the server was set
> without also setting the zone and it encountered
> a CNAME and was using TSIG. [RT #13086]
>
> 1810. [bug] configure, lib/bind/configure make different default
> decisions about whether to do a threaded build.
> [RT #13212]
>
> 1809. [bug] "make distclean" failed for libbind if the platform
> is not supported.
>
> 1807. [bug] When forwarding (forward only) set the active domain
> from the forward zone name. [RT #13526]
>
> 1804. [bug] Ensure that if we are queried for glue that it fits
> in the additional section or TC is set to tell the
> client to retry using TCP. [RT #10114]
>
> 1803. [bug] dnssec-signzone sometimes failed to remove old
> RRSIGs. [RT #13483]
>
> 1802. [bug] Handle connection resets better. [RT #11280]
>
> 1799. [bug] 'rndc flushname' failed to flush negative cache
> entries. [RT #13438]
>
> 1795. [bug] "rndc dumpdb" was not fully documented. Minor
> formatting issues with "rndc dumpdb -all". [RT #13396]
>
> 1791. [bug] 'host -t a' still printed out AAAA and MX records.
> [RT #13230]
>
> --- 9.3.1 released ---
>
> 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
>
> --- 9.3.1rc1 released ---
>
> 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
> [RT #13453]
>
> 1808. [bug] zone.c:notify_zone() contained a race condition,
> zone->db could change underneath it. [RT #13511]
>
> 1806. [bug] The resolver returned the wrong result when a CNAME /
> DNAME was encountered when fetching glue from a
> secure namespace. [RT #13501]
>
> 1805. [bug] Pending status was not being cleared when DLV was
> active. [RT #13501]
>
> --- 9.3.1beta2 released ---
>
> 1800. [bug] Changes #1719 allowed a INSIST to be triggered.
> [RT #13428]
>
> --- 9.3.1beta1 released ---
>
> 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
> allow parallel make to succeed.
>
> 1789. [bug] Prerequisite test for tkey and dnssec could fail
> with "configure --with-libtool".
>
> 1788. [bug] libbind9.la/libbind9.so needs to link against
> libisccfg.la/libisccfg.so.
>
> 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
>
> 1786. [port] AIX: libt_api needs to be taught to look for
> T_testlist in the main executable (--with-libtool).
> [RT #13239]
>
> 1785. [bug] libbind9.la/libbind9.so needs to link against
> libisc.la/libisc.so.
>
> 1784. [cleanup] "libtool -allow-undefined" is the default.
> Leave hooks in configure to allow it to be set
> if needed in the future.
>
> 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
> source tree.
>
> 1782. [port] OSX: --with-libtool + --enable-libbind broke on
> __evOptMonoTime. [RT #13219]
>
> 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
>
> 1780. [bug] Update libtool to 1.5.10.
>
> 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
>
> 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
> IN6ADDR_LOOPBACK_INIT macros.
>
> 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
> IN6ADDR_LOOPBACK_INIT macros.
>
> 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
> IN6ADDR_LOOPBACK_INIT macros.
>
> 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
>
> 1774. [port] Aix: Silence compiler warnings / build failures.
> [RT #13154]
>
> 1773. [bug] Fast retry on host / net unreachable. [RT #13153]
>
> 1770. [bug] named-checkconf failed to report a missing
> file clause for rbt{64} master/hint zones. [RT#13009]
>
> 1769. [port] win32: change compiler flags /MTd ==> /MDd,
> /MT ==> /MD.
>
> 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
> rdataset. [RT #12907]
>
> 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
> support for (struct in6_pktinfo) failed. [RT #13077]
>
> 1766. [bug] Update the master file timestamp on successful refresh
> as well as the journal's timestamp. [RT# 13062]
>
> 1765. [bug] configure --with-openssl=auto failed. [RT #12937]
>
> 1764. [bug] dns_zone_replacedb failed to emit a error message
> if there was no SOA record in the replacement db.
> [RT #13016]
>
> 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
> even when it failed. [RT #12995]
>
> 1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
> [RT #12971]
>
> 1760. [bug] Host / net unreachable was not penalising rtt
> estimates. [RT #12970]
>
> 1759. [bug] Named failed to startup if the OS supported IPv6
> but had no IPv6 interfaces configured. [RT #12942]
>
> 1754. [bug] We weren't always attempting to query the parent
> server for the DS records at the zone cut.
> [RT #12774]
>
> 1753. [bug] Don't serve a slave zone which has no NS records.
> [RT #12894]
>
> 1752. [port] Move isc_app_start() to after ns_os_daemonise()
> as some fork() implementations unblock the signals
> that are blocked by isc_app_start(). [RT #12810]
>
> 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
>
> 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
> [RT #12864]
>
> 1749. [bug] 'check-names response ignore;' failed to ignore.
> [RT #12866]
>
> 1747. [bug] BIND 8 compatibility: named/named-checkconf failed
> to parse "host-statistics-max" in named.conf.
>
> 1745. [bug] Dig/host/nslookup accept replies from link locals
> regardless of scope if no scope was specified when
> query was sent. [RT #12745]
>
> 1744. [bug] If tuple2msgname() failed to convert a tuple to
> a name a REQUIRE could be triggered. [RT #12796]
>
> 1743. [bug] If isc_taskmgr_create() was not able to create the
> requested number of worker threads then destruction
> of the manager would trigger an INSIST() failure.
> [RT #12790]
>
> 1742. [bug] Deleting all records at a node then adding a
> previously existing record, in a single UPDATE
> transaction, failed to leave / regenerate the
> associated RRSIG records. [RT #12788]
>
> 1741. [bug] Deleting all records at a node in a secure zone
> using a update-policy grant failed. [RT #12787]
>
> 1740. [bug] Replace rbt's hash algorithm as it performed badly
> with certain zones. [RT #12729]
>
> NOTE: a hash context now needs to be established
> via isc_hash_create() if the application was not
> already doing this.
>
> 1739. [bug] dns_rbt_deletetree() could incorrectly return
> ISC_R_QUOTA. [RT #12695]
>
> 1738. [bug] Enable overrun checking by default. [RT #12695]
>
> 1737. [bug] named failed if more than 16 masters were specified.
> [RT #12627]
>
> 1736. [bug] dst_key_fromnamedfile() could fail to read a
> public key. [RT #12687]
>
> 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
> [RE #12688]
>
> 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
> [RT #12588]
>
> 1733. [bug] Return non-zero exit status on initial load failure.
> [RT #12658]
>
> 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
> [RT #12467]
>
> 1731. [port] darwin: relax version test in ifconfig.sh.
> [RT #12581]
>
> 1730. [port] Determine the length type used by the socket API.
> [RT #12581]
>
> 1728. [doc] Update check-names documentation.
>
> 1727. [bug] named-checkzone: check-names support didn't match
> documentation.
>
> 1726. [port] aix5: add support for aix5.
>
> 1725. [port] linux: update error message on interaction of threads,
> capabilities and setuid support (named -u). [RT #12541]
>
> 1724. [bug] Look for DNSKEY records with "dig +sigtrace".
> [RT #12557]
>
> 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
>
> 1722. [bug] Don't commit the journal on malformed ixfr streams.
> [RT #12519]
>
> 1721. [bug] Error message from the journal processing were not
> always identifying the relevant journal. [RT #12519]
>
> 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
> negative response. [RT #12506]
>
> 1719. [bug] named was not correctly caching a RFC 2308 Type 1
> negative response. [RT #12506]
>
> 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
> responses when looking for the zone / master server.
> [RT #12506]
>
> 1717. [port] solaris: ifconfig.sh did not support Solaris 10.
> "ifconfig.sh down" didn't work for Solaris 9.
>
> 1716. [doc] named.conf(5) was being installed in the wrong
> location. [RT# 12441]
>
> 1714. [bug] dig/host/nslookup were only trying the first
> address when a nameserver was specified by name.
> [RT #12286]
>
> 1713. [port] linux: extend capset failure message to say:
> please ensure that the capset kernel module is
> loaded. see insmod(8)
>
> 1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
>
> --- 9.3.0 released ---
>
>
--
Brian A. Seklecki <bseklecki@collaborativefusion.com>
Collaborative Fusion, Inc.
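
The question raised in the quoted message (which fixes separate the 9.3.2 in netbsd-3 from 9.3.4) can be answered from the CHANGES list itself. The following is an added example, not part of the original thread or of ISC's tooling: it parses the list format quoted above and returns the entries of one category that were released after an installed version. The function names are hypothetical, and SAMPLE is an excerpt of the quoted list.

```python
import re

# Excerpt of the CHANGES list quoted in the message above, with the mail quote
# prefix and wrapped lines kept; most non-security entries are omitted.
SAMPLE = """\
> --- 9.3.4 released ---
>
> 2126. [security] Serialise validation of type ANY responses. [RT #16555]
>
> 2124. [security] It was possible to dereference a freed fetch
> context. [RT #16584]
>
> --- 9.3.3 released ---
>
> 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
>
> --- 9.3.3rc3 released ---
>
> 2089. [security] Raise the minimum safe OpenSSL versions to
> OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
> prior to these have known security flaws which
> are (potentially) exploitable in named. [RT #16391]
>
> 2088. [security] Change the default RSA exponent from 3 to 65537.
> [RT #16391]
>
> --- 9.3.3rc2 released ---
>
> 2066. [security] Handle SIG queries gracefully. [RT #16300]
>
> --- 9.3.3b1 released ---
>
> 1951. [security] Drop queries from particular well known ports.
> Don't return FORMERR to queries from particular
> well known ports. [RT #15636]
>
> --- 9.3.2 released ---
>
> --- 9.3.2rc1 released ---
>
> 1936. [bug] The validator could leak memory. [RT #15544]
"""

QUOTE_RE = re.compile(r"^(?:>\s?)+")                      # "> " reply prefix
RELEASE_RE = re.compile(r"^-+\s*(\S+)\s+released\s*-+$")  # --- 9.3.4 released ---
ENTRY_RE = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s+(.*)$")    # 2126. [security] ...
RT_RE = re.compile(r"\[RT\s*#?\s*(\d+)\]")                # [RT #16555], [RT# 16404]


def parse_changes(text):
    """Return (releases, entries) in file order, which is newest first.

    Entries that appear before the first release marker (such as the summary
    at the top of an announcement) are ignored.
    """
    releases, entries, current = [], [], None
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if not line:
            continue
        m = RELEASE_RE.match(line)
        if m:
            releases.append(m.group(1))
            current = None
            continue
        if not releases:
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "category": m.group(2),
                       "text": m.group(3), "release": releases[-1]}
            entries.append(current)
        elif current is not None:
            current["text"] += " " + line  # wrapped continuation line
    for entry in entries:
        rt = RT_RE.search(entry["text"])
        entry["rt"] = rt.group(1) if rt else None
    return releases, entries


def missing_since(text, installed, category="security"):
    """Entries of `category` in every release listed above `installed`."""
    releases, entries = parse_changes(text)
    if installed not in releases:
        raise ValueError(f"no '--- {installed} released ---' marker found")
    newer = set(releases[:releases.index(installed)])
    return [e for e in entries
            if e["release"] in newer and e["category"] == category]


if __name__ == "__main__":
    for e in missing_since(SAMPLE, "9.3.2"):
        print(f'{e["number"]} ({e["release"]}, RT {e["rt"]}): {e["text"]}')
```

For an installed 9.3.2 the result includes change 1951 from 9.3.3b1, a [security] entry that the summary at the top of the announcement does not list.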