1.16.  bind

1.16.1.  RHSA-2009:1179: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1179.
Updated bind packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
[Updated 29th July 2009] The packages in this erratum have been updated to also correct this issue in the bind-sdb package.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
A flaw was found in the way BIND handles dynamic update message packets containing the "ANY" record type. A remote attacker could use this flaw to send a specially-crafted dynamic update packet that could cause named to exit with an assertion failure. (CVE-2009-0696)
Note: even if named is not configured for dynamic updates, receiving such a specially-crafted dynamic update packet could still cause named to exit unexpectedly.
All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

1.16.2.  RHBA-2009:1137: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1137.
Updated bind packages that resolve an issue are now available for Red Hat Enterprise Linux 5.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
These updated bind packages fix the following bug:
  • DNSSEC, the Domain Name System Security Extensions, is a set of specifications used to secure information provided by the domain name system. One of the specifications, DNSSEC Lookaside Validation (DLV), failed to handle unknown algorithms, which caused the name resolution of the "gov" and "org" top-level domains to fail. DLV in these updated packages is now able to handle unknown algorithms, so the validation and resolution of top-level domains (such as "org" and "gov") succeeds, resolving the issue. (BZ#504794)
All users of bind are advised to upgrade to these updated packages, which resolve this issue.

1.16.3. RHBA-2009:1420: bug fix and enhancement update

Updated bind packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named), a resolver library (routines for applications to use when interfacing with DNS), and tools for verifying that the DNS server is operating correctly.
This update upgrades the bind packages to upstream version 9.3.6-P1, which contains bug fixes and enhancements over the previous version.
Notably, this updated BIND is able to handle a much larger number of requests simultaneously. (BZ#457036)
These updated bind packages provide fixes for the following bugs:
  • named occasionally crashed due to an assertion failure, and logged this error message to the system log:
    named[PID]: socket.c:1649: INSIST(!sock->pending_recv) failed
    named[PID]: exiting
    
    This crash was caused by sockets being closed too early. With these updated packages, this assertion failure no longer occurs. (BZ#455802)
  • when using the '-4' option with the "host" and "dig" utilities to force them to use an IPv4 transport, the order in which IPv4 and IPv6 nameservers were listed in the /etc/resolv.conf configuration file affected whether the command would fail or succeed. This has been fixed so that these utilities continue to look for an IPv4 address, even past listed IPv6 addresses, when the '-4' option is supplied. (BZ#469441)
  • the "named-checkconf" utility ignored the "check-names" option in the /etc/named.conf configuration file, which caused the named daemon to fail to start, even if the configuration was valid. With these updated packages, "named-checkconf" no longer ignores the "check-names" option, and named starts up as expected. (BZ#491400)
  • the named init script did not handle the named_write_master_zones SELinux boolean or the permissions on the /var/named/ directory as documented. (BZ#494370)
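Both the CVE-2009-0696 flaw in 1.16.1 and the socket.c bug above make named exit with an assertion failure, which shows up in the system log as an "INSIST(...) failed" line followed by "exiting" from the same PID. The script below is an added example (not part of the errata or the bind package) that scans syslog text for that pattern and maps the socket.c assertion quoted above to its Bugzilla entry; the sample log lines, hostname and PIDs are constructed.

```python
import re

# Syslog layout used by named: "<timestamp> <host> named[PID]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# BIND assertion failures: "<file>:<line>: INSIST(<cond>) failed" (also REQUIRE/ENSURE)
ASSERT_RE = re.compile(
    r"^(?P<file>[\w./-]+):(?P<line>\d+): (?P<kind>INSIST|REQUIRE|ENSURE)\((?P<cond>.*)\) failed$"
)

# Assertion text the advisory attributes to a known, already fixed bug.
KNOWN_ASSERTIONS = {
    ("socket.c", "INSIST", "!sock->pending_recv"): "BZ#455802, fixed in RHBA-2009:1420",
}

# Constructed sample input: one assertion crash and one clean shutdown.
SAMPLE_LOG = """\
Jul 29 10:15:44 ns1 named[2231]: socket.c:1649: INSIST(!sock->pending_recv) failed
Jul 29 10:15:44 ns1 named[2231]: exiting
Jul 29 10:15:50 ns1 named[2302]: starting BIND
Jul 29 10:20:00 ns1 named[2302]: shutting down
Jul 29 10:20:00 ns1 named[2302]: exiting
"""


def find_assertion_crashes(log_text):
    """Return one record per named process that hit an assertion and then exited."""
    pending = {}  # pid -> assertion details not yet followed by "exiting"
    crashes = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        a = ASSERT_RE.match(msg)
        if a:
            pending[pid] = {
                "pid": pid, "time": m.group("ts"),
                "file": a.group("file"), "line": int(a.group("line")),
                "kind": a.group("kind"), "condition": a.group("cond"),
            }
        elif msg == "exiting" and pid in pending:
            # A plain "exiting" without a preceding assertion is a normal shutdown.
            rec = pending.pop(pid)
            key = (rec["file"], rec["kind"], rec["condition"])
            rec["known_issue"] = KNOWN_ASSERTIONS.get(key, "unknown assertion; investigate")
            crashes.append(rec)
    return crashes


if __name__ == "__main__":
    for crash in find_assertion_crashes(SAMPLE_LOG):
        print(crash)
```

Feed it `journalctl`-style or /var/log/messages text; an unknown assertion on an unpatched server is a cue to apply the updates described on this page rather than to tune configuration.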
In addition, these updated packages provide the following enhancements:
  • a new configuration directive which informs secondary servers not to send DNS notify messages, "notify master-only", is now supported. (BZ#477651)
  • dynamic loading of database back-ends is now supported with these updated packages. (BZ#479273)
  • the "allow-query-cache" option, which allows control over access to non-authoritative data (such as cached data and root hints), is now supported. (BZ#483708)
  • the sample /etc/named.conf configuration file provided with these packages has been improved. (BZ#485393)
Users are advised to upgrade to these updated bind packages, which resolve these issues and add these enhancements.