Update to version 9.3.2-P2, which addresses the vulnerability

announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list on 2 November):

Description:
        Because of OpenSSL's recently announced vulnerabilities
        (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
        we are announcing this workaround and releasing patches.  A proof of
        concept attack on OpenSSL has been demonstrated for CAN-2006-4339.

        OpenSSL is required to use DNSSEC with BIND.

Fix for version 9.3.2-P1 and lower:
        Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and
        RSAMD5 keys for all old keys using the old default exponent
        and perform a key rollover to these new keys.

        These versions also change the default RSA exponent to be
        65537 which is not vulnerable to the attacks described in
        CAN-2006-4339.

1 files changed, 15 insertions, 0 deletions

diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index 0cfafd2..b45cec7 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,4 +1,19 @@
 
+	--- 9.3.2-P2 released ---
+
+2090.	[port]		win32: Visual C++ 2005 command line manifest support.
+			[RT #16417]
+
+2089.	[security]	Raise the minimum safe OpenSSL versions to
+			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
+			prior to these have known security flaws which
+			are (potentially) exploitable in named. [RT #16391]
+
+2088.	[security]	Change the default RSA exponent from 3 to 65537.
+			[RT #16391]
+
+2083.	[port]		win32: Visual C++ 2005 support.
+
 	--- 9.3.2-P1 released ---
 
 2066.	[security]	Handle SIG queries gracefully. [RT #16300]