diff options
author | dougb <dougb@FreeBSD.org> | 2007-07-25 08:12:36 +0000 |
---|---|---|
committer | dougb <dougb@FreeBSD.org> | 2007-07-25 08:12:36 +0000 |
commit | e9f5980a15892cbb50c32cfaab95f2dcb23cebcd (patch) | |
tree | 5e59e5d349bab1b1962e57d794d1ceb729fa3150 /contrib/bind9/CHANGES | |
parent | 7fe38836a11b0c3827d4e4c79c7d24ddf4534957 (diff) | |
download | FreeBSD-src-e9f5980a15892cbb50c32cfaab95f2dcb23cebcd.zip FreeBSD-src-e9f5980a15892cbb50c32cfaab95f2dcb23cebcd.tar.gz |
Vendor import of 9.4.1-P1, which has fixes for the following:
1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.
All users are encouraged to upgrade.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
Approved by: re (kensmith, implicit)
Diffstat (limited to 'contrib/bind9/CHANGES')
-rw-r--r-- | contrib/bind9/CHANGES | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES index 358128e..05a4594 100644 --- a/contrib/bind9/CHANGES +++ b/contrib/bind9/CHANGES @@ -1,4 +1,34 @@ + --- 9.4.1-P1 released --- + +2206. [security] "allow-query-cache" and "allow-recursion" now + cross inherit from each other. + + If allow-query-cache is not set in named.conf then + allow-recursion is used if set, otherwise allow-query + is used if set, otherwise the default (localnets; + localhost;) is used. + + If allow-recursion is not set in named.conf then + allow-query-cache is used if set, otherwise allow-query + is used if set, otherwise the default (localnets; + localhost;) is used. + + [RT #16987] + +2203. [security] Query id generation was cryptographically weak. + [RT # 16915] + +2202. [security] The default acls for allow-query-cache and + allow-recursion were not being applied. [RT #16960] + +2193. [port] win32: BINDInstall.exe is now linked statically. + [RT #16906] + +2192. [port] win32: use vcredist_x86.exe to install Visual + Studio's redistributable dlls if building with + Visual Stdio 2005 or later. + --- 9.4.1 released --- 2172. [bug] query_addsoa() was being called with a non zone db. |