New changelog entries:
* Apply patch from ISC BIND 9.6-ESV-R4-P3 to address CVE-2011-2464.
* Apply patches from 9.6-ESV-R4-P1 to address crasher in negative
caching (CVE-2011-1910) and resolution failures in DLV mode.
* New upstream version. Prepare for a signed COM TLD, as per:
<http://www.isc.org/announcement/operational-advisory-bind-96-esv-r3-and-previous>
New changelog entries:
* v9.6-ESV-R3. Addresses CVE-2010-3613, CVE-2010-3614
- Fix denial of service via ncache entry and a rrsig for the
same type (CVE-2010-3613)
- answers were incorrectly marked as insecure during key algorithm
rollover (CVE-2010-3614)
[Internet Software Consortium, Inc]
* v9.6-ESV-R2. Addresses CVE-2010-3762
- Check that named successfully skips NSEC3 records that fail to match
the NSEC3PARAM record currently in use. [RT# 21868]
- Worked around an apparent race condition in over memory conditions.
Without this fix a DNS cache DB or ADB could incorrectly stay in an
over memory state, effectively refusing further caching, which
subsequently made a BIND 9 caching server unworkable. This fix
prevents this problem from happening by polling the state of the
memory context, rather than making a copy of the state, which
appeared to cause a race. This is a "workaround" in that it doesn't
solve the possible race per se, but several experiments proved this
change solves the symptom. Also, the polling overhead hasn't been
reported to be an issue. This bug should only affect a caching
server that specifies a finite max-cache-size. It's also quite
likely that the bug happens only when enabling threads, but it's not
confirmed yet. [RT #21818]
- Named failed to accept uncachable negative responses from insecure
zones. [RT# 21555]
- The resolver could attempt to destroy a fetch context too soon.
[RT #19878]
- The placeholder negative caching element was not properly constructed
triggering an INSIST in dns_ncache_towire(). [RT #21346]
- Handle the introduction of new trusted-keys and DS, DLV RRsets better.
[RT #21097]
- Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877]
- Named could return SERVFAIL for negative responses from unsigned
zones. [RT #21131]
- Handle broken DNSSEC trust chains better. [RT #15619]
[LaMont Jones]
* meta: drop versioned depends from library packages, for less upgrade pain
* cleanup libisc version number. It should be libisc50, not libisc52 or
libisc53
New changelog entries:
* Fix cache poisoning through additional section for secure delegations
(CVE-2009-4022). Backport of ISC changes between 9.5.2 and 9.5.2-P1.
New changelog entries:
[Internet Software Consortium, Inc]
* A specially crafted update packet will cause named to exit.
CVE-2009-0696, CERT VU#725188. Closes: #538975
New changelog entries:
* Non-maintainer upload with permission from maintainer
* Upload "DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]" fix to stable