| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: bind-lwresd | Distribution: openSUSE 12.1 |
| Version: 9.8.1P1 | Vendor: openSUSE |
| Release: 4.4.1 | Build date: Fri Nov 18 09:23:45 2011 |
| Group: Productivity/Networking/DNS/Utilities | Build host: build24 |
| Size: 568652 | Source RPM: bind-9.8.1P1-4.4.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: http://isc.org/sw/bind/ | |
| Summary: Lightweight Resolver Daemon | |
Bind-lwresd provides resolution services to local clients using a combination of the lightweight resolver library liblwres and the resolver daemon process lwresd running on the local host. These communicate using a simple UDP-based protocol, the "lightweight resolver protocol" that is distinct from and simpler than the full DNS protocol.
BSD3c(or similar) ; MIT License (or similar)
* Thu Nov 17 2011 ug@suse.de
- Cache lookup could return RRSIG data associated with nonexistent
records, leading to an assertion failure. (bnc#730995)
CVE-2011-4313
* Wed Oct 26 2011 ug@suse.de
- on a 64bit system a chrooted bind failed to start if 32bit
libs were installed (bnc#716745)
* Fri Sep 30 2011 coolo@suse.com
- add libtool as buildrequire to make the spec file more reliable
* Sat Sep 17 2011 jengelh@medozas.de
- Remove redundant tags/sections from specfile
- Use %_smp_mflags for parallel build
* Fri Sep 16 2011 ug@suse.de
- very first restart can create broken chroot
(bnc#718441)
* Mon Sep 05 2011 ug@suse.de
* fixed SSL in chroot environment (bnc#715881)
* Mon Sep 05 2011 ug@suse.de
* Added a new include file with function typedefs for the DLZ
"dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
* The root key is now provided in the file bind.keys allowing DNSSEC
validation to be switched on at start up by adding
"dnssec-validation auto;" to named.conf. If the root key provided
has expired, named will log the expiration and validation will not
work. More information and the most current copy of bind.keys can
be found at http://www.isc.org/bind-keys. *Please note this feature
was actually added in 9.8.0 but was not included in the 9.8.0
release notes. [RT #21727]
* If named is configured with a response policy zone (RPZ) and a
query of type RRSIG is received for a name configured for RRset
replacement in that RPZ, it will trigger an INSIST and crash the
server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user
querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
query type independant. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label can cause named to crash. Now logs that
DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE
requests, which some Windows clients wanted. This exposed a latent
bug that allowed the response message to crash named. With this
fix, change 2912 has been reduced to copy only the zone section to
the reply. A more complete fix for the latent bug will be released
later. [RT #24777]
* many bugfixes (see CHANGELOG)
* 9.8.1
* Wed Aug 31 2011 rhafer@suse.de
- Fixed the ldapdump tool to also respect the "uri" setting in
/etc/openldap/ldap.conf (bnc#710430)
* Tue Jul 05 2011 ug@suse.de
* Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label can cause named to crash. Now logs that
DNAME is not supported. [RT #24766]
* If named is configured to be both authoritative and resursive and
receives a recursive query for a CNAME in a zone that it is
authoritative for, if that CNAME also points to a zone the server
is authoritative for, the recursive part of name will not follow
the CNAME change and the response will not be a complete CNAME
chain. [RT #24455]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
query type independant. [RT #24715] [CVE-2011-1907]
* Change #2912 (see CHANGES) exposed a latent bug in the DNS message
processing code that could allow certain UPDATE requests to crash
named. This was fixed by disambiguating internal database
representation vs DNS wire format data. [RT #24777] [CVE-2011-2464]
* 9.8.0-P4
* Tue Jun 07 2011 ug@suse.de
- A large RRSET from a remote authoritative server that results in
the recursive resolver trying to negatively cache the response can
hit an off by one code error in named, resulting in named crashing.
[RT #24650] [CVE-2011-1910]
- Zones that have a DS record in the parent zone but are also listed
in a DLV and won't validate without DLV could fail to validate. [RT
[#24631]]
* Mon May 23 2011 crrodriguez@opensuse.org
- Build with -DNO_VERSION_DATE to avoid timestamps in binaries.
* Thu May 19 2011 meissner@suse.de
- buildreq update-desktop-files for newer rpms
* Thu May 05 2011 ug@suse.de
- The ADB hash table stores informations about which authoritative
servers to query about particular domains
- BIND now supports a new zone type, static-stub
- BIND now supports Response Policy Zones
- BIND 9.8.0 now has DNS64 support
- Dynamically Loadable Zones (DLZ) now support dynamic updates.
- Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named
- named now retains GSS-TSIG keys across restarts
- There is a new update-policy match type "external".
- bugfixes
- version to 9.8.0
* Thu Feb 24 2011 ug@suse.de
- fixed security issue
VUL-0: bind: IXFR or DDNS update combined with high query rate
DoS vulnerability (CVE-2011-0414 bnc#674431)
- version to 9.7.3
* Wed Jan 05 2011 meissner@suse.de
- ifdef the sysvinit specific prereqs for openSUSE 11.4 and later
* Thu Dec 09 2010 mvyskocil@suse.cz
- fix bnc#656509 - direct mount of /proc in chroot
* Tue Dec 07 2010 coolo@novell.com
- prereq init scripts syslog and network
* Thu Dec 02 2010 ug@suse.de
- fixed VUL-0: bind: Key algorithm rollover bug
bnc#657102, CVE-2010-3614
- fixed VUL-0: bind: allow-query processed incorrectly
bnc#657120, CVE-2010-3615
- fixed VUL-0: bind: cache incorrectly allows a ncache entry and a rrsig for the same type
bnc#657129, CVE-2010-3613
* Tue Nov 23 2010 ug@suse.de
- fixed return code of "rcnamed status"
- added gssapi support
* Tue Oct 12 2010 ug@suse.de
- Zones may be dynamically added and removed with the "rndc addzone"
and "rndc delzone" commands. These dynamically added zones are
written to a per-view configuration file. Do not rely on the
configuration file name nor contents as this will change in a
future release. This is an experimental feature at this time.
- Added new "filter-aaaa-on-v4" access control list to select which
IPv4 clients have AAAA record filtering applied.
- A new command "rndc secroots" was added to dump a combined summary
of the currently managed keys combined with statically configured
trust anchors.
- Added support to load new keys into managed zones without signing
immediately with "rndc loadkeys". Added support to link keys with
"dnssec-keygen -S" and "dnssec-settime -S".
- Documentation improvements
- ORCHID prefixes were removed from the automatic empty zone list.
- Improved handling of GSSAPI security contexts. Specifically, better
memory management of cached contexts, limited lifetime of a context
to 1 hour, and added a "realm" command to nsupdate to allow
selection of a non-default realm name.
- The contributed tool "ztk" was updated to version 1.0.
- version 9.7.1 to 9.7.2-P2
* Mon Jul 26 2010 ug@suse.de
- chrooted bind failed to start (bnc#625019)
* Mon Jun 21 2010 ug@suse.de
- genrandom: add support for the generation of multiple
files.
- Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13.
- Incrementally write the master file after performing
a AXFR.
- Add AAAA address for L.ROOT-SERVERS.NET.
- around 50 bugs fixed (see CHANGELOG for details)
- version 9.7.1
* Thu May 20 2010 ug@suse.de
- Handle broken DNSSEC trust chains better. [RT #15619]
- Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131
- version 9.7.0-P2
* Sat May 01 2010 aj@suse.de
- Handle /var/run on tmpfs.
- do not use run_ldconfig.
* Wed Feb 24 2010 jengelh@medozas.de
- Enable DLZ-LDAP (supersedes sdb_ldap) and add a patch
* Wed Feb 17 2010 ug@suse.de
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
- version 9.7.0
* Wed Jan 20 2010 ug@suse.de
- [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]
- [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
- [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
- version 9.6.1-P3
* Mon Jan 04 2010 ug@suse.de
- removed the syntax check for include files (bnc#567593)
* Tue Dec 15 2009 jengelh@medozas.de
- add baselibs.conf as a source
- enable parallel building
- add baselibs for SPARC
- package documentation as noarch
* Wed Nov 25 2009 ug@suse.de
- Security fix
When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
CVE-2009-4022
bnc#558260
- update from P1 to P2
* Fri Nov 20 2009 ug@suse.de
- added localhost for ipv6 to default config (bnc#539529)
* Wed Nov 18 2009 ug@suse.de
- fixed apparmor profile (bnc#544181)
* Tue Nov 03 2009 coolo@novell.com
- updated patches to apply with fuzz=0
* Wed Sep 30 2009 ug@suse.de
- using start_daemon instead of startproc (bnc#539532)
* Mon Aug 10 2009 ug@suse.de
- version update to 9.6.1-P1
(security fix CVE-2009-0696)
bnc#526185
* Tue Jun 30 2009 ug@suse.de
- enabled MySQL DLZ (Dynamically Loadable Zones)
* Tue Jun 16 2009 ug@suse.de
- around 50 bugfixes against 9.6.0p1
See changelog for details
- version 9.6.1
* Thu Apr 09 2009 ug@suse.de
- not all include files were copied into chroot (bnc#466800)
* Tue Mar 03 2009 ug@suse.de
- /etc/named.conf does not include /etc/named.d/forwarders.conf
by default (bnc#480334)
/etc/init.d/lwresd /usr/sbin/lwresd /usr/sbin/rclwresd /usr/share/man/man8/lwresd.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun May 19 02:48:42 2013