BIND 9.3.2-P2 is now available.
Mark Andrews
Mark_Andrews at isc.org
Fri Nov 3 00:10:43 UTC 2006
BIND 9.3.2-P2 is now available.
BIND 9.3.2-P2 is a SECURITY release for BIND 9.3.
BIND 9.3.2-P2 can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz
The PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.
A binary kit for Windows NT 4.0 and Windows 2000 is at
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip
The PGP signature of the binary kit for Windows NT 4.0 and Windows 2000 is at
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.sha512.asc
A list of changes made since 9.3.0 follows. For earlier changes,
see the file CHANGES in the distribution.
--------
--- 9.3.2-P2 released ---
2090. [port] win32: Visual C++ 2005 command line manifest support.
[RT #16417]
2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named. [RT #16391]
2088. [security] Change the default RSA exponent from 3 to 65537.
[RT #16391]
2083. [port] win32: Visual C++ 2005 support.
--- 9.3.2-P1 released ---
2066. [security] Handle SIG queries gracefully. [RT #16300]
1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]
--- 9.3.2 released ---
--- 9.3.2rc1 released ---
1936. [bug] The validator could leak memory. [RT #15544]
1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
--- 9.3.2b2 released ---
1930. [port] HPUX: ia64 support. [RT #15473]
1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
1926. [bug] The Windows installer did not check for empty
passwords. BINDinstall was being installed in
the wrong place. [RT #15483]
1925. [port] All outer level AC_TRY_RUNs need cross compiling
defaults. [RT #15469]
1924. [port] libbind: hpux ia64 support. [RT #15473]
1923. [bug] ns_client_detach() called too early. [RT #15499]
--- 9.3.2b1 released ---
1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
when generating man pages. [RT #15385]
1915. [bug] dig +ndots was broken. [RT #15215]
1914. [protocol] DS is required to accept mnemonic algorithms
(RFC 4034). Still emit numeric algorithms for
compatability with RFC 3658. [RT #15354]
1911. [bug] Update windows socket code. [RT #14965]
1910. [bug] dig's +sigchase code overhauled. [RT #14933]
1909. [bug] The DLV code has been re-worked to make no longer
query order sensitive. [RT #14933]
1905. [bug] Strings returned from cfg_obj_asstring() should be
treated as read-only. [RT #15256]
1901. [cleanup] Don't add DNSKEY records to the additional section.
1900. [bug] ixfr-from-differences failed to ensure that the
serial number increased. [RT #15036]
1896. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
ISC_NETADDR_FORMATSIZE to allow for scope details.
1894. [bug] Recursive clients soft quota support wasn't working
as expected. [RT #15103]
1893. [bug] A escaped character is, potentially, converted to
the output character set too early. [RT #14666]
1892. [port] Use uintptr_t if available. [RT #14606]
1889. [port] sunos: non blocking i/o support. [RT #14951]
1887. [bug] The cache could delete expired records too fast for
clients with a virtual time in the past. [RT #14991]
1886. [bug] fctx_create() could return success even though it
failed. [RT #14993]
1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
levels. [RT #14962]
1881. [func] Add a system test for named-checkconf. [RT #14931]
1877. [bug] Fix unreasonably low quantum on call to
dns_rbt_destroy2(). Remove unnecessay unhash_node()
call. [RT #14919]
1875. [bug] process_dhtkey() was using the wrong memory context
to free some memory. [RT #14890]
1874. [port] sunos: portability fixes. [RT #14814]
1873. [port] win32: isc__errno2result() now reports its caller.
[RT #13753]
1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
1867. [bug] It was possible to trigger a INSIST in
dlv_validatezonekey(). [RT #14846]
1866. [bug] resolv.conf parse errors were being ignored by
dig/host/nslookup. [RT #14841]
1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
bad addresses. [RT #14841]
1864. [bug] Don't try the alternative transfer source if you
got a answer / transfer with the main source
address. [RT #14802]
1863. [bug] rrset-order "fixed" error messages not complete.
1861. [bug] dig could trigger a INSIST on certain malformed
responses. [RT #14801]
1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
incorrectly set. [RT #14775]
1858. [bug] The flush-zones-on-shutdown option wasn't being
parsed. [RT #14686]
1857. [bug] named could trigger a INSIST() if reconfigured /
reloaded too fast. [RT #14673]
1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
[RT #11398]
1855. [bug] ixfr-from-differences was failing to detect changes
of ttl due to dns_diff_subtract() was ignoring the ttl
of records. [RT #14616]
1854. [bug] lwres also needs to know the print format for
(long long). [RT #13754]
1853. [bug] Rework how DLV interacts with proveunsecure().
[RT #13605]
1852. [cleanup] Remove last vestiges of dnssec-signkey and
dnssec-makekeyset (removed from Makefile years ago).
1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
1849. [doc] All forms of the man pages (docbook, man, html) should
have consistant copyright dates.
1848. [bug] Improve SMF integration. [RT #13238]
1847. [bug] isc_ondestroy_init() is called too late in
dns_rbtdb_create()/dns_rbtdb64_create().
[RT #13661]
1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
<bortzmeyer at nic.fr>.
1845. [bug] Improve error reporting to distingish between
accept()/fcntl() and socket()/fcntl() errors.
[RT #13745]
1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
for each 16 bit piece of the IPv6 address. The text
representation of a IPv6 address has been tighted
to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
[RT #5662]
1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
when CFLAGS contains "-I /usr/local/include"
resulting in old header files being used.
1842. [port] cmsg_len() could produce incorrect results on
some platform. [RT #13744]
1841. [bug] "dig +nssearch" now makes a recursive query to
find the list of nameservers to query. [RT #13694]
1839. [bug] <isc/hash.h> was not being installed.
1838. [cleanup] Don't allow Linux capabilities to be inherited.
[RT #13707]
1837. [bug] Compile time option ISC_FACILITY was not effective
for 'named -u <user>'. [RT #13714]
1836. [cleanup] Silence compiler warnings in hash_test.c.
1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
1834. [bug] Bad memset in rdata_test.c. [RT #13658]
1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
[RT #13620]
1831. [doc] Update named-checkzone documentation. [RT#13604]
1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
1829. [bug] win32: "pid-file none;" broken. [RT #13563]
1828. [bug] isc_rwlock_init() failed to properly cleanup if it
encountered a error. [RT #13549]
1827. [bug] host: update usage message for '-a'. [RT #37116]
1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
of memory error. [RT #13537]
1825. [bug] Missing UNLOCK() on out of memory error from in
rbtdb.c:subtractrdataset(). [RT #13519]
1824. [bug] Memory leak on dns_zone_setdbtype() failure.
[RT #13510]
1823. [bug] Wrong macro used to check for point to point interface.
[RT#13418]
1822. [bug] check-names test for RT was reversed. [RT #13382]
1821. [doc] acls definitions are no longer required to be
in named.conf prior to reference. They can be
defined after being referenced.
1820. [bug] Gracefully handle acl loops. [RT #13659]
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]
1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
[RT #13597]
1815. [bug] nsupdate triggered a REQUIRE if the server was set
without also setting the zone and it encountered
a CNAME and was using TSIG. [RT #13086]
1810. [bug] configure, lib/bind/configure make different default
decisions about whether to do a threaded build.
[RT #13212]
1809. [bug] "make distclean" failed for libbind if the platform
is not supported.
1807. [bug] When forwarding (forward only) set the active domain
from the forward zone name. [RT #13526]
1804. [bug] Ensure that if we are queried for glue that it fits
in the additional section or TC is set to tell the
client to retry using TCP. [RT #10114]
1803. [bug] dnssec-signzone sometimes failed to remove old
RRSIGs. [RT #13483]
1802. [bug] Handle connection resets better. [RT #11280]
1799. [bug] 'rndc flushname' failed to flush negative cache
entries. [RT #13438]
1795. [bug] "rndc dumpdb" was not fully documented. Minor
formating issues with "rndc dumpdb -all". [RT #13396]
1791. [bug] 'host -t a' still printed out AAAA and MX records.
[RT #13230]
--- 9.3.1 released ---
1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
--- 9.3.1rc1 released ---
1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
[RT #13453]
1808. [bug] zone.c:notify_zone() contained a race condition,
zone->db could change underneath it. [RT #13511]
1806. [bug] The resolver returned the wrong result when a CNAME /
DNAME was encountered when fetching glue from a
secure namespace. [RT #13501]
1805. [bug] Pending status was not being cleared when DLV was
active. [RT #13501]
--- 9.3.1beta2 released ---
1800. [bug] Changes #1719 allowed a INSIST to be triggered.
[RT #13428]
--- 9.3.1beta1 released ---
1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
allow parallel make to succeed.
1789. [bug] Prerequisite test for tkey and dnssec could fail
with "configure --with-libtool".
1788. [bug] libbind9.la/libbind9.so needs to link against
libisccfg.la/libisccfg.so.
1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
1786. [port] AIX: libt_api needs to be taught to look for
T_testlist in the main executable (--with-libtool).
[RT #13239]
1785. [bug] libbind9.la/libbind9.so needs to link against
libisc.la/libisc.so.
1784. [cleanup] "libtool -allow-undefined" is the default.
Leave hooks in configure to allow it to be set
if needed in the future.
1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
source tree.
1782. [port] OSX: --with-libtool + --enable-libbind broke on
__evOptMonoTime. [RT #13219]
1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
1780. [bug] Update libtool to 1.5.10.
1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
IN6ADDR_LOOPBACK_INIT macros.
1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
IN6ADDR_LOOPBACK_INIT macros.
1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
IN6ADDR_LOOPBACK_INIT macros.
1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
1774. [port] Aix: Silence compiler warnings / build failures.
[RT #13154]
1773. [bug] Fast retry on host / net unreachable. [RT #13153]
1770. [bug] named-checkconf failed to report missing a missing
file clause for rbt{64} master/hint zones. [RT#13009]
1769. [port] win32: change compiler flags /MTd ==> /MDd,
/MT ==> /MD.
1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
rdataset. [RT #12907]
1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
support for (struct in6_pktinfo) failed. [RT #13077]
1766. [bug] Update the master file timestamp on successful refresh
as well as the journal's timestamp. [RT# 13062]
1765. [bug] configure --with-openssl=auto failed. [RT #12937]
1764. [bug] dns_zone_replacedb failed to emit a error message
if there was no SOA record in the replacment db.
[RT #13016]
1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
even when it failed. [RT #12995]
1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
[RT #12971]
1760. [bug] Host / net unreachable was not penalising rtt
estimates. [RT #12970]
1759. [bug] Named failed to startup if the OS supported IPv6
but had no IPv6 interfaces configured. [RT #12942]
1754. [bug] We wern't always attempting to query the parent
server for the DS records at the zone cut.
[RT #12774]
1753. [bug] Don't serve a slave zone which has no NS records.
[RT #12894]
1752. [port] Move isc_app_start() to after ns_os_daemonise()
as some fork() implementations unblock the signals
that are blocked by isc_app_start(). [RT #12810]
1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
[RT #12864]
1749. [bug] 'check-names response ignore;' failed to ignore.
[RT #12866]
1747. [bug] BIND 8 compatability: named/named-checkconf failed
to parse "host-statistics-max" in named.conf.
1745. [bug] Dig/host/nslookup accept replies from link locals
regardless of scope if no scope was specified when
query was sent. [RT #12745]
1744. [bug] If tuple2msgname() failed to convert a tuple to
a name a REQUIRE could be triggered. [RT #12796]
1743. [bug] If isc_taskmgr_create() was not able to create the
requested number of worker threads then destruction
of the manager would trigger an INSIST() failure.
[RT #12790]
1742. [bug] Deleting all records at a node then adding a
previously existing record, in a single UPDATE
transaction, failed to leave / regenerate the
associated RRSIG records. [RT #12788]
1741. [bug] Deleting all records at a node in a secure zone
using a update-policy grant failed. [RT #12787]
1740. [bug] Replace rbt's hash algorithm as it performed badly
with certain zones. [RT #12729]
NOTE: a hash context now needs to be established
via isc_hash_create() if the application was not
already doing this.
1739. [bug] dns_rbt_deletetree() could incorrectly return
ISC_R_QUOTA. [RT #12695]
1738. [bug] Enable overrun checking by default. [RT #12695]
1737. [bug] named failed if more than 16 masters were specified.
[RT #12627]
1736. [bug] dst_key_fromnamedfile() could fail to read a
public key. [RT #12687]
1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
[RE #12688]
1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
[RT #12588]
1733. [bug] Return non-zero exit status on initial load failure.
[RT #12658]
1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
[RT #12467]
1731. [port] darwin: relax version test in ifconfig.sh.
[RT #12581]
1730. [port] Determine the length type used by the socket API.
[RT #12581]
1728. [doc] Update check-names documentation.
1727. [bug] named-checkzone: check-names support didn't match
documentation.
1726. [port] aix5: add support for aix5.
1725. [port] linux: update error message on interaction of threads,
capabilities and setuid support (named -u). [RT #12541]
1724. [bug] Look for DNSKEY records with "dig +sigtrace".
[RT #12557]
1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
1722. [bug] Don't commit the journal on malformed ixfr streams.
[RT #12519]
1721. [bug] Error message from the journal processing were not
always identifing the relevent journal. [RT #12519]
1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
negative response. [RT #12506]
1719. [bug] named was not correctly caching a RFC 2308 Type 1
negative response. [RT #12506]
1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
responses when looking for the zone / master server.
[RT #12506]
1717. [port] solaris: ifconfig.sh did not support Solaris 10.
"ifconfig.sh down" didn't work for Solaris 9.
1716. [doc] named.conf(5) was being installed in the wrong
location. [RT# 12441]
1714. [bug] dig/host/nslookup were only trying the first
address when a nameserver was specified by name.
[RT #12286]
1713. [port] linux: extend capset failure message to say:
please ensure that the capset kernel module is
loaded. see insmod(8)
1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
--- 9.3.0 released ---
More information about the bind-announce
mailing list