1.14.1. RHSA-2010:0975: Important security update
Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
It was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613)
It was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. (CVE-2010-3614)
All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.
1.14.2. RHBA-2011:0541: bug fix and enhancement update
Updated bind packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named), a resolver library (routines applications use when interfacing with DNS), and tools for verifying that the DNS server is operating correctly.
This update fixes the following bugs:
Previously, bind on the 64-bit PowerPC architecture used emulated atomic operations rather than native instructions. In this updated package, bind on 64-bit PowerPC uses the same native atomic operations as on the PowerPC architecture. (BZ#623638)
Previously, the bind package generated the /etc/rndc.key file during installation. Generating this file drew entropy from /dev/random, so installation of the bind package could hang. The rndc.key file, which the rndc utility uses for advanced administration commands, is no longer generated automatically during installation of the bind package. Users who require the rndc utility should generate the key themselves with the "rndc-confgen -a" command. (BZ#677381)
Under certain circumstances, named entered a deadlock and consequently could not be stopped with the "/etc/init.d/named stop" command. In this updated package, the deadlock no longer occurs, resolving this issue. (BZ#623122)
Previously, the named_sdb PostgreSQL database back end did not reconnect to the database when the connection failed during named_sdb startup. With this update, named writes an error message to the system log and retries the connection on every lookup. (BZ#623190)
Previously, file conflicts prevented the i686 and x86_64 versions of bind-devel from being installed on the same machine. With this update, the file conflict is resolved and both the i686 and x86_64 bind-devel packages can be installed on the same system. (BZ#658045)
Previously, the init script killed all processes named "named" when stopping the named daemon. With this update, the init script kills only the daemon instance it manages. (BZ#622785)
The return codes of the dig utility are now documented in the dig man page. (BZ#640538)
Previously, the named.8 man page mentioned the system-config-bind utility, which is not included with Red Hat Enterprise Linux 6. The man page has been updated to remove this reference. (BZ#660676)
The "status" action of the named init script did not complete when the bind-sdb package was installed. These updated packages resolve this issue. (BZ#661663, BZ#672777)
When resolv.conf contained the "search" keyword with no arguments, the host, nslookup, and dig utilities failed to parse it correctly. In these updated packages, such lines are ignored. (BZ#669163)
Previously, the nsupdate man page incorrectly listed HMAC-MD5 as the only TSIG algorithm. In this updated package, the list of algorithms has been removed from the nsupdate man page; the dnssec-keygen man page contains the complete list of usable algorithms. (BZ#672819)
In addition, this update adds the following enhancements:
The bind packages in this update are rebased to version 9.7.3. The References section of this erratum contains a link to the bind release notes. (BZ#653486)
The host utility now honors the "debug", "attempts", and "timeout" options in resolv.conf. (BZ#622764)
A new option, DISABLE_ZONE_CHECKING, has been added to /etc/sysconfig/named. Setting it makes the init script skip the zone validation it otherwise performs with the named-checkzone utility, so named can be started even with misconfigured zones. (BZ#623673)
With this update, the size, MD5 checksum, and modification time of the /etc/sysconfig/named configuration file are no longer checked by the "rpm -V bind" command. (BZ#646932)
The root zone DNSKEY is now included in the bind package, in the /etc/named.root.key file. (BZ#667375)
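The rndc.key change above and the new DISABLE_ZONE_CHECKING option and /etc/named.root.key file are the points an administrator would want to verify after applying this update. The POSIX shell helpers below are an added example, not part of this erratum or of the bind packages: the function names, the spellings accepted as a "yes" value for DISABLE_ZONE_CHECKING, and the assumed format of the trust anchor file (a managed-keys initial-key statement or a plain DNSKEY record) are assumptions, and file paths are passed as arguments so the checks can be run against copies.

```shell
#!/bin/sh
# Added example (not from the erratum): audit helpers for the configuration
# points RHBA-2011:0541 changes. Function names and the truthy spellings of
# DISABLE_ZONE_CHECKING accepted below are assumptions; the file names and the
# option itself come from the erratum text.

# 0 if init-script zone checking is still active, 1 if the sysconfig file turns
# it off (named would then start even with zones that named-checkzone rejects).
zone_checking_enabled() {
    [ -r "$1" ] || return 0            # no file: option absent, default applies
    # Last uncommented assignment wins, as it would when the init script sources it.
    val=$(grep '^[[:space:]]*DISABLE_ZONE_CHECKING=' "$1" | sed 's/#.*//' \
          | tail -n 1 | cut -d= -f2- | tr -d "\"' ")
    case "$val" in
        [Yy][Ee][Ss]|1|[Tt][Rr][Uu][Ee]) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if the rndc key file exists and has no group/other permission bits. Since
# the key is no longer generated at install time, a missing file means
# "rndc-confgen -a" has not been run yet.
rndc_key_ok() {
    [ -f "$1" ] || { echo "missing $1: run rndc-confgen -a" >&2; return 1; }
    # Characters 5-10 of ls -l output are the group and other permission bits.
    perm=$(ls -ld "$1" | cut -c5-10)
    case "$perm" in
        ------) return 0 ;;
        *) echo "$1 is accessible by group/others ($perm)" >&2; return 1 ;;
    esac
}

# 0 if the shipped root trust anchor exists and holds a key, accepting either a
# managed-keys initial-key statement or a plain DNSKEY record (format assumed).
root_key_present() {
    grep -Eq 'initial-key|DNSKEY' "$1" 2>/dev/null
}

# Runs all three checks; the return value is the number of failed checks.
audit_bind() {
    fails=0
    zone_checking_enabled "$1" || { echo "WARN: zone checking disabled in $1"; fails=$((fails + 1)); }
    rndc_key_ok "$2" || fails=$((fails + 1))
    root_key_present "$3" || { echo "WARN: no trust anchor in $3"; fails=$((fails + 1)); }
    return "$fails"
}
```

Run as `audit_bind /etc/sysconfig/named /etc/rndc.key /etc/named.root.key` on the updated host; a non-zero exit status counts the checks that need attention.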
Users are advised to upgrade to these updated bind packages, which resolve these issues and add these enhancements.