5.14. bind-dyndb-ldap
An updated bind-dyndb-ldap package that fixes one security issue is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.
Security Fix
- CVE-2012-3429
- A flaw was found in the way bind-dyndb-ldap performed the escaping of names from DNS requests for use in LDAP queries. A remote attacker able to send DNS queries to a named server that is configured to use bind-dyndb-ldap could use this flaw to cause named to exit unexpectedly with an assertion failure.
Red Hat would like to thank Sigbjorn Lie of Atea Norway for reporting this issue.
All bind-dyndb-ldap users should upgrade to this updated package, which contains a backported patch to correct this issue. For the update to take effect, the named service must be restarted.
An updated bind-dyndb-ldap package which provides a number of bug fixes and enhancements is now available for Red Hat Enterprise Linux 6.
The dynamic
LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.
Note
The bind-dyndb-ldap package has been upgraded to upstream version 1.1.0b2, which provides a number of bug fixes and enhancements over the previous version (BZ#767486).
Bug Fixes
- BZ#751776
- The bind-dyndb-ldap plug-in refused to load an entire zone when it contained an invalid Resource Record (RR) with the same Fully Qualified Domain Name (FQDN) as the zone name (for example an MX record). With this update, the code for parsing Resource Records has been improved. If an invalid RR is encountered, an error message “Failed to parse RR entry” is logged and the zone continues to load successfully.
- BZ#767489
- When the first connection to an
LDAPserver failed, the bind-dyndb-ldap plug-in did not try to connect again. Consequently, users had to execute the "rndc reload" command to make the plug-in work. With this update, the plug-in periodically retries to connect to an LDAP server. As a result, user intervention is no longer required and the plug-in works as expected. - BZ#767492
- When the
zone_refreshperiod timed out and a zone was removed from theLDAPserver, the plug-in continued to serve the removed zone. With this update, the plug-in no longer serves zones which have been deleted from LDAP when thezone_refreshparameter is set. - BZ#789356
- When the named daemon received the
rndc reloadcommand or aSIGHUPsignal and the plug-in failed to connect to an LDAP server, the plug-in caused named to terminate unexpectedly when it received a query which belonged to a zone previously handled by the plug-in. This has been fixed, the plug-in no longer serves its zones when connection to LDAP fails during reload and no longer crashes in the scenario described. - BZ#796206
- The plug-in terminated unexpectedly when named lost connection to an
LDAPserver for some time, then reconnected successfully, and some zones previously present had been removed from the LDAP server. The bug has been fixed and the plug-in no longer crashes in the scenario described. - BZ#805871
- Certain string lengths were incorrectly set in the plug-in. Consequently, the Start of Authority (SOA) serial number and expiry time were incorrectly set for the forward zone during ipa-server installation. With this update, the code has been improved and the SOA serial number and expiry time are set as expected.
- BZ#811074
- When a Domain Name System (DNS) zone was managed by a bind-dyndb-ldap plugin and a sub-domain was delegated to another
DNSserver, the plug-in did not put A or AAAA glue records in the “additional section” of a DNS answer. Consequently, the delegated sub-domain was not accessible by other DNS servers. With this update, the plug-in has been fixed and now returns A or AAAA glue records of a delegated sub-domain in the “additional section”. As a result, delegated zones are correctly resolvable in the scenario described. - BZ#818933
- Previously, the bind-dyndb-ldap plug-in did not escape non-ASCII characters in incoming DNS queries correctly. Consequently, the plug-in failed to send answers for queries which contained non-ASCII characters such as “,”. The plug-in has been fixed and now correctly returns answers for queries with non-ASCII characters.
Enhancements
- BZ#733371
- The bind-dyndb-ldap plug-in now supports two new attributes,
idnsAllowQueryandidnsAllowTransfer, which can be used to set ACLs for queries or transfers. Refer to/usr/share/doc/bind-dyndb-ldap/READMEfor information on the attributes. - BZ#754433
- The plug-in now supports the new zone attributes
idnsForwardersandidnsForwardPolicywhich can be used to configure forwarding. Refer to/usr/share/doc/bind-dyndb-ldap/READMEfor a detailed description. - BZ#766233
- The plug-in now supports zone transfers.
- BZ#767494
- The plug-in has a new option called
sync_ptrthat can be used to keep A and AAAA records and their PTR records synchronized. Refer to/usr/share/doc/bind-dyndb-ldap/READMEfor a detailed description. - BZ#795406
- It was not possible to store configuration for the plug-in in
LDAPand configuration was only taken from thenamed.conffile. With this update, configuration information can be obtained fromidnsConfigObjectin LDAP. Note that options set in named.conf have lower priority than options set in LDAP. The priority will change in future updates. Refer to the README file for more details.
Users of bind-dyndb-ldap package should upgrade to this updated package, which fixes these bugs and adds these enhancements.
