5.14. bind-dyndb-ldap
An updated bind-dyndb-ldap package that fixes one security issue is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.
Security Fix
- CVE-2012-3429: A flaw was found in the way bind-dyndb-ldap performed the escaping of names from DNS requests for use in LDAP queries. A remote attacker able to send DNS queries to a named server that is configured to use bind-dyndb-ldap could use this flaw to cause named to exit unexpectedly with an assertion failure.
Red Hat would like to thank Sigbjorn Lie of Atea Norway for reporting this issue.
All bind-dyndb-ldap users should upgrade to this updated package, which contains a backported patch to correct this issue. For the update to take effect, the named service must be restarted.
An updated bind-dyndb-ldap package which provides a number of bug fixes and enhancements is now available for Red Hat Enterprise Linux 6.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.
Note
The bind-dyndb-ldap package has been upgraded to upstream version 1.1.0b2, which provides a number of bug fixes and enhancements over the previous version (BZ#767486).
Bug Fixes
- BZ#751776: The bind-dyndb-ldap plug-in refused to load an entire zone when it contained an invalid Resource Record (RR) with the same Fully Qualified Domain Name (FQDN) as the zone name (for example, an MX record). With this update, the code for parsing Resource Records has been improved. If an invalid RR is encountered, the error message “Failed to parse RR entry” is logged and the zone continues to load successfully.
- BZ#767489: When the first connection to an LDAP server failed, the bind-dyndb-ldap plug-in did not try to connect again. Consequently, users had to execute the "rndc reload" command to make the plug-in work. With this update, the plug-in periodically retries connecting to the LDAP server. As a result, user intervention is no longer required and the plug-in works as expected.
- BZ#767492: When the zone_refresh period timed out and a zone was removed from the LDAP server, the plug-in continued to serve the removed zone. With this update, the plug-in no longer serves zones which have been deleted from LDAP when the zone_refresh parameter is set.
- BZ#789356: When the named daemon received the "rndc reload" command or a SIGHUP signal and the plug-in failed to connect to an LDAP server, the plug-in caused named to terminate unexpectedly when it received a query which belonged to a zone previously handled by the plug-in. This has been fixed: the plug-in no longer serves its zones when the connection to LDAP fails during reload, and it no longer crashes in the scenario described.
- BZ#796206: The plug-in terminated unexpectedly when named lost its connection to an LDAP server for some time, then reconnected successfully, and some zones previously present had been removed from the LDAP server. The bug has been fixed and the plug-in no longer crashes in the scenario described.
- BZ#805871: Certain string lengths were incorrectly set in the plug-in. Consequently, the Start of Authority (SOA) serial number and expiry time were incorrectly set for the forward zone during ipa-server installation. With this update, the code has been improved and the SOA serial number and expiry time are set as expected.
- BZ#811074: When a Domain Name System (DNS) zone was managed by the bind-dyndb-ldap plug-in and a sub-domain was delegated to another DNS server, the plug-in did not put A or AAAA glue records in the “additional section” of a DNS answer. Consequently, the delegated sub-domain was not accessible to other DNS servers. With this update, the plug-in has been fixed and now returns A or AAAA glue records of a delegated sub-domain in the “additional section”. As a result, delegated zones are correctly resolvable in the scenario described.
- BZ#818933: Previously, the bind-dyndb-ldap plug-in did not escape non-ASCII characters in incoming DNS queries correctly. Consequently, the plug-in failed to send answers for queries which contained non-ASCII characters such as “,”. The plug-in has been fixed and now correctly returns answers for queries with non-ASCII characters.
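Both CVE-2012-3429 above and BZ#818933 come down to the same property: a DNS label may carry any octet, and every one of those octets must map to a defined, bounded encoding before the name is placed in an LDAP distinguished name. The following C function is an added illustration of that property, not code from bind-dyndb-ldap. It escapes a single DN attribute value according to the rules of RFC 4514 section 2.4 and reports the length the escaped value needs in snprintf style, so a caller sizes its buffer from the function's answer rather than from an assumption about the input. The DN layout printed by main() is a hypothetical example, used only to show where the escaped value lands.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not bind-dyndb-ldap code): escape one attribute value
 * for use inside an LDAP DN, following RFC 4514 section 2.4.
 *
 * Writes at most outlen-1 bytes plus a NUL terminator into out and returns
 * the length the fully escaped value needs (snprintf style). Passing
 * out == NULL, outlen == 0 only measures, so the caller can allocate exactly.
 */
static void put_byte(char *out, size_t outlen, size_t *pos, char ch)
{
    if (*pos + 1 < outlen)      /* keep one byte for the terminator */
        out[*pos] = ch;
    (*pos)++;
}

size_t ldap_dn_escape(const char *value, size_t len, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t pos = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];

        /* Control bytes, NUL and every non-ASCII octet become \XX hex pairs.
         * DNS labels are arbitrary octets (RFC 1035), so this branch is
         * reachable from the wire, not only from operator typos. */
        if (c < 0x20 || c >= 0x80) {
            put_byte(out, outlen, &pos, '\\');
            put_byte(out, outlen, &pos, hex[c >> 4]);
            put_byte(out, outlen, &pos, hex[c & 0x0F]);
            continue;
        }

        /* Characters that are special anywhere in a DN value, plus a
         * leading '#' and a leading or trailing space, get a backslash. */
        int special = strchr("\"+,;<>\\", c) != NULL;
        int edge_space = (c == ' ' && (i == 0 || i + 1 == len));
        int lead_hash = (c == '#' && i == 0);
        if (special || edge_space || lead_hash)
            put_byte(out, outlen, &pos, '\\');
        put_byte(out, outlen, &pos, (char)c);
    }

    if (outlen > 0)
        out[pos < outlen ? pos : outlen - 1] = '\0';
    return pos;
}

int main(void)
{
    /* Constructed sample query name: a comma followed by a two-byte UTF-8 character. */
    const char name[] = "host,1\xc3\x9f";
    size_t need = ldap_dn_escape(name, sizeof name - 1, NULL, 0);
    char buf[64];

    if (need + 1 > sizeof buf) {
        fprintf(stderr, "escaped name needs %zu bytes, refusing\n", need + 1);
        return 1;
    }
    ldap_dn_escape(name, sizeof name - 1, buf, sizeof buf);

    /* Hypothetical DN layout, only to show where the escaped value is used. */
    printf("idnsName=%s,idnsName=example.test,cn=dns,dc=example,dc=test\n", buf);
    return 0;
}
```

The two-pass pattern (measure, then write) is the point of the example: when the output size is derived from the input by the same routine that produces it, there is no size invariant left for an assertion to violate on unexpected bytes, and the caller can decline an oversized name gracefully instead of terminating the daemon.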
Enhancements
- BZ#733371: The bind-dyndb-ldap plug-in now supports two new attributes, idnsAllowQuery and idnsAllowTransfer, which can be used to set ACLs for queries or transfers. Refer to /usr/share/doc/bind-dyndb-ldap/README for information on the attributes.
- BZ#754433: The plug-in now supports the new zone attributes idnsForwarders and idnsForwardPolicy, which can be used to configure forwarding. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
- BZ#766233: The plug-in now supports zone transfers.
- BZ#767494: The plug-in has a new option called sync_ptr that can be used to keep A and AAAA records and their PTR records synchronized. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
- BZ#795406: It was not possible to store configuration for the plug-in in LDAP; configuration was only taken from the named.conf file. With this update, configuration information can be obtained from idnsConfigObject in LDAP. Note that options set in named.conf have lower priority than options set in LDAP. The priority will change in future updates. Refer to the README file for more details.
Users of the bind-dyndb-ldap package should upgrade to this updated package, which fixes these bugs and adds these enhancements.