4.9. bind

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2011-4313
A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion.
Users of bind are advised to upgrade to these updated packages, which resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 5.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named), a resolver library (routines for applications to use when interfacing with DNS), and tools for verifying that the DNS server is operating correctly.

Bug Fixes

BZ#663112
Previously, the "named" name service daemon failed to set the max open files limit to "unlimited" by default. Consequently, the error message "max open files (1024) is smaller than max sockets (4096)" was logged. With this update, named sets the max open files limit to "unlimited" as documented, and the error message is no longer logged.
BZ#676242
Prior to this update, the code in libdns which sends DNS requests was not robust enough and suffered from a race condition. If a race condition occurred, the "named" name service daemon logged an error message in the format, "zone xxx.xxx.xxx.in-addr.arpa/IN: refresh: failure trying master xxx.xxx.xxx.xxx#53 (source xxx.xxx.xxx.xxx#0): operation canceled", even when zone refresh was successful. This update improves the code to prevent a race condition in libdns and the error no longer occurs in the scenario described.
BZ#692758
A non-writable working directory is a long-standing feature on all Red Hat systems. Previously, named wrote "the working directory is not writable" as an error to the system log. This update changes the code so that named now writes this information only into the debug log.
BZ#703451
When the "search" option was present in the "/etc/resolv.conf" file but no arguments were entered for the option, the contents of the following line in the file were interpreted as the missing argument. Consequently, if the following line contained the only "nameserver" option in the file, the system would have no nameservers specified and would therefore fail to resolve any hostnames. With this update, the code has been improved so that the resolv.conf file is parsed correctly, and the problem no longer occurs in the scenario described.
BZ#712791
The "/usr/sbin/bind-chroot-admin" script created symlinks with a double-slash (//) in the paths. This caused logrotate to fail to rotate "/var/log/named.log" correctly. With this update, the bind-chroot-admin utility is fixed and no longer creates symlinks with a double-slash. As a result, "/var/log/named.log" is rotated as expected.
BZ#726120
When /etc/resolv.conf contained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, nslookup has been patched and now works as expected in the scenario described.
BZ#733698
During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. With this update, a patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
BZ#758873
The named daemon, configured as master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:
transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
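The parsing failure described in BZ#703451, as an added example that is not Red Hat's or BIND's code: `parse_flawed` is a constructed model of the described behaviour, `parse_line_bounded` keeps each option's arguments on its own line, and `audit` reports argument-less "search" lines. All function names and the sample file contents are assumptions made for illustration.

```python
# Added example for BZ#703451. Both parsers are illustrative models;
# neither is the resolver library's actual code.

# Constructed sample: "search" is present but has no arguments.
SAMPLE = """\
# constructed resolv.conf
search
nameserver 192.0.2.53
"""

def _content(line):
    """Return the stripped line, or '' for blank lines and # / ; comments."""
    line = line.strip()
    return "" if line[:1] in ("#", ";") else line

def parse_flawed(text):
    """Model of the bug: an empty 'search' takes the next line as its argument."""
    lines = [l for l in map(_content, text.splitlines()) if l]
    conf = {"search": [], "nameserver": []}
    i = 0
    while i < len(lines):
        key, *args = lines[i].split()
        if key == "search" and not args and i + 1 < len(lines):
            i += 1                        # swallows the following line
            args = lines[i].split()
        if key == "search":
            conf["search"] = args
        elif key == "nameserver" and args:
            conf["nameserver"].append(args[0])
        i += 1
    return conf

def parse_line_bounded(text):
    """Arguments never cross a newline; an empty 'search' stays empty."""
    conf = {"search": [], "nameserver": []}
    for line in filter(None, map(_content, text.splitlines())):
        key, *args = line.split()
        if key == "search":
            conf["search"] = args
        elif key == "nameserver" and args:
            conf["nameserver"].append(args[0])
    return conf

def audit(text):
    """Line numbers (1-based) of 'search' options that have no arguments."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if _content(line).split() == ["search"]]
```

Running `audit` over the contents of "/etc/resolv.conf" on hosts that have not yet received the update identifies files that would trigger the failure.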

Enhancement

BZ#703442
The manpage of the "dig" utility did not document dig's exit status codes. With this update, the "dig" manual page now describes "/usr/bin/dig" exit codes.
Users are advised to upgrade to these updated bind packages, which fix these bugs and add this enhancement.