308205 |
02-Nov-2016 |
delphij |
Fix BIND remote Denial of Service vulnerability. [SA-16:34]
Fix OpenSSL remote DoS vulnerability. [SA-16:35]
Security: FreeBSD-SA-16:34.bind Security: FreeBSD-SA-16:35.openssl Approved by: so |
306942 |
10-Oct-2016 |
delphij |
Fix BIND remote Denial of Service vulnerability. [SA-16:28]
Fix bspatch heap overflow vulnerability. [SA-16:29]
Fix multiple portsnap vulnerabilities. [SA-16:30]
Approved by: so |
296611 |
10-Mar-2016 |
delphij |
Fix multiple vulnerabilities of BIND. [SA-16:13]
Fix a regression with OpenSSL patch. [SA-16:12]
Approved by: so |
294905 |
27-Jan-2016 |
delphij |
Fix BIND remote denial of service vulnerability. [SA-16:08]
Fix multiple vulnerabilities of ntp. [SA-16:09]
Fix Linux compatibility layer issetugid(2) system call vulnerability. [SA-16:10]
Security: FreeBSD-SA-16:08.bind Security: FreeBSD-SA-16:09.ntp Security: FreeBSD-SA-16:10.linux Approved by: so |
292321 |
16-Dec-2015 |
delphij |
Fix BIND remote denial of service vulnerability. [SA-15:27]
Security: FreeBSD-SA-15:27.bind Security: CVE-2015-8000 Approved by: so |
287410 |
02-Sep-2015 |
delphij |
Fix remote denial of service vulnerability when parsing malformed key.
Security: CVE-2015-5722 Security: FreeBSD-SA-15:23.bind Approved by: so |
285980 |
28-Jul-2015 |
delphij |
Fix resource exhaustion in TCP reassembly. [SA-15:15]
Fix OpenSSH multiple vulnerabilities. [SA-15:16]
Fix BIND remote denial of service vulnerability. [SA-15:17]
Approved by: so |
285258 |
07-Jul-2015 |
delphij |
Fix BIND resolver remote denial of service when validating.
Security: CVE-2015-4620 Security: FreeBSD-SA-15:11.bind Approved by: so |
279265 |
25-Feb-2015 |
delphij |
Fix integer overflow in IGMP protocol. [SA-15:04]
Fix BIND remote denial of service vulnerability. [SA-15:05]
Fix vt(4) crash with improper ioctl parameters. [EN-15:01]
Updated base system OpenSSL to 0.9.8zd. [EN-15:02]
Fix freebsd-update libraries update ordering issue. [EN-15:03]
Approved by: so |
275672 |
10-Dec-2014 |
delphij |
Fix multiple vulnerabilities in file(1) and libmagic(3).
Security: FreeBSD-SA-14:28.file Security: CVE-2014-3710, CVE-2014-8116, CVE-2014-8117
Fix BIND remote denial of service vulnerability.
Security: FreeBSD-SA-14:29.bind Security: CVE-2014-8500
Approved by: so |
267655 |
20-Jun-2014 |
gjb |
Remove svn:mergeinfo carried over from stable/9.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
267654 |
20-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
262706 |
03-Mar-2014 |
erwin |
MFV 262445: Update BIND to 9.9.5
Release note: https://lists.isc.org/pipermail/bind-announce/2013-September/000871.html https://lists.isc.org/pipermail/bind-announce/2014-January/000896.html
Note this is a commit straight to stable as BIND no longer exists in head.
Sponsored by: DK Hostmaster A/S
|
260646 |
14-Jan-2014 |
delphij |
Fix BIND remote denial of service vulnerability.
Security: FreeBSD-SA-14:04.bind Security: CVE-2014-0591
|
254897 |
26-Aug-2013 |
erwin |
MFC r254651:
Update Bind to 9.9.3-P2
Notable new features:
* Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989]
* The new "inline-signing" option, in combination with the "auto-dnssec" option that was introduced in BIND 9.7, allows named to sign zones completely transparently.
Approved by: delphij (mentor) Sponsored by: DK Hostmaster A/S
|
254402 |
16-Aug-2013 |
erwin |
MFC 253983, 253984:
Update Bind to 9.8.5-P2
New Features
Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355]
Adds support for Uniform Resource Identifier (URI) resource records. [RT #23386]
Adds support for the EUI48 and EUI64 RR types. [RT #33082]
Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]
Feature Changes
Changes timing of when slave zones send NOTIFY messages after loading a new copy of the zone. They now send the NOTIFY before writing the zone data to disk. This will result in quicker propagation of updates in multi-level server structures. [RT #27242]
"named -V" can now report a source ID string. (This will be of most interest to developers and troubleshooters). The source ID for ISC's production versions of BIND is defined in the "srcid" file in the build tree and is normally set to the most recent git hash. [RT #31494]
Response Policy Zone performance enhancements. New "response-policy" option "min-ns-dots". "nsip" and "nsdname" now enabled by default with RPZ. [RT #32251]
Approved by: delphij (mentor) Sponsored by: DK Hostmaster A/S
|
253695 |
26-Jul-2013 |
delphij |
Fix Denial of Service vulnerability in named(8). [13:07]
Security: CVE-2013-4854 Security: FreeBSD-SA-13:07.bind Approved by: re (rodrigc)
|
248808 |
28-Mar-2013 |
delphij |
MFC r248788 (erwin):
Update BIND to 9.8.4-P2
Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688]
|
245163 |
08-Jan-2013 |
erwin |
MFC r243981,243987:
Update to 9.8.4-P1.
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
Feature Changes
* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]
Other critical bug fixes are included.
Approved by: delphij (mentor) Sponsored by: DK Hostmaster A/S
|
241415 |
10-Oct-2012 |
delphij |
MFC r241414:
Upgrade to 9.8.3-P4:
Prevents a lockup when queried a deliberately constructed combination of records. [CVE-2012-5166]
For more information: https://kb.isc.org/article/AA-00801
|
240807 |
22-Sep-2012 |
delphij |
MFC 240729 (dougb):
Upgrade to 9.8.3-P3:
Prevents a crash when queried for a record whose RDATA exceeds 65535 bytes.
Prevents a crash when validating caused by using "Bad cache" data before it has been initialized.
ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries.
A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process.
For more information: https://kb.isc.org/article/AA-00788
|
238756 |
24-Jul-2012 |
dougb |
MFV r238744:
Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9
High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized.
CVE: CVE-2012-3817 Posting date: 24 July, 2012
Approved by: re (kib)
|
236587 |
04-Jun-2012 |
dougb |
Upgrade to 9.8.3-P1, the latest from ISC. This version contains a critical bugfix:
Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them.
Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered.
All BIND users are strongly encouraged to upgrade.
|
236374 |
01-Jun-2012 |
dougb |
MFV r236171, MFC r236196:
Upgrade to BIND version 9.8.3, the latest from ISC.
Feature Change
* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities)
Bug Fix
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment.
Other critical bug fixes are included.
All BIND users are encouraged to upgrade.
|
234468 |
19-Apr-2012 |
dougb |
MFV r234164/MFC r234165:
The BIND 9.8.2 tarball was re-rolled to remove 9.8.1 release notes. This change was noticed by ISC at:
https://lists.isc.org/pipermail/bind-users/2012-April/087345.html
and verified by me both by comparing the contents of the old and new distfiles and by verifying the PGP signature on the new distfile.
|
234010 |
08-Apr-2012 |
dougb |
MFC r233909:
Add Bv9ARM.pdf to the list of docs to install.
MFV/MFC r233914:
Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
|
228189 |
01-Dec-2011 |
dougb |
Upgrade to BIND 9.8.1-P1 to address the following DDOS bug:
Recursive name servers are failing with an assertion: INSIST(! dns_rdataset_isassociated(sigrdataset))
At this time it is not thought that authoritative-only servers are affected, but information about this bug is evolving rapidly.
Because it may be possible to trigger this bug even on networks that do not allow untrusted users to access the recursive name servers (perhaps via specially crafted e-mail messages, and/or malicious web sites) it is recommended that ALL operators of recursive name servers upgrade immediately.
For more information see: https://www.isc.org/software/bind/advisories/cve-2011-4313 which will be updated as more information becomes available.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
Approved by: re (kib)
|
227305 |
07-Nov-2011 |
marius |
MFC: r227006, r227281, r227282
Add a PCI front-end to esp(4) allowing it to support AMD Am53C974 and replace amd(4) with the former in the amd64, i386 and pc98 GENERIC kernel configuration files. Besides duplicating functionality, amd(4), which previously also supported the AMD Am53C974, unlike esp(4) is no longer maintained and has accumulated enough bit rot over time to always cause a panic during boot as long as at least one target is attached to it (see PR 124667).
PR: 124667 Approved by: re (kib) Obtained from: NetBSD (based on)
|
225736 |
23-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
225361 |
03-Sep-2011 |
dougb |
Upgrade to BIND version 9.8.1. Release notes at:
https://deepthought.isc.org/article/AA-00446/81/ or /usr/src/contrib/bind9/
Approved by: re (kib)
|
224092 |
16-Jul-2011 |
dougb |
Upgrade to version 9.8.0-P4
This version has many new features, see /usr/share/doc/bind9/README for details.
|
223812 |
06-Jul-2011 |
dougb |
Update to version 9.6-ESV-R4-P3
ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY
This update addresses the following vulnerability:
CVE-2011-2464
=============
Severity: High
Exploitable: Remotely
Description:
A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464
|
223811 |
06-Jul-2011 |
dougb |
Apply bug fixes
Submitted by: marius
|
223758 |
04-Jul-2011 |
attilio |
With retirement of cpumask_t and usage of cpuset_t for representing a mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.
Remove them and replace their usage with custom pc_cpuid magic (as, atm, pc_cpumask can be easily represented by (1 << pc_cpuid) and pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).
This change is not targeted for MFC because of struct pcpu members removal and dependency by cpumask_t retirement.
MD review by: marcel, marius, alc Tested by: pluknet MD testing by: marcel, marius, gonzo, andreast
|
222813 |
07-Jun-2011 |
attilio |
Retire the cpumask_t type and replace it with cpuset_t usage.
This is intended to fix the bug where cpu mask objects are capped to 32. MAXCPU, then, can now be arbitrarily bumped to whatever value. Anyway, as long as several structures in the kernel are statically allocated and sized as MAXCPU, it is suggested to keep it as low as possible for the time being.
Technical notes on this commit itself:
- More functions to handle with cpuset_t objects are introduced. The most notable are cpusetobj_ffs() (which calculates a ffs(3) for a cpuset_t object), cpusetobj_strprint() (which prepares a string representing a cpuset_t object) and cpusetobj_strscan() (which creates a valid cpuset_t starting from a string representation).
- pc_cpumask and pc_other_cpus are target to be removed soon. With the moving from cpumask_t to cpuset_t they are now inefficient and not really useful. Anyway, for the time being, please note that access to pcpu datas is protected by sched_pin() in order to avoid migrating the CPU while reading more than one (possible) word
- Please note that size of cpuset_t objects may differ between kernel and userland. While this is not directly related to the patch itself, it is good to understand that concept and possibly use the patch as a reference on how to deal with cpuset_t objects in userland, when accessing kernland members.
- KTR_CPUMASK is changed and now is represented through a string, to be set as the example reported in NOTES.
Please additively note that no MAXCPU is bumped in this patch, but private testing has been done until to MAXCPU=128 on a real 8x8x2(htt) machine (amd64).
Please note that the FreeBSD version is not yet bumped because of the upcoming pcpu changes. However, note that this patch is not targeted for MFC.
People to thank for the time spent on this patch:
- sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested several revision of the patches and really helped in improving stability of this work.
- marius fixed several bugs in the sparc64 implementation and reviewed patches related to ktr.
- jeff and jhb discussed the basic approach followed.
- kib and marcel made targeted review on some specific part of the patch.
- marius, art, nwhitehorn and andreast reviewed MD specific part of the patch.
- marius, andreast, gonzo, nwhitehorn and jceel tested MD specific implementations of the patch.
- Other people have made contributions on other patches that have been already committed and have been listed separately.
Companies that should be mentioned for having participated at several degrees:
- Yahoo! for having offered the machines used for testing on big count of CPUs.
- The FreeBSD Foundation for having sponsored my devsummit attendance, which has been instrumental.
- Sandvine for having offered offices and infrastructure during development.
(I really hope I didn't forget anyone, if it happened I apologize in advance).
|
222395 |
28-May-2011 |
dougb |
Upgrade to 9.6-ESV-R4-P1, which addresses the following issues:
1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.
This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users.
2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone.
Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used.
|
218384 |
06-Feb-2011 |
dougb |
Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.
All 9.6 users with DNSSEC validation enabled should upgrade to this version, or the latest version in the 9.7 branch, prior to 2011-03-31 in order to avoid validation failures for names in .COM as described here:
https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
In addition to the fixes for this and other bugs, there are also the following:
* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could prevent a clean shutdown of named
|
216175 |
04-Dec-2010 |
dougb |
Update to version 9.6-ESV-R3, the latest from ISC, which addresses the following security vulnerabilities.
For more information regarding these issues please see: http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who are validating with DNSSEC, and querying zones which are in a key rollover period. The bug will cause answers to incorrectly be marked as insecure.
|
214586 |
31-Oct-2010 |
dougb |
Update to 9.6-ESV-R2, the latest from ISC.
This version contains bug fixes that are relevant to any caching/resolving name server; as well as DNSSEC-related fixes.
|
208337 |
20-May-2010 |
dougb |
Upgrade to 9.6.2-P2, which addresses the following;
Named could return SERVFAIL for negative responses from unsigned zones.
|
207736 |
07-May-2010 |
mckusick |
Merger of the quota64 project into head.
This joint work of Dag-Erling Smørgrav and myself updates the FFS quota system to support both traditional 32-bit and new 64-bit quotas (for those of you who want to put 2+Tb quotas on your users).
By default quotas are not compiled into the kernel. To include them in your kernel configuration you need to specify:
options QUOTA # Enable FFS quotas
If you are already running with the current 32-bit quotas, they should continue to work just as they have in the past. If you wish to convert to using 64-bit quotas, use `quotacheck -c 64'; if you wish to revert from 64-bit quotas back to 32-bit quotas, use `quotacheck -c 32'.
There is a new library of functions to simplify the use of the quota system, do `man quotafile' for details. If your application is currently using the quotactl(2), it is highly recommended that you convert your application to use the quotafile interface. Note that existing binaries will continue to work.
Special thanks to John Kozubik of rsync.net for getting me interested in pursuing 64-bit quota support and for funding part of my development time on this project.
|
205292 |
18-Mar-2010 |
dougb |
Update to 9.6.2-P1, the latest patchfix release which deals with the problems related to the handling of broken DNSSEC trust chains.
This fix is only relevant for those who have DNSSEC validation enabled and configure trust anchors from third parties, either manually, or through a system like DLV.
|
204619 |
03-Mar-2010 |
dougb |
Upgrade to version 9.6.2. This version includes all previously released security patches to the 9.6.1 version, as well as many other bug fixes.
This version also incorporates a different fix for the problem we had patched in contrib/bind9/bin/dig/dighost.c, so that file is now back to being the same as the vendor version.
Due to the fact that the DNSSEC algorithm that will be used to sign the root zone is only included in this version and in 9.7.x those who wish to do validation MUST upgrade to one of these prior to July 2010.
|
202961 |
25-Jan-2010 |
dougb |
Upgrade to BIND 9.6.1-P3.
This version addresses the following vulnerabilities:
BIND 9 Cache Update from Additional Section
https://www.isc.org/advisories/CVE-2009-4022v6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query
BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses
https://www.isc.org/advisories/CVE-2010-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly
These issues only affect systems with DNSSEC validation enabled.
|
200202 |
07-Dec-2009 |
marcel |
Fix Read-After-Write (RAW) dependency violation for ar.ccv in isc_atomic_xadd() and isc_atomic_cmpxchg().
Approved by: dougb@ MFC after: 1 week
|
199958 |
30-Nov-2009 |
dougb |
Update to BIND 9.6.1-P2. The vulnerability this is designed to fix is related to DNSSEC validation on a resolving name server that allows access to untrusted users. If your system does not fall into all 3 of these categories you do not need to update immediately.
|
199019 |
07-Nov-2009 |
dougb |
Wrap some socket handling code in a !NULL bow
This patch or something similar will likely be included in a future BIND release.
PR: bin/138061 Submitted by: Michael Baker <michael.baker@diversit.com.au> Original patch submitted by: Volker <volker@vwsoft.com> Patch reviewed and tweaked by: ISC
|
195936 |
29-Jul-2009 |
dougb |
Update to version 9.6.1-P1 which addresses a remote DoS vulnerability:
Receipt of a specially-crafted dynamic update message may cause BIND 9 servers to exit. This vulnerability affects all servers -- it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.
More details can be found here: https://www.isc.org/node/474
All BIND users are encouraged to update to a patched version ASAP.
Approved by: re (re -> SO -> dougb)
|
195000 |
25-Jun-2009 |
dougb |
This is the solution that ISC committed after 9.6.1-release for the gcc warning issue. It should be included in the next upstream release.
|
194995 |
25-Jun-2009 |
dougb |
Update to the final release version of BIND 9.6.1. It has the following changes from the 9.6.1rc1 version. The first 2 only affect DNSSEC.
named could incorrectly delete NSEC3 records for empty nodes when processing an update request.
Accept DS responses from delegation only zones.
"delegation-only" was not being accepted in delegation-only type zones.
|
193202 |
01-Jun-2009 |
dougb |
Local hack to get the build going again while ISC works on a more permanent solution for 9.6.1-release.
"My suggestion is to remove the whole attribute construct. It only suppresses a warning when a function is unused. In this case the function is defined as inline, so it's not causing a warning when not used."
Submitted by: marcel
|
193150 |
31-May-2009 |
dougb |
Update BIND to version 9.6.1rc1. This version has better performance and lots of new features compared to 9.4.x, including:
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.
|
193149 |
31-May-2009 |
dougb |
Update BIND to version 9.6.1rc1. This version has better performance and lots of new features compared to 9.4.x, including:
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.
|
191517 |
26-Apr-2009 |
ed |
Remove empty directories from the HEAD.
Discussed with: developers, imp
|
190227 |
21-Mar-2009 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.3-P2 import
|
186942 |
09-Jan-2009 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.3-P1 import
|
186462 |
23-Dec-2008 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.3 import
|
182645 |
01-Sep-2008 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.2-P2 import
|
180477 |
12-Jul-2008 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.2-P1 import, including the patch from ISC for lib/bind9/check.c and deletion of unused files in lib/bind.
This version will by default randomize the UDP query source port (and sequence number of course) for every query.
In order to take advantage of this randomization users MUST have an appropriate firewall configuration to allow UDP queries to be sent and answers to be received on random ports; and users MUST NOT specify a port number using the query-source[-v6] options.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate certain port numbers from being chosen by named for this purpose. See the ARM Chapter 6 for more information.
Also please note, this issue applies only to UDP query ports. A random ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to resolve random queries (sometimes referred to as "caching" servers, or more properly as "resolving" servers), although even an "authoritative" name server will make some queries, primarily at startup time.
All users of BIND are strongly encouraged to upgrade to the latest version, and to utilize the source port randomization feature.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
|
180475 |
12-Jul-2008 |
dougb |
The vendor area is the proper home for these files now.
|
180457 |
12-Jul-2008 |
peter |
Record baseline merge state.
svn merge --record-only svn+ssh://svn.freebsd.org/base/vendor/bind9/dist .
|
179494 |
02-Jun-2008 |
dougb |
Add proper mime-types for files that they are relevant for. This is useful for things like *.pdf files that svn needs to know about, and will probably be useful down the road for other things.
|
174207 |
03-Dec-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r174206, which included commits to RCS files with non-trunk default branches.
|
174191 |
02-Dec-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r174190, which included commits to RCS files with non-trunk default branches.
|
174188 |
02-Dec-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r174187, which included commits to RCS files with non-trunk default branches.
|
171578 |
25-Jul-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r171577, which included commits to RCS files with non-trunk default branches.
|
170350 |
05-Jun-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r170349, which included commits to RCS files with non-trunk default branches.
|
170227 |
02-Jun-2007 |
dougb |
Update the upgrade notes for BIND 9.4.1
|
170226 |
02-Jun-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r170225, which included commits to RCS files with non-trunk default branches.
|
170223 |
02-Jun-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r170222, which included commits to RCS files with non-trunk default branches.
|
166333 |
29-Jan-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r166332, which included commits to RCS files with non-trunk default branches.
|
165079 |
10-Dec-2006 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r165078, which included commits to RCS files with non-trunk default branches.
|
165072 |
10-Dec-2006 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r165071, which included commits to RCS files with non-trunk default branches.
|
163977 |
04-Nov-2006 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r163976, which included commits to RCS files with non-trunk default branches.
|
162080 |
06-Sep-2006 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r162079, which included commits to RCS files with non-trunk default branches.
|
156813 |
17-Mar-2006 |
ru |
Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html
The src.conf(5) manpage is to follow in a few days.
Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
|
154335 |
14-Jan-2006 |
dougb |
Add a reminder to remove obsolete files from the vendor branch.
|
154033 |
04-Jan-2006 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r154032, which included commits to RCS files with non-trunk default branches.
|
153823 |
29-Dec-2005 |
dougb |
Minor updates relative to the 9.2.3 import
|
153820 |
29-Dec-2005 |
dougb |
Remove files no longer in the BIND 9 distribution
|
153817 |
29-Dec-2005 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r153816, which included commits to RCS files with non-trunk default branches.
|
149246 |
18-Aug-2005 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r149245, which included commits to RCS files with non-trunk default branches.
|
148397 |
25-Jul-2005 |
des |
Update (correct autotools usage, copy generated headers, --disable-threads)
|
143739 |
17-Mar-2005 |
dougb |
Expand and refine a few sections for future reference
|
143738 |
17-Mar-2005 |
dougb |
Delete all aix ports
|
143735 |
17-Mar-2005 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r143734, which included commits to RCS files with non-trunk default branches.
|
143732 |
17-Mar-2005 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r143731, which included commits to RCS files with non-trunk default branches.
|
139115 |
21-Dec-2004 |
ru |
NOINET6 -> NO_INET6
|
135835 |
27-Sep-2004 |
des |
Document the upgrade procedure.
|
135602 |
23-Sep-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r135601, which included commits to RCS files with non-trunk default branches.
|
135549 |
21-Sep-2004 |
des |
Switch from BIND 8 to BIND 9.
Submitted by: (in part) dougb@, trhodes@ Reviewed by: dougb@, trhodes@, re@ MFC after: 5 days
|
135527 |
20-Sep-2004 |
des |
Add lib/tests.
|
135475 |
19-Sep-2004 |
trhodes |
Add a config.h file.
|
135474 |
19-Sep-2004 |
trhodes |
Add a FREEBSD-Xlist file.
|
135472 |
19-Sep-2004 |
trhodes |
This commit was generated by cvs2svn to compensate for changes in r135471, which included commits to RCS files with non-trunk default branches.
|
135447 |
19-Sep-2004 |
trhodes |
This commit was generated by cvs2svn to compensate for changes in r135446, which included commits to RCS files with non-trunk default branches.
|