<revisionlist>
<revision rev="1" vrev="42">
<srcmd5>ff8e3666e9561f7c6c2dfbaf58a9c599</srcmd5>
<version>9.3.2</version>
<time>1166483714</time>
<user>unknown</user>
</revision>
<revision rev="2" vrev="54">
<srcmd5>497db2e04166fd64f35d22c07487d5c0</srcmd5>
<version>9.3.2</version>
<time>1167872002</time>
<user>unknown</user>
</revision>
<revision rev="3" vrev="1">
<srcmd5>fc96e39fcd6b5c9eaf5310d793dde008</srcmd5>
<version>9.3.3</version>
<time>1169216621</time>
<user>unknown</user>
</revision>
<revision rev="4" vrev="1">
<srcmd5>ebafbe713583d21afa54b3aae3752cd4</srcmd5>
<version>9.3.4</version>
<time>1169770199</time>
<user>unknown</user>
</revision>
<revision rev="5" vrev="1">
<srcmd5>9fff1bea8010ba6ae138d25883bda63d</srcmd5>
<version>9.4.0</version>
<time>1172823396</time>
<user>unknown</user>
</revision>
<revision rev="6" vrev="2">
<srcmd5>5edc53434e73661ac1724ae96802982b</srcmd5>
<version>9.4.0</version>
<time>1173168095</time>
<user>unknown</user>
</revision>
<revision rev="7" vrev="6">
<srcmd5>7183f66a961046095f04d599a4e35036</srcmd5>
<version>9.4.0</version>
<time>1175173599</time>
<user>unknown</user>
</revision>
<revision rev="8" vrev="7">
<srcmd5>fe769d0616dcdea8e449b1144216379b</srcmd5>
<version>9.4.0</version>
<time>1175264817</time>
<user>unknown</user>
</revision>
<revision rev="9" vrev="1">
<srcmd5>7be50652909eed1337d8e4c8997fcb5d</srcmd5>
<version>9.4.1</version>
<time>1178464287</time>
<user>unknown</user>
</revision>
<revision rev="10" vrev="3">
<srcmd5>c3a7584294792fbed74a2c6fe4fc228e</srcmd5>
<version>9.4.1</version>
<time>1179393748</time>
<user>unknown</user>
</revision>
<revision rev="11" vrev="5">
<srcmd5>3756c1676746e00267d0d0c9dbc0ecaa</srcmd5>
<version>9.4.1</version>
<time>1180217423</time>
<user>unknown</user>
</revision>
<revision rev="12" vrev="1">
<srcmd5>13753e356e9977be9625ae25bb5171e9</srcmd5>
<version>9.4.1.P1</version>
<time>1186675276</time>
<user>unknown</user>
</revision>
<revision rev="13" vrev="1">
<srcmd5>77fa2703d852941baec4d0582beb6eeb</srcmd5>
<version>9.4.2</version>
<time>1196957428</time>
<user>unknown</user>
</revision>
<revision rev="14" vrev="17">
<srcmd5>01873fe352e2262526752c68c09d271e</srcmd5>
<version>9.4.2</version>
<time>1204159757</time>
<user>unknown</user>
</revision>
<revision rev="15" vrev="27">
<srcmd5>a2d62a5dae4a19f6398c3be6a61ebc91</srcmd5>
<version>9.4.2</version>
<time>1207825719</time>
<user>unknown</user>
</revision>
<revision rev="16" vrev="33">
<srcmd5>77bc23a559c79cf41d91d14aa7b0d096</srcmd5>
<version>9.4.2</version>
<time>1210092751</time>
<user>unknown</user>
</revision>
<revision rev="17" vrev="45">
<srcmd5>68fed1c9af64e0cea74435628f67e9c2</srcmd5>
<version>9.4.2</version>
<time>1216155920</time>
<user>unknown</user>
</revision>
<revision rev="18" vrev="1">
<srcmd5>6a34ad941827e59fb28fc151b7ad5f84</srcmd5>
<version>9.5.0P1</version>
<time>1216675545</time>
<user>unknown</user>
</revision>
<revision rev="19" vrev="4">
<srcmd5>ca86c89ed4b7a6748817d8337ba4dea5</srcmd5>
<version>9.5.0P1</version>
<time>1217152460</time>
<user>unknown</user>
</revision>
<revision rev="20" vrev="1">
<srcmd5>549e9a73b81deb808646267d3e39bf5b</srcmd5>
<version>9.5.0P2</version>
<time>1218662472</time>
<user>unknown</user>
</revision>
<revision rev="21" vrev="4">
<srcmd5>4380d305448f7d747c68a20cf10e5422</srcmd5>
<version>9.5.0P2</version>
<time>1219708005</time>
<user>unknown</user>
</revision>
<revision rev="22" vrev="7">
<srcmd5>1e876e6d04d0cf21ff49f4dd16e61ef9</srcmd5>
<version>9.5.0P2</version>
<time>1220637569</time>
<user>unknown</user>
</revision>
<revision rev="23" vrev="14">
<srcmd5>c1f882f0addad57a2955208b8a10a21d</srcmd5>
<version>9.5.0P2</version>
<time>1223303011</time>
<user>unknown</user>
</revision>
<revision rev="24" vrev="15">
<srcmd5>b9216add8f01a46cb351ce57bba9f26c</srcmd5>
<version>9.5.0P2</version>
<time>1225636465</time>
<user>unknown</user>
</revision>
<revision rev="25" vrev="16">
<srcmd5>86362d92f3bac630b1504a8a9d0bd656</srcmd5>
<version>9.5.0P2</version>
<time>1226936507</time>
<user>unknown</user>
</revision>
<revision rev="26" vrev="17">
<srcmd5>8ad402632eaac85fec042a166df63d99</srcmd5>
<version>9.5.0P2</version>
<time>1227879999</time>
<user>unknown</user>
</revision>
<revision rev="27" vrev="18">
<srcmd5>b2601f6bcca342ec55ba914dfb604089</srcmd5>
<version>9.5.0P2</version>
<time>1229339967</time>
<user>unknown</user>
</revision>
<revision rev="28" vrev="1">
<srcmd5>7ab2f68fa1ba635a66e84e2425a37e87</srcmd5>
<version>9.6.0P1</version>
<time>1233949210</time>
<user>unknown</user>
</revision>
<revision rev="29" vrev="2">
<srcmd5>faacaa323778ac5e458a3bc7dc74a7d9</srcmd5>
<version>9.6.0P1</version>
<time>1235162344</time>
<user>unknown</user>
</revision>
<revision rev="30" vrev="3">
<srcmd5>4bdb2298d5f678d9a7d2b2c173a6ae7a</srcmd5>
<version>9.6.0P1</version>
<time>1236554277</time>
<user>unknown</user>
</revision>
<revision rev="31" vrev="4">
<srcmd5>282654768d460cd130911e6e614ae69d</srcmd5>
<version>9.6.0P1</version>
<time>1240512460</time>
<user>unknown</user>
</revision>
<revision rev="32" vrev="1">
<srcmd5>1ce5422c19ee0ef863e02b74bc1e1680</srcmd5>
<version>9.6.1</version>
<time>1245447436</time>
<user>unknown</user>
</revision>
<revision rev="33" vrev="2">
<srcmd5>d1cac6c85ffd3ade6603fd995992d2c4</srcmd5>
<version>9.6.1</version>
<time>1246633148</time>
<user>unknown</user>
</revision>
<revision rev="34" vrev="1">
<srcmd5>3fd8afcdfd82a64ad13c19066edb370b</srcmd5>
<version>9.6.1P1</version>
<time>1250176821</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 17349 from user ug
</comment>
</revision>
<revision rev="35" vrev="2">
<srcmd5>da69f17f5ea5a5ffffb19c5e647000ce</srcmd5>
<version>9.6.1P1</version>
<time>1254518964</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 21418 from user ug
</comment>
</revision>
<revision rev="36" vrev="4">
<srcmd5>da69f17f5ea5a5ffffb19c5e647000ce</srcmd5>
<version>9.6.1P1</version>
<time>1254518964</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 21418 from user ug
</comment>
</revision>
<revision rev="37" vrev="5">
<srcmd5>dc24ed1427334b27ac2b2c99f09ff675</srcmd5>
<version>9.6.1P1</version>
<time>1258363910</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 24471 from user msmeissn
</comment>
</revision>
<revision rev="38" vrev="6">
<srcmd5>320d906e4f3bea625b7f76333d628156</srcmd5>
<version>9.6.1P1</version>
<time>1258540182</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 24628 from user ug
</comment>
</revision>
<revision rev="39" vrev="7">
<srcmd5>cbd36273476dc7f29241d3f1c9262d47</srcmd5>
<version>9.6.1P1</version>
<time>1258971068</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 24759 from user ug
</comment>
</revision>
<revision rev="40" vrev="1">
<srcmd5>af8cc711948ebd262be4299dba59cc8a</srcmd5>
<version>9.6.1P2</version>
<time>1259322976</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 25024 from user ug
</comment>
</revision>
<revision rev="41" vrev="2">
<srcmd5>8bf5ab8c41b1ba6d2c6ae365863dbf7b</srcmd5>
<version>9.6.1P2</version>
<time>1262865278</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 28015 from user ug
</comment>
</revision>
<revision rev="42" vrev="1">
<srcmd5>777c54adac210db36c448945648637c8</srcmd5>
<version>9.6.1P3</version>
<time>1264066950</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 30072 from user ug
</comment>
</revision>
<revision rev="43" vrev="1">
<srcmd5>723806463321ed850c7515385ef63c70</srcmd5>
<version>9.7.0</version>
<time>1266497245</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 32791 from user ug
</comment>
</revision>
<revision rev="44" vrev="2">
<srcmd5>7cf07f480d4335e4b1f4503eb4d7b5c1</srcmd5>
<version>9.7.0</version>
<time>1268923023</time>
<user>autobuild</user>
</revision>
<revision rev="45" vrev="3">
<srcmd5>a5409d40c426688b76e04e3884e0c4fa</srcmd5>
<version>9.7.0</version>
<time>1271186444</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 37088 from user ug
</comment>
<requestid>37088</requestid>
</revision>
<revision rev="46" vrev="4">
<srcmd5>e8af43bfcc2d73ae43fbf11a83343eac</srcmd5>
<version>9.7.0</version>
<time>1272914133</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 39284 from user ug
</comment>
<requestid>39284</requestid>
</revision>
<revision rev="47" vrev="1">
<srcmd5>88c5e20bf3e9f23f4be8ed9090040417</srcmd5>
<version>9.7.0P2</version>
<time>1274775673</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 40419 from user ug
</comment>
<requestid>40419</requestid>
</revision>
<revision rev="48" vrev="1">
<srcmd5>baf41c70ef4591dcd4728278e88d0558</srcmd5>
<version>9.7.1</version>
<time>1277196338</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 41829 from user ug
</comment>
<requestid>41829</requestid>
</revision>
<revision rev="49" vrev="2">
<srcmd5>baf41c70ef4591dcd4728278e88d0558</srcmd5>
<version>9.7.1</version>
<time>1278667337</time>
<user>autobuild</user>
<comment>release number sync</comment>
</revision>
<revision rev="50" vrev="3">
<srcmd5>baf41c70ef4591dcd4728278e88d0558</srcmd5>
<version>9.7.1</version>
<time>1278678565</time>
<user>autobuild</user>
<comment>release number sync</comment>
</revision>
<revision rev="51" vrev="4">
<srcmd5>dc03643b0385b1db441abfda09a4778d</srcmd5>
<version>9.7.1</version>
<time>1280498386</time>
<user>autobuild</user>
<comment>Copy from network/bind based on submit request 43979 from user ug
</comment>
<requestid>43979</requestid>
</revision>
<revision rev="52" vrev="4">
<srcmd5>91c9abba8f99432ff863ee50dd855442</srcmd5>
<version>9.7.2P2</version>
<time>1290517207</time>
<user>azouhr</user>
<comment>Accepted submit request 53765 from user ug
</comment>
<requestid>53765</requestid>
</revision>
<revision rev="53" vrev="5">
<srcmd5>a905da2f40a2003bf1260554928992df</srcmd5>
<version>9.7.2P2</version>
<time>1290517214</time>
<user>azouhr</user>
<comment>Autobuild autoformatter for 53765
</comment>
</revision>
<revision rev="54" vrev="6">
<srcmd5>636d88603eb0e0652b6b8482c52fabdd</srcmd5>
<version>9.7.2P2</version>
<time>1290520455</time>
<user>darix</user>
<comment>Accepted submit request 53778 from user ug
</comment>
<requestid>53778</requestid>
</revision>
<revision rev="55" vrev="7">
<srcmd5>4e511241b7cd7ec7c5a3166925d387fb</srcmd5>
<version>9.7.2P2</version>
<time>1290520465</time>
<user>darix</user>
<comment>Autobuild autoformatter for 53778
</comment>
</revision>
<revision rev="56" vrev="2">
<srcmd5>af30b23221ded6be5de71ac8dbf15285</srcmd5>
<version>9.7.2P3</version>
<time>1291586810</time>
<user>lrupp</user>
<comment>Accepted submit request 54349 from user ug
</comment>
<requestid>54349</requestid>
</revision>
<revision rev="57" vrev="3">
<srcmd5>4d84db17c8e8314b02fc028ae371b0c8</srcmd5>
<version>9.7.2P3</version>
<time>1291586817</time>
<user>lrupp</user>
<comment>Autobuild autoformatter for 54349
</comment>
</revision>
<revision rev="58" vrev="4">
<srcmd5>2613630ebc2a2f7de1dd8bc08266e304</srcmd5>
<version>9.7.2P3</version>
<time>1292768246</time>
<user>lrupp</user>
<comment>Accepted submit request 56204 from user msmeissn
</comment>
<requestid>56204</requestid>
</revision>
<revision rev="59" vrev="5">
<srcmd5>6480b8c916658dc915498c10d5261a51</srcmd5>
<version>9.7.2P3</version>
<time>1292768255</time>
<user>lrupp</user>
<comment>Autobuild autoformatter for 56204
</comment>
</revision>
<revision rev="60" vrev="8">
<srcmd5>6480b8c916658dc915498c10d5261a51</srcmd5>
<version>9.7.2P3</version>
<time>1297941524</time>
<user>autobuild</user>
<comment>11.4 source split</comment>
</revision>
<revision rev="61" vrev="2">
<srcmd5>ea9a69d857f395935e29973a29a2d2db</srcmd5>
<version>9.7.3</version>
<time>1298547369</time>
<user>saschpe</user>
<comment>Accepted submit request 62687 from user ug
</comment>
<requestid>62687</requestid>
</revision>
<revision rev="62" vrev="3">
<srcmd5>fc6ebd4e606db55c412eff7c4f024812</srcmd5>
<version>9.7.3</version>
<time>1298547378</time>
<user>saschpe</user>
<comment>Autobuild autoformatter for 62687
</comment>
</revision>
<revision rev="63" vrev="1">
<srcmd5>0d5394ebea7d6dc2867c652a4ff2b2e6</srcmd5>
<version>9.8.0</version>
<time>1306138064</time>
<user>saschpe</user>
<comment>add update-desktop-utils to buildrequires for desktop file (forwarded request 70688 from msmeissn)</comment>
<requestid>70812</requestid>
</revision>
<revision rev="64" vrev="2">
<srcmd5>d06dec851d94f4205c5f6cc333041cb6</srcmd5>
<version>9.8.0</version>
<time>1306398110</time>
<user>saschpe</user>
<comment>- Build with -DNO_VERSION_DATE to avoid timestamps in binaries. (forwarded request 71091 from elvigia)</comment>
<requestid>71177</requestid>
</revision>
<revision rev="65" vrev="3">
<srcmd5>fea1fbd75031e889bbc1a2cec6f8a60f</srcmd5>
<version>9.8.0</version>
<time>1306398121</time>
<user>saschpe</user>
<comment>Autobuild autoformatter for 71177
</comment>
</revision>
<revision rev="66" vrev="2">
<srcmd5>e892d9cc2e6a13ac69c77e11be1e9dd3</srcmd5>
<version>9.8.0P4</version>
<time>1312380536</time>
<user>saschpe</user>
<comment></comment>
<requestid>77846</requestid>
</revision>
<revision rev="67" vrev="3">
<srcmd5>32e9731907087fb1e74924ebcae1085b</srcmd5>
<version>9.8.0P4</version>
<time>1312380548</time>
<user>saschpe</user>
<comment>Autobuild autoformatter for 77846
</comment>
</revision>
<revision rev="68" vrev="4">
<srcmd5>332ab7e9ad7598b7964d50a173e2fb04</srcmd5>
<version>9.8.0P4</version>
<time>1314889133</time>
<user>saschpe</user>
<comment>bnc#710430 (forwarded request 80345 from rhafer)</comment>
<requestid>80484</requestid>
</revision>
<revision rev="69" vrev="5">
<srcmd5>44c0395a9718254f2076b18e61c6f0bd</srcmd5>
<version>9.8.0P4</version>
<time>1314889143</time>
<user>saschpe</user>
<comment>Autobuild autoformatter for 80484
</comment>
</revision>
<revision rev="70" vrev="1">
<srcmd5>160be3b278390ce4c38313835b858bfe</srcmd5>
<version>9.8.1</version>
<time>1315232429</time>
<user>lrupp</user>
<comment>* fixed SSL in chroot environment (bnc#715881)
* Added a new include file with function typedefs for the DLZ
"dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
* The root key is now provided in the file bind.keys allowing DNSSEC
validation to be switched on at start up by adding
"dnssec-validation auto;" to named.conf. If the root key provided
has expired, named will log the expiration and validation will not
work. More information and the most current copy of bind.keys can
be found at http://www.isc.org/bind-keys. *Please note this feature
was actually added in 9.8.0 but was not included in the 9.8.0
release notes. [RT #21727]
* If named is configured with a response policy zone (RPZ) and a
query of type RRSIG is received for a name configured for RRset
replacement in that RPZ, it will trigger an INSIST and crash the
server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user
querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
query type independant. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label can cause named to crash. Now logs that
DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE</comment>
<requestid>80897</requestid>
</revision>
<revision rev="71" vrev="2">
<srcmd5>78316600abf83335736a5cdf12c574a0</srcmd5>
<version>9.8.1</version>
<time>1316459094</time>
<user>lrupp</user>
<comment>- very first restart can create broken chroot
(bnc#718441)</comment>
<requestid>82468</requestid>
</revision>
<revision rev="72" vrev="3">
<srcmd5>4549db8a3f908f7c578270a20304af8e</srcmd5>
<version>9.8.1</version>
<time>1317740053</time>
<user>oertel</user>
<comment>add libtool as buildrequires so we no longer rely on libtool in the project config of factory - it's only needed by <10% of all packages (forwarded request 85954 from coolo)</comment>
<requestid>86242</requestid>
</revision>
<revision rev="73" vrev="5">
<srcmd5>4549db8a3f908f7c578270a20304af8e</srcmd5>
<version>9.8.1</version>
<time>1319181788</time>
<user>adrianSuSE</user>
</revision>
<revision rev="74" vrev="6">
<srcmd5>06039f5aa40d2e79f77e87887f822943</srcmd5>
<version>9.8.1</version>
<time>1319635267</time>
<user>coolo</user>
<comment>- on a 64bit system a chrooted bind failed to start if 32bit
libs were installed (bnc#716745)</comment>
<requestid>89350</requestid>
</revision>
<revision rev="75" vrev="1">
<srcmd5>010e9ccff0d931a5ba4f3e0bd97e8295</srcmd5>
<version>9.8.1P1</version>
<time>1330618726</time>
<user>coolo</user>
<comment>Automatic submission by obs-autosubmit</comment>
<requestid>106242</requestid>
</revision>
<revision rev="76" vrev="1">
<srcmd5>353e274e744585e5a2b1f22650247b09</srcmd5>
<version>9.9.0</version>
<time>1336472728</time>
<user>coolo</user>
<comment>- many dnssec fixes and features (too many to list them
here, check the changelog)
- improved startup time
- improved scalability
- Added support for Uniform Resource Identifier (URI) resource
records
- Local copies of slave zones are now saved in raw format by
default to improve startup performance
BIND 9.9 changes the default storage format for slave zone
files from text to raw. Because named's behavior when a slave
server cannot read or parse a zone file is to move the offending
file out of the way and retransfer the zone, slave servers
that are updated from a pre-9.9.0 version of BIND and which
have existing copies of slave zone data may wind up with
extraneous copies of zone data stored, as the existing
text-format zone file copies will be moved aside to filenames
of the format db-###### and journal files to the format
jn-###### (where # represents a hexadecimal digit.)
- many many bugfixes. Please read changelog for details
- fixed handling of TXT records in ldapdump
(bnc#743758)
- 9.9.0</comment>
<requestid>116455</requestid>
</revision>
<revision rev="77" vrev="2">
<srcmd5>cc2793224a76660cc83010d109b823dd</srcmd5>
<version>9.9.0</version>
<time>1336655590</time>
<user>coolo</user>
<comment>- added patch to fix an assertion failure</comment>
<requestid>120594</requestid>
</revision>
<revision rev="78" vrev="1">
<srcmd5>e45f05d27be9d159f07a8f32b4373dc8</srcmd5>
<version>9.9.1</version>
<time>1337757699</time>
<user>coolo</user>
<comment>- this version has no new features but only bugfixes
- Addresses a race condition that can cause named to to crash when
the masters list for a zone is updated via rndc reload/reconfig
- Fixes a race condition in zone.c that can cause named to crash
during the processing of rndc delzone
- Prevents a named segfault from resolver.c due to procedure
fctx_finddone() not being thread-safe
- SDB now handles unexpected errors from back-end database drivers
gracefully instead of exiting on an assert.
- Prevents named crashes as a result of dereferencing a NULL pointer
in zmgr_start_xfrin_ifquota if the zone was being removed while
there were zone transfers still pending
- Corrects a parser bug that could cause named to crash while
reading a malformed zone file
- many more smaller fixes
- version 9.9.1</comment>
<requestid>121732</requestid>
</revision>
<revision rev="79" vrev="1">
<srcmd5>3c3047e547c5a4f3b78ff74f793becdf</srcmd5>
<version>9.9.1P1</version>
<time>1338991536</time>
<user>coolo</user>
<comment>- updated dnszone-schema.txt
- VUL-0: bind remote DoS via zero length rdata field
CVE-2012-1667
bnc#765315
- 9.9.1-P1</comment>
<requestid>123696</requestid>
</revision>
<revision rev="80" vrev="3">
<srcmd5>3c3047e547c5a4f3b78ff74f793becdf</srcmd5>
<version>9.9.1P1</version>
<time>1340183201</time>
<user>adrianSuSE</user>
<comment>branched from openSUSE:Factory</comment>
</revision>
<revision rev="81" vrev="1">
<srcmd5>4ee7ce660a4c488f8621958c40df3bec</srcmd5>
<version>9.9.1P2</version>
<time>1343734032</time>
<user>coolo</user>
<comment>- Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [RT #30025]
(bnc#772945)
- ISC_QUEUE handling for recursive clients was updated to address a
race condition that could cause a memory leak. This rarely occurred
with UDP clients, but could be a significant problem for a server
handling a steady rate of TCP queries. [RT #29539 & #30233]
- Under heavy incoming TCP query loads named could experience a
memory leak which could lead to significant reductions in query
response or cause the server to be terminated on systems with
"out of memory" killers. [RT #29539]
(bnc#772946)
- A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [RT #29644]
- 9.9.1-P2
- license update: ISC
ISC is generally seen as the correct license for bind</comment>
<requestid>128983</requestid>
</revision>
<revision rev="82" vrev="1">
<srcmd5>a57666340c5160292c1df5c79300be8a</srcmd5>
<version>9.9.1P3</version>
<time>1347882476</time>
<user>coolo</user>
<comment>- Named could die on specially crafted record.
[RT #30416] (bnc#780157) CVE-2012-4244
- 9.9.1-P3
- updated dnszone-schema.txt from upstream.</comment>
<requestid>134434</requestid>
</revision>
<revision rev="83" vrev="2">
<srcmd5>33aece0a925bc3787b5072415d29aaef</srcmd5>
<version>9.9.1P3</version>
<time>1351155547</time>
<user>namtrac</user>
<comment>- Specially crafted DNS data can cause a lockup in named.
CVE-2012-5166, bnc#784602.
- 9.9.1-P4</comment>
<requestid>138821</requestid>
</revision>
<revision rev="84" vrev="1">
<srcmd5>9f750eaa6f8151e05d9a24576bb60551</srcmd5>
<version>9.9.2</version>
<time>1353133152</time>
<user>coolo</user>
<comment>- updated to 9.9.2
https://kb.isc.org/article/AA-00798
Security:
* A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad
cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of the
named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone
to determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;
it will not be built or installed on systems that do not have a python
interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can</comment>
<requestid>141386</requestid>
</revision>
<revision rev="85" vrev="2">
<srcmd5>f1d8418a88abcfdec28eca899c2c956f</srcmd5>
<version>9.9.2</version>
<time>1353402916</time>
<user>coolo</user>
<comment>- added a ratelimiting (draft RFC) patch from Paul Vixie.
see http://www.redbarn.org/dns/ratelimits
suggested by Stefan Schaefer <stefan@invis-server.org></comment>
<requestid>141805</requestid>
</revision>
<revision rev="86" vrev="1">
<srcmd5>0ba07898307f5455897ad3ac12bf7908</srcmd5>
<version>9.9.2P1</version>
<time>1354885607</time>
<user>namtrac</user>
<comment>- Updated to 9.9.2-P1 (bnc#792926)
https://kb.isc.org/article/AA-00828
* Security Fixes
Prevents named from aborting with a require assertion failure on
servers with DNS64 enabled. These crashes might occur as a result of
specific queries that are received. (Note that this fix is a subset
of a series of updates that will be included in full in BIND 9.8.5
and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. [CVE-2012-5166] [RT #31090]
Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
A condition has been corrected where improper handling of zero-length
RDATA could cause undesirable behavior, including termination of
the named process. [CVE-2012-1667] [RT #29644]
ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with
UDP clients, but could be a significant problem for a server handling
a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone,
or which DLV records should be published in a DLV zone, and queries
the DNS to ensure that it exists. (Note: This tool depends on python;</comment>
<requestid>144433</requestid>
</revision>
<revision rev="87" vrev="3">
<srcmd5>0ba07898307f5455897ad3ac12bf7908</srcmd5>
<version>9.9.2P1</version>
<time>1359108700</time>
<user>adrianSuSE</user>
<comment>Split 12.3 from Factory</comment>
</revision>
<revision rev="88" vrev="4">
<srcmd5>11650b86c26e679db89ebdc7eb2eea8e</srcmd5>
<version>9.9.2P1</version>
<time>1364472599</time>
<user>coolo</user>
<comment>- Updated to 9.9.2-P2 (bnc#811876)
Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266
* Security Fixes
Removed the check for regex.h in configure in order to disable regex
syntax checking, as it exposes BIND to a critical flaw in libregex
on some platforms. [RT #32688]
- added gpg key source verification</comment>
<requestid>161413</requestid>
</revision>
<revision rev="89" vrev="5">
<srcmd5>71ec0411ddf04255f4937521b112b6a4</srcmd5>
<version>9.9.2P1</version>
<time>1368448991</time>
<user>coolo</user>
<comment>- Use updated config.guess/sub in the embedded idnkit sources (forwarded request 174818 from Andreas_Schwab)</comment>
<requestid>174827</requestid>
</revision>
<revision rev="90" vrev="1">
<srcmd5>9a0c7735ae94cc5656895c347d3a4f32</srcmd5>
<version>9.9.3P1</version>
<time>1372740264</time>
<user>coolo</user>
<comment>- Updated to 9.9.3-P1
Various bugfixes and some feature fixes. (see CHANGES files)
Security and maintenance issues:
- [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
- [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
- [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
- [bug] Fixed several Coverity warnings.
Note: This change includes a fix for a bug that
was subsequently determined to be an exploitable
security vulnerability, CVE-2012-5688: named could
die on specific queries with dns64 enabled.
[RT #30996]
- [maint] Added AAAA for D.ROOT-SERVERS.NET.
- [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
- Updated to current rate limiting + rpz patch from
http://ss.vix.su/~vjs/rrlrpz.html
- moved dnssec-* helpers to bind-utils package. bnc#813911</comment>
<requestid>181326</requestid>
</revision>
<revision rev="91" vrev="2">
<srcmd5>cca9582686be0c8f8809fb17fe3c73eb</srcmd5>
<version>9.9.3P1</version>
<time>1374155255</time>
<user>coolo</user>
<comment>-></comment>
<requestid>183526</requestid>
</revision>
<revision rev="92" vrev="3">
<srcmd5>5c9fa314c0123c4a1f62432ca50ac838</srcmd5>
<version>9.9.3P1</version>
<time>1374701438</time>
<user>coolo</user>
<comment>- Remove non-working apparmor profiles (bnc#740327).</comment>
<requestid>184213</requestid>
</revision>
<revision rev="93" vrev="1">
<srcmd5>8d960fa9cdc3ac74d29c68f7b18a62f8</srcmd5>
<version>9.9.3P2</version>
<time>1376152105</time>
<user>scarabeus_factory</user>
<comment>- Systemd doesn't set $TERM, and hence breaks tput (bnc#823175).
- Improve pie_compile.diff (bnc#828874).
- dnssec-checkds and dnssec-coverage need python-base.
- disable rpath in libtool.
- Update to 9.9.3P2 fixes CVE-2013-4854, bnc#831899.
* Incorrect bounds checking on private type 'keydata' can lead
to a remotely triggerable REQUIRE failure.</comment>
<requestid>186266</requestid>
</revision>
<revision rev="94" vrev="3">
<srcmd5>8d960fa9cdc3ac74d29c68f7b18a62f8</srcmd5>
<version>9.9.3P2</version>
<time>1379662035</time>
<user>adrianSuSE</user>
<comment>Split 13.1 from Factory</comment>
</revision>
<revision rev="95" vrev="4">
<srcmd5>3ac834e5b522a02be3ccb86f016457e8</srcmd5>
<version>9.9.3P2</version>
<time>1386936102</time>
<user>coolo</user>
<comment>- Fix generation of /etc/named.conf.include
(bnc#828678, bnc#848777, bnc#814978).</comment>
<requestid>210487</requestid>
</revision>
<revision rev="96" vrev="1">
<srcmd5>053f0b364bfe5259a77ae4d801385c32</srcmd5>
<version>9.9.4P2</version>
<time>1391105648</time>
<user>coolo</user>
<comment>- Add the sdb-ldap backend module (fate#313216).
- Details can be found here:
* http://bind9-ldap.bayour.com/
* http://bind9-ldap.bayour.com/dnszonehowto.html
- Update to version 9.9.4P2
* Fixes named crash when handling malformed NSEC3-signed zones
(CVE-2014-0591, bnc#858639)
* Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now
supported upstream (--enable-rrl).</comment>
<requestid>215020</requestid>
</revision>
<revision rev="97" vrev="2">
<srcmd5>ac20fe916860bd5a11a3f4eadb260564</srcmd5>
<version>9.9.4P2</version>
<time>1400783857</time>
<user>coolo</user>
<comment>- use %_rundir macro
- Remove obsolete patch "workaround-compile-problem.diff"</comment>
<requestid>233016</requestid>
</revision>
<revision rev="98" vrev="3">
<srcmd5>4cfa2d98e78db7eae62085cb7fdbb613</srcmd5>
<version>9.9.4P2</version>
<time>1401958177</time>
<user>coolo</user>
<comment>add stuff for DNSSEC validation to named.conf (forwarded request 235970 from computersalat)</comment>
<requestid>236023</requestid>
</revision>
<revision rev="99" vrev="1">
<srcmd5>ca5e9cdcaf7bec22e317828be0af4792</srcmd5>
<version>9.9.5P1</version>
<time>1407227056</time>
<user>coolo</user>
<comment>1</comment>
<requestid>243383</requestid>
</revision>
<revision rev="100" vrev="3">
<srcmd5>ca5e9cdcaf7bec22e317828be0af4792</srcmd5>
<version>9.9.5P1</version>
<time>1409300562</time>
<user>adrianSuSE</user>
<comment>Split 13.2 from Factory</comment>
</revision>
<revision rev="101" vrev="4">
<srcmd5>59d4e4d64874dcb72cd4962453f53850</srcmd5>
<version>9.9.5P1</version>
<time>1410795638</time>
<user>coolo</user>
<comment>1</comment>
<requestid>248826</requestid>
</revision>
<revision rev="102" vrev="5">
<srcmd5>7089104564cc44b51ca73d227c9839ea</srcmd5>
<version>unknown</version>
<time>1418978488</time>
<user>dimstar_suse</user>
<comment>- Corrections to baselibs.conf
- Update to version 9.10.1-P1
- A flaw in delegation handling could be exploited to put named into an
infinite loop. This has been addressed by placing limits on the number of
levels of recursion named will allow (default 7), and the number of
iterative queries that it will send (default 50) before terminating a
recursive query (CVE-2014-8500); (bnc#908994).
The recursion depth limit is configured via the "max-recursion-depth"
option, and the query limit via the "max-recursion-queries" option.
[RT #37580]
- When geoip-directory was reconfigured during named run-time, the
previously loaded GeoIP data could remain, potentially causing wrong ACLs
to be used or wrong results to be served based on geolocation
(CVE-2014-8680). [RT #37720]; (bnc#908995).
- Lookups in GeoIP databases that were not loaded could cause an assertion
failure (CVE-2014-8680). [RT #37679]; (bnc#908995).
- The caching of GeoIP lookups did not always handle address families
correctly, potentially resulting in an assertion failure (CVE-2014-8680).
[RT #37672]; (bnc#908995).
- Convert some hard PreReq to leaner Requires(pre).
- Typographical and orthographic fixes to description texts.
- Fix bashisms in the createNamedConfInclude script.
- Post scripts: remove '-e' option of 'echo' that may be unsupported
in some POSIX-compliant shells.
- Add openssl engines to the lwresd chroot.
- Add /etc/lwresd.conf with attribute ghost to the list of files.</comment>
<requestid>264811</requestid>
</revision>
<revision rev="103" vrev="6">
<srcmd5>5677eadacd41a04b1c08d8b430d36be9</srcmd5>
<version>unknown</version>
<time>1421959732</time>
<user>dimstar_suse</user>
<comment>Automatic submission by obs-autosubmit</comment>
<requestid>282345</requestid>
</revision>
<revision rev="104" vrev="7">
<srcmd5>f56d17d0e6bd8b7f6380af15cddc44e8</srcmd5>
<version>unknown</version>
<time>1423812887</time>
<user>dimstar_suse</user>
<comment>- PowerPC can build shared libraries for sure.
idnkit-powerpc-ltconfig.patch (forwarded request 285468 from k0da)</comment>
<requestid>285623</requestid>
</revision>
<revision rev="105" vrev="8">
<srcmd5>e0b268d1b12a9abf5edc7aec8ae2dbda</srcmd5>
<version>unknown</version>
<time>1431248218</time>
<user>coolo</user>
<comment>- Depend on systemd macros and sysvinit on post-12.3 only.
- Create empty lwresd.conf at build time.
- Reduce file list pre-13.1.
- Update to version 9.10.2
- Handle timeout in legacy system test. [RT #38573]
- dns_rdata_freestruct could be called on a uninitialised structure when
handling a error. [RT #38568]
- Addressed valgrind warnings. [RT #38549]
- UDP dispatches could use the wrong pseudorandom
number generator context. [RT #38578]
- Fixed several small bugs in automatic trust anchor management, including a
memory leak and a possible loss of key state information. [RT #38458]
- 'dnssec-dsfromkey -T 0' failed to add ttl field. [RT #38565]
- Revoking a managed trust anchor and supplying an untrusted replacement
could cause named to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
- Fix a leak of query fetchlock. [RT #38454]
- Fix a leak of pthread_mutexattr_t. [RT #38454]
- RPZ could send spurious SERVFAILs in response
to duplicate queries. [RT #38510]
- CDS and CDNSKEY had the wrong attributes. [RT #38491]
- adb hash table was not being grown. [RT #38470]
- Update bind.keyring
- Update baselibs.conf due to updates to libdns160 and libisc148
- Enable export libraries to support plugin development.
Install DNSSEC root key.
Expose new interface for developing dynamic zone database.
+ dns_dynamic_db.patch</comment>
<requestid>305964</requestid>
</revision>
<revision rev="106" vrev="9">
<srcmd5>6ca19c17585435eea39f64136c907188</srcmd5>
<version>unknown</version>
<time>1436111894</time>
<user>coolo</user>
<comment>Automatic submission by obs-autosubmit</comment>
<requestid>313681</requestid>
</revision>
<revision rev="107" vrev="10">
<srcmd5>af4809a4344ffa81b05a5357eb816f5a</srcmd5>
<version>unknown</version>
<time>1437477998</time>
<user>coolo</user>
<comment>Automatic submission by obs-autosubmit</comment>
<requestid>317302</requestid>
</revision>
<revision rev="108" vrev="11">
<srcmd5>febf7b53e306032977007625642524e4</srcmd5>
<version>unknown</version>
<time>1439190746</time>
<user>dimstar_suse</user>
<comment>- Update to version 9.10.2-P3
Security Fixes
* A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #39795]
* On servers configured to perform DNSSEC validation, an assertion failure
could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone load was
already in progress; this could trigger a crash in zt.c. [RT #37573]
* Several bugs have been fixed in the RPZ implementation:
+ Policy zones that did not specifically require recursion could be treated
as if they did; consequently, setting qname-wait-recurse no; was
sometimes ineffective. This has been corrected. In most configurations,
behavioral changes due to this fix will not be noticeable. [RT #39229]
+ The server could crash if policy zones were updated (e.g. via
rndc reload or an incoming zone transfer) while RPZ processing
was still ongoing for an active query. [RT #39415]
+ On servers with one or more policy zones configured as slaves, if a
policy zone updated during regular operation (rather than at startup)
using a full zone reload, such as via AXFR, a bug could allow the RPZ
summary data to fall out of sync, potentially leading to an assertion
failure in rpz.c when further incremental updates were made to the zone,
such as via IXFR. [RT #39567]
+ The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an unexpected
action could be taken. This has been corrected. [RT #39481]
+ The server could crash if a reload of an RPZ zone was initiated while</comment>
<requestid>319467</requestid>
</revision>
<revision rev="109" vrev="12">
<srcmd5>53058ac7f1a8d2d41d1cbb54fc38dbb6</srcmd5>
<version>unknown</version>
<time>1443694872</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>333033</requestid>
</revision>
<revision rev="110" vrev="13">
<srcmd5>d5b7a1f98834afde27766ecae09fc8d4</srcmd5>
<version>unknown</version>
<time>1445511387</time>
<user>dimstar_suse</user>
<comment>- Avoid double %setup, it confuses some versions of quilt.
- Summary/description update (forwarded request 336332 from jengelh)</comment>
<requestid>336452</requestid>
</revision>
<revision rev="111" vrev="14">
<srcmd5>1286dfd06c336e57ac7ee85ccfb5f631</srcmd5>
<version>unknown</version>
<time>1450861019</time>
<user>dimstar_suse</user>
<comment>- Update to version 9.10.3-P2 to fix a remote denial of service by
misparsing incoming responses (CVE-2015-8000, bsc#958861).</comment>
<requestid>350227</requestid>
</revision>
<revision rev="112" vrev="15">
<srcmd5>7a726496d912ec28edd53bb24cae2fad</srcmd5>
<version>unknown</version>
<time>1453997991</time>
<user>dimstar_suse</user>
<comment>- Security update 9.10.3-P3:
* Specific APL data could trigger an INSIST (CVE-2015-8704,
bsc#962189).
* Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could
be mishandled, resulting in an assertion failure
(CVE-2015-8705, bsc#962190).
* Authoritative servers that were marked as bogus (e.g.
blackholed in configuration or with invalid addresses) were
being queried anyway.</comment>
<requestid>354931</requestid>
</revision>
<revision rev="113" vrev="16">
<srcmd5>fba6c9b23236dc4ca7706b3be3035502</srcmd5>
<version>unknown</version>
<time>1456821533</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>361595</requestid>
</revision>
<revision rev="114" vrev="17">
<srcmd5>571f440f7c2acc7ed2a0c386c1a079b0</srcmd5>
<version>unknown</version>
<time>1458333209</time>
<user>dimstar_suse</user>
<comment>- Security update 9.10.3-P3:
* CVE-2016-1285, bsc#970072: assert failure on input parsing can
cause premature exit.
* CVE-2016-1286, bsc#970073: An error when parsing signature
records for DNAME can lead to named exiting due to an assertion
failure.
* CVE-2016-2088, bsc#970074: a deliberately misconstructed packet
containing multiple cookie options to cause named to terminate
with an assertion failure.</comment>
<requestid>370068</requestid>
</revision>
<revision rev="115" vrev="18">
<srcmd5>6d0a06cbd5b5ca24925cdc2d9a1bf4a1</srcmd5>
<version>unknown</version>
<time>1462051491</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>390129</requestid>
</revision>
<revision rev="116" vrev="19">
<srcmd5>e70ddebf3d3fb8da535f7ce0490783b4</srcmd5>
<version>unknown</version>
<time>1467359703</time>
<user>dimstar_suse</user>
<comment>Automatic submission by obs-autosubmit</comment>
<requestid>404235</requestid>
</revision>
<revision rev="117" vrev="20">
<srcmd5>65f6460bbf8e820df906b15f48bed5ba</srcmd5>
<version>unknown</version>
<time>1475023095</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>430623</requestid>
</revision>
<revision rev="118" vrev="21">
<srcmd5>9fbfe25ea84f8687267f43c50fe7a67d</srcmd5>
<version>unknown</version>
<time>1478167877</time>
<user>dimstar_suse</user>
<comment>Apply cve-2016-8864.patch to fix CVE-2016-8864 (bsc#1007829). (forwarded request 438189 from psimons)</comment>
<requestid>438333</requestid>
</revision>
<revision rev="119" vrev="22">
<srcmd5>a11ddd5b611d2791f888f48fe9ff98be</srcmd5>
<version>unknown</version>
<time>1485380328</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>452040</requestid>
</revision>
<revision rev="120" vrev="23">
<srcmd5>1a87cacee83c63eeb30d3c55141a213f</srcmd5>
<version>unknown</version>
<time>1487384100</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>457428</requestid>
</revision>
<revision rev="121" vrev="24">
<srcmd5>6bd0d5a239350474428974a83bd59787</srcmd5>
<version>unknown</version>
<time>1487980136</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>459475</requestid>
</revision>
<revision rev="122" vrev="25">
<srcmd5>15fcfca24fc801d1d095ae2c64a1bd9e</srcmd5>
<version>unknown</version>
<time>1490965495</time>
<user>maxlin_factory</user>
<comment>1</comment>
<requestid>482314</requestid>
</revision>
<revision rev="123" vrev="26">
<srcmd5>d933d7ded5107fa2145a25ef8b2f1eb3</srcmd5>
<version>unknown</version>
<time>1495295749</time>
<user>dimstar_suse</user>
<comment>a- Fix named init script to dynamically find the location of the
openssl engines (boo#1040027). (forwarded request 496935 from dimstar)</comment>
<requestid>496968</requestid>
</revision>
<revision rev="124" vrev="27">
<srcmd5>67d606b94542fb49b8ee797af22ac251</srcmd5>
<version>unknown</version>
<time>1499152121</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>507946</requestid>
</revision>
<revision rev="125" vrev="28">
<srcmd5>62a614b4a54644a2820bd6e8416246db</srcmd5>
<version>unknown</version>
<time>1501406518</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>510389</requestid>
</revision>
<revision rev="126" vrev="29">
<srcmd5>6342b53e026df5701ddb84b89ec9a5eb</srcmd5>
<version>unknown</version>
<time>1504981428</time>
<user>dimstar_suse</user>
<comment>- Enable JSON statistics</comment>
<requestid>521995</requestid>
</revision>
<revision rev="127" vrev="30">
<srcmd5>bf7b63bbd35f1e251441d5f9d5584fa7</srcmd5>
<version>unknown</version>
<time>1505502547</time>
<user>dimstar_suse</user>
<comment>1</comment>
<requestid>525963</requestid>
</revision>
<revision rev="128" vrev="31">
<srcmd5>f0219b08850c9417a45181f4b8a25a84</srcmd5>
<version>unknown</version>
<time>1511426081</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>544110</requestid>
</revision>
<revision rev="129" vrev="32">
<srcmd5>963483450ac709200b628b6147db2f32</srcmd5>
<version>9.11.2</version>
<time>1515875766</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>554965</requestid>
</revision>
<revision rev="130" vrev="33">
<srcmd5>06738aa60e15429a4c4c928afc34e55d</srcmd5>
<version>9.11.2</version>
<time>1516970271</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>568772</requestid>
</revision>
<revision rev="131" vrev="34">
<srcmd5>a325effd687b354ceb941161b25f9f4a</srcmd5>
<version>9.11.2</version>
<time>1518281540</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>574246</requestid>
</revision>
<revision rev="132" vrev="35">
<srcmd5>faee7defcdc75ae52b12fc8801cba8a3</srcmd5>
<version>9.11.2</version>
<time>1518950363</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>577263</requestid>
</revision>
<revision rev="133" vrev="36">
<srcmd5>f31c56fc536d3b4c49ab66e2fe1bf78a</srcmd5>
<version>9.11.2</version>
<time>1519902079</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>580553</requestid>
</revision>
<revision rev="134" vrev="37">
<srcmd5>bfeb8cb7f0baa2980df6daeec1b8c334</srcmd5>
<version>9.11.2</version>
<time>1524144759</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>598053</requestid>
</revision>
<revision rev="135" vrev="38">
<srcmd5>2c1f3d6f03a5b3d03073d378c44db007</srcmd5>
<version>9.11.2</version>
<time>1527084489</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>611520</requestid>
</revision>
<revision rev="136" vrev="39">
<srcmd5>cdf1c1b385d2f38c490eab8855c92bce</srcmd5>
<version>9.11.2</version>
<time>1529065906</time>
<user>maxlin_factory</user>
<comment></comment>
<requestid>614834</requestid>
</revision>
<revision rev="137" vrev="40">
<srcmd5>1921156831a62baeea7636230b27bbae</srcmd5>
<version>9.11.2</version>
<time>1530741015</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>619226</requestid>
</revision>
<revision rev="138" vrev="41">
<srcmd5>827d35147f24a8f90ec6e4a05bdd5745</srcmd5>
<version>9.11.2</version>
<time>1532774224</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>623945</requestid>
</revision>
<revision rev="139" vrev="42">
<srcmd5>efc4f24dcca51c9246408da4729fc04d</srcmd5>
<version>9.11.2</version>
<time>1538502246</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>637886</requestid>
</revision>
<revision rev="140" vrev="43">
<srcmd5>4058f704fee02894f171df6030001197</srcmd5>
<version>9.11.2</version>
<time>1545222233</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>656817</requestid>
</revision>
<revision rev="141" vrev="44">
<srcmd5>1c5684c8571c0abef50537bf622f8f70</srcmd5>
<version>9.11.2</version>
<time>1555588624</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>694780</requestid>
</revision>
<revision rev="142" vrev="45">
<srcmd5>1c20ca6bacd0fba8df44c6d2e8d209cb</srcmd5>
<version>9.11.2</version>
<time>1564413784</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>717460</requestid>
</revision>
<revision rev="143" vrev="1">
<srcmd5>2d3fc0d6177d77191d151b5aa3d748af</srcmd5>
<version>9.14.8</version>
<time>1574677402</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>750233</requestid>
</revision>
<revision rev="144" vrev="1">
<srcmd5>3f182b9e7c5fa3c1b1c22257ea1d4b8b</srcmd5>
<version>9.14.9</version>
<time>1578749859</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>761906</requestid>
</revision>
<revision rev="145" vrev="1">
<srcmd5>9c5f0784d740407c5083ec7bcae7bde6</srcmd5>
<version>9.16.0</version>
<time>1582725692</time>
<user>dimstar_suse</user>
<comment>- Update download urls
- Do not enable geoip on old distros, the geoip db was shut down
so we need to use geoip2 everywhere
- Upgrade to version 9.16.0
Major upgrade, see
https://downloads.isc.org/isc/bind9/9.16.0/RELEASE-NOTES-bind-9.16.0.html
and
CHANGES file in the source tree.
Major functional change:
* What was set with --with-tuning=large option in older BIND9
versions is now a default, and a --with-tuning=small option was
added for small (e.g. OpenWRT) systems.
* A new "dnssec-policy" option has been added to named.conf to
implement a key and signing policy (KASP) for zones.
* The command (and manpage) bind9-config have been dropped as the
BIND 9 libraries are now purely internal.
No patches became obsolete through the upgrade.
[bind-9.16.0.tar.xz]</comment>
<requestid>778175</requestid>
</revision>
<revision rev="146" vrev="1">
<srcmd5>2129668c33083bbb9b5bf63ddc8fb516</srcmd5>
<version>9.16.1</version>
<time>1584964176</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>787354</requestid>
</revision>
<revision rev="147" vrev="2">
<srcmd5>c50e6aa20c8341e7210fd25d7dc9a3fd</srcmd5>
<version>9.16.1</version>
<time>1585342586</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>788923</requestid>
</revision>
<revision rev="148" vrev="3">
<srcmd5>1223d9b1fa886538722ace6eeba07a03</srcmd5>
<version>9.16.1</version>
<time>1587070835</time>
<user>dimstar_suse</user>
<comment>Added all bugs, fates, and CVEs that were fixed for SLE12 and SLE15 to the entry for the update to 9.14.7 to have a common base for factory, SLE12 and SLE15</comment>
<requestid>794462</requestid>
</revision>
<revision rev="149" vrev="4">
<srcmd5>f95bd097569c1d9da7f8ff949e0ac1e2</srcmd5>
<version>9.16.1</version>
<time>1587581032</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>795499</requestid>
</revision>
<revision rev="150" vrev="5">
<srcmd5>f4224663acec535854689e4c3e2bfdd0</srcmd5>
<version>9.16.1</version>
<time>1589315231</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>802618</requestid>
</revision>
<revision rev="151" vrev="1">
<srcmd5>2e3ccc6960748af5db670284caac79c0</srcmd5>
<version>9.16.3</version>
<time>1590506039</time>
<user>maxlin_factory</user>
<comment></comment>
<requestid>807723</requestid>
</revision>
<revision rev="152" vrev="1">
<srcmd5>85b302fa4a4ef64ca8ba5efd16103df7</srcmd5>
<version>9.16.4</version>
<time>1593006461</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>815879</requestid>
</revision>
<revision rev="153" vrev="1">
<srcmd5>71427664c6127408860285bc279780f6</srcmd5>
<version>9.16.5</version>
<time>1595773043</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>822229</requestid>
</revision>
<revision rev="154" vrev="2">
<srcmd5>123723701fd71156772b669147ba62a2</srcmd5>
<version>9.16.5</version>
<time>1597955009</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>827215</requestid>
</revision>
<revision rev="155" vrev="1">
<srcmd5>9f888b11282650f0b909c8523dcfc124</srcmd5>
<version>9.16.6</version>
<time>1598886890</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>830242</requestid>
</revision>
<revision rev="156" vrev="2">
<srcmd5>0385a0526ed237d746e83cf9c1da3cbe</srcmd5>
<version>9.16.6</version>
<time>1598946582</time>
<user>dimstar_suse</user>
<comment>Require sysvinit-tools only when using systemd</comment>
</revision>
<revision rev="157" vrev="3">
<srcmd5>9552a8f9e0859d2f3432f76f3f5e01d5</srcmd5>
<version>9.16.6</version>
<time>1600956803</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>835837</requestid>
</revision>
<revision rev="158" vrev="1">
<srcmd5>67821337687430823e219d12096c93d1</srcmd5>
<version>9.16.7</version>
<time>1603545383</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>843228</requestid>
</revision>
<revision rev="159" vrev="1">
<srcmd5>458c5e59d5e4cede8dd442230af2ae09</srcmd5>
<version>9.16.8</version>
<time>1607430233</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>853298</requestid>
</revision>
<revision rev="160" vrev="1">
<srcmd5>fe87e88a6638bb1dc6d01961f5a5ae04</srcmd5>
<version>9.16.10</version>
<time>1610123651</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>861029</requestid>
</revision>
<revision rev="161" vrev="1">
<srcmd5>735aba5248b0a4a8d20a56482ea57834</srcmd5>
<version>9.16.11</version>
<time>1612011334</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>866745</requestid>
</revision>
<revision rev="162" vrev="1">
<srcmd5>426e1ad8e2ae49d11d873ee83f596ef2</srcmd5>
<version>9.16.12</version>
<time>1617908506</time>
<user>RBrownSUSE</user>
<comment></comment>
<requestid>880703</requestid>
</revision>
<revision rev="163" vrev="2">
<srcmd5>58404f27d0921d53a24ef141e0c0bd04</srcmd5>
<version>9.16.12</version>
<time>1619973313</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>889528</requestid>
</revision>
<revision rev="164" vrev="1">
<srcmd5>c1318d8c4b253b73acd24cfc63a04aad</srcmd5>
<version>9.16.15</version>
<time>1620653805</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>891837</requestid>
</revision>
<revision rev="165" vrev="2">
<srcmd5>04d35f12257c61c997f0519770c2f0ac</srcmd5>
<version>9.16.15</version>
<time>1621113319</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>892294</requestid>
</revision>
<revision rev="166" vrev="1">
<srcmd5>1fd34f244e8739fb00e804ae19d13baf</srcmd5>
<version>9.16.16</version>
<time>1622536371</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>895166</requestid>
</revision>
<revision rev="167" vrev="1">
<srcmd5>e403fa4f95c02e6e1fd9fa4328c6214f</srcmd5>
<version>9.16.18</version>
<time>1624626063</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>901436</requestid>
</revision>
<revision rev="168" vrev="2">
<srcmd5>c8eb7787bf53fb7baae362ae103094ed</srcmd5>
<version>9.16.18</version>
<time>1625225184</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>902727</requestid>
</revision>
<revision rev="169" vrev="3">
<srcmd5>652738503bfa4d6f86a233ea5eeb0713</srcmd5>
<version>9.16.18</version>
<time>1626986579</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>907489</requestid>
</revision>
<revision rev="170" vrev="1">
<srcmd5>5536f061bed4695e2cf6d6bd81ac7a4e</srcmd5>
<version>9.16.19</version>
<time>1627898699</time>
<user>dimstar_suse</user>
<comment>- Update to 9.16.19
* A race condition could occur where two threads were
competing for the same set of key file locks, leading to
a deadlock. This has been fixed. [GL #2786]
* create_keydata() created an invalid placeholder keydata
record upon a refresh failure, which prevented the
database of managed keys from subsequently being read
back. This has been fixed. [GL #2686]
* KASP support was extended with the "check DS" feature.
Zones with "dnssec-policy" and "parental-agents"
configured now check for DS presence and can perform
automatic KSK rollovers. [GL #1126]
* Rescheduling a setnsec3param() task when a zone failed
to load on startup caused a hang on shutdown. This has
been fixed. [GL #2791]
* The configuration-checking code failed to account for
the inheritance rules of the "dnssec-policy" option.
This has been fixed. [GL #2780]
* If nsupdate sends an SOA request and receives a REFUSED
response, it now fails over to the next available
server. [GL #2758]
* For UDP messages larger than the path MTU, named now
sends an empty response with the TC (TrunCated) bit set.
In addition, setting the DF (Don't Fragment) flag on
outgoing UDP sockets was re-enabled. [GL #2790]
* Views with recursion disabled are now configured with a
default cache size of 2 MB unless "max-cache-size" is
explicitly set. This prevents cache RBT hash tables from
being needlessly preallocated for such views. [GL #2777]
* Change 5644 inadvertently introduced a deadlock: when
locking the key file mutex for each zone structure in a
different view, the "in-view" logic was not considered.
This has been fixed. [GL #2783]
* Increasing "max-cache-size" for a running named instance
(using "rndc reconfig") did not cause the hash tables
used by cache databases to be grown accordingly. This
has been fixed. [GL #2770]
* Signed, insecure delegation responses prepared by named
either lacked the necessary NSEC records or contained
duplicate NSEC records when both wildcard expansion and
CNAME chaining were required to prepare the response.
This has been fixed. [GL #2759]
* A bug that caused the NSEC3 salt to be changed on every
restart for zones using KASP has been fixed. [GL #2725] (forwarded request 909186 from polslinux)</comment>
<requestid>909191</requestid>
</revision>
<revision rev="171" vrev="1">
<srcmd5>1c3eb9829e9a2abb7890bb9867ce3cd6</srcmd5>
<version>9.16.20</version>
<time>1630432503</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>914627</requestid>
</revision>
<revision rev="172" vrev="2">
<srcmd5>2f0f8cbf2c8a01f68bf8820fe82c9e62</srcmd5>
<version>9.16.20</version>
<time>1634943025</time>
<user>dimstar_suse</user>
<comment> (forwarded request 926001 from jmoellers)</comment>
<requestid>926547</requestid>
</revision>
<revision rev="173" vrev="3">
<srcmd5>5f08a87ab9f257ab3264ab7e5e530fd2</srcmd5>
<version>9.16.20</version>
<time>1638388004</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>934423</requestid>
</revision>
<revision rev="174" vrev="1">
<srcmd5>67d2a01944432929826d53ef8f4c3e15</srcmd5>
<version>9.16.23</version>
<time>1638831553</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>935520</requestid>
</revision>
<revision rev="175" vrev="1">
<srcmd5>aeb8edbdca131b7d6e5deab7584a25c6</srcmd5>
<version>9.16.24</version>
<time>1640690769</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>942722</requestid>
</revision>
<revision rev="176" vrev="1">
<srcmd5>01fc1f608affff5194c518aec1b2515a</srcmd5>
<version>9.16.25</version>
<time>1642936532</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>947977</requestid>
</revision>
<revision rev="177" vrev="2">
<srcmd5>53528e29f045ab5a7e60105308c3d391</srcmd5>
<version>9.16.25</version>
<time>1643228796</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>948355</requestid>
</revision>
<revision rev="178" vrev="1">
<srcmd5>181ba281d00e2c50cb758fbad61fd332</srcmd5>
<version>9.18.2</version>
<time>1652801021</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>977470</requestid>
</revision>
<revision rev="179" vrev="1">
<srcmd5>b1116b2da8d6ad07eeb32400ff08143c</srcmd5>
<version>9.18.3</version>
<time>1654506592</time>
<user>dimstar_suse</user>
<comment>- Upgrade to 9.18.3:
Bugs fixed:
* Fix a crash in DNS-over-HTTPS (DoH) code caused by premature
TLS stream socket object deletion.
* RPZ NSIP and NSDNAME rule processing didn't handle stub and
static-stub zones at or above the query name. This has now
been addressed.
* Fixed a deadlock that could occur if an rndc connection arrived
during the shutdown of network interfaces.
* Refactor the fctx_done() function to set fctx to NULL after
detaching, so that reference counting errors will be easier to
avoid.
* udp_recv() in dispatch could trigger an INSIST when the
callback's result indicated success but the response was
canceled in the meantime.
* Work around a jemalloc quirk which could trigger an
out-of-memory condition in named over time.
* If there was a pending negative cache DS entry, validations
depending upon it could fail.
* dig returned a 0 exit status on UDP connection failure.
* Fix an assertion failure when using dig with +nssearch and
+tcp options by starting the next query in the send_done()
callback (like in the UDP mode) instead of doing that
recursively in start_tcp(). Also ensure that queries
interrupted while connecting are detached properly.
* Don't remove CDS/CDNSKEY DELETE records on zone sign when
using 'auto-dnssec maintain;'.
This obsoletes the following patch:
bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
[CVE-2022-1183, bsc#1199619]</comment>
<requestid>980817</requestid>
</revision>
<revision rev="180" vrev="1">
<srcmd5>7ba9f7946927587381d21d970d0ab03d</srcmd5>
<version>9.18.4</version>
<time>1655665845</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>983574</requestid>
</revision>
<revision rev="181" vrev="1">
<srcmd5>4b77341d3d5f81ad823f913633e5c36c</srcmd5>
<version>9.18.5</version>
<time>1658857374</time>
<user>RBrownFactory</user>
<comment></comment>
<requestid>990523</requestid>
</revision>
<revision rev="182" vrev="2">
<srcmd5>3d84022dc110b300deddf080dcff5ea6</srcmd5>
<version>9.18.5</version>
<time>1659612162</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>992020</requestid>
</revision>
<revision rev="183" vrev="3">
<srcmd5>0612765d98160481a1f4a57ae3b6f59c</srcmd5>
<version>9.18.5</version>
<time>1659721821</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>993089</requestid>
</revision>
<revision rev="184" vrev="1">
<srcmd5>0e8b472f4cadec0c0788135dba2ecb0f</srcmd5>
<version>9.18.6</version>
<time>1661020066</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>998091</requestid>
</revision>
<revision rev="185" vrev="1">
<srcmd5>f5fe3ff4dc1bc79f84056a21f592b8e9</srcmd5>
<version>9.18.7</version>
<time>1663850976</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>1005207</requestid>
</revision>
<revision rev="186" vrev="2">
<srcmd5>1f69c597945823a9d9e9424b46220120</srcmd5>
<version>9.18.7</version>
<time>1665420209</time>
<user>favogt_factory</user>
<comment></comment>
<requestid>1008629</requestid>
</revision>
<revision rev="187" vrev="1">
<srcmd5>fa68ab414b1ba2e66c0e0b58af7e0ae4</srcmd5>
<version>9.18.8</version>
<time>1667901221</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>1034322</requestid>
</revision>
<revision rev="188" vrev="1">
<srcmd5>969d03733fa1edaa44bd088822b97b0b</srcmd5>
<version>9.18.9</version>
<time>1669129794</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>1037146</requestid>
</revision>
<revision rev="189" vrev="1">
<srcmd5>060b144cd76f9c87ba950d6d703f59d0</srcmd5>
<version>9.18.10</version>
<time>1671889861</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.10
Feature Changes:
* To reduce unnecessary memory consumption in the cache, NXDOMAIN
records are no longer retained past the normal negative cache
TTL, even if stale-cache-enable is set to yes.
* The auto-dnssec option has been deprecated and will be removed
in a future BIND 9.19.x release. Please migrate to
dnssec-policy.
* The coresize, datasize, files, and stacksize options have been
deprecated. The limits these options set should be enforced
externally, either by manual configuration (e.g. using ulimit)
or via the process supervisor (e.g. systemd).
* Setting alternate local addresses for inbound zone transfers
has been deprecated. The relevant options (alt-transfer-source,
alt-transfer-source-v6, and use-alt-transfer-source) will be
removed in a future BIND 9.19.x release.
* The number of HTTP headers allowed in requests sent to named’s
statistics channel has been increased from 10 to 100, to
accommodate some browsers that send more than 10 headers by
default.
Bug Fixes:
* named could crash due to an assertion failure when an HTTP
connection to the statistics channel was closed prematurely
(due to a connection error, shutdown, etc.).
* When a catalog zone was removed from the configuration, in some
cases a dangling pointer could cause the named process to
crash.
* When a zone was deleted from a server, a key management object
related to that zone was inadvertently kept in memory and only
released upon shutdown. This could lead to constantly
increasing memory use on servers with a high rate of changes
affecting the set of zones being served.
* TLS configuration for primary servers was not applied for zones
that were members of a catalog zone.
* In certain cases, named waited for the resolution of
outstanding recursive queries to finish before shutting down.
* host and nslookup command-line options setting the custom
TCP/UDP port to use were ignored for ANY queries (which are
sent over TCP).
* The zone <name>/<class>: final reference detached log message
was moved from the INFO log level to the DEBUG(1) log level to
prevent the named-checkzone tool from superfluously logging
this message in non-debug mode.
</comment>
<requestid>1044276</requestid>
</revision>
<revision rev="190" vrev="2">
<srcmd5>bfe0a04bf75f395de4d7ea14bc2a31c8</srcmd5>
<version>9.18.10</version>
<time>1673021104</time>
<user>dimstar_suse</user>
<comment></comment>
<requestid>1056198</requestid>
</revision>
<revision rev="191" vrev="1">
<srcmd5>ce44b919f55cb3a5e109225262d4ea63</srcmd5>
<version>9.18.11</version>
<time>1674737826</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.11
Security Fixes:
* An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a new
update-quota option that controls the maximum number of
outstanding DNS UPDATE messages that named can hold in a queue
at any given time (default: 100). (CVE-2022-3094)
* named could crash with an assertion failure when an RRSIG query
was received and stale-answer-client-timeout was set to a
non-zero value. This has been fixed. (CVE-2022-3736)
* named running as a resolver with the
stale-answer-client-timeout option set to any value greater
than 0 could crash with an assertion failure, when the
recursive-clients soft quota was reached. This has been fixed.
(CVE-2022-3924)
New Features:
* The new update-quota option can be used to control the number
of simultaneous DNS UPDATE messages that can be processed to
update an authoritative zone on a primary server, or forwarded
to the primary server by a secondary server. The default is
100. A new statistics counter has also been added to record
events when this quota is exceeded, and the version numbers for
the XML and JSON statistics schemas have been updated.
Removed Features:
* The Differentiated Services Code Point (DSCP) feature in BIND
has been non-operational since the new Network Manager was
introduced in BIND 9.16. It is now marked as obsolete, and
vestigial code implementing it has been removed. Configuring
DSCP values in named.conf now causes a warning to be logged.
Feature Changes:
* The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones.
Bug Fixes:
* A rare assertion failure was fixed in outgoing TCP DNS
connection handling.
* Large zone transfers over TLS (XoT) could fail. This has been
fixed.
* In addition to a previously fixed bug, another similar issue
was discovered where quotas could be erroneously reached for
servers, including any configured forwarders, resulting in
SERVFAIL answers being sent to clients. This has been fixed.
* In certain query resolution scenarios (e.g. when following
CNAME records), named configured to answer from stale cache
could return a SERVFAIL response despite a usable, non-stale
answer being present in the cache. This has been fixed.
* When an outgoing request timed out, named would retry up to
three times with the same server instead of trying the next
available name server. This has been fixed.
* Recently used ADB names and ADB entries (IP addresses) could
get cleaned when ADB was under memory pressure. To mitigate
this, only actual ADB names and ADB entries are now counted
(excluding internal memory structures used for “housekeeping”)
and recently used (<= 10 seconds) ADB names and entries are
excluded from the overmem memory cleaner.
* The “Prohibited” Extended DNS Error was inadvertently set in
some NOERROR responses. This has been fixed.
* Previously, TLS session resumption could have led to handshake
failures when client certificates were used for authentication
(Mutual TLS). This has been fixed.
[bsc#1207471, bsc#1207473, bsc#1207475]
</comment>
<requestid>1060984</requestid>
</revision>
<revision rev="192" vrev="1">
<srcmd5>2fa9bb4cd6c41e09db38bf0a464bf884</srcmd5>
<version>9.18.12</version>
<time>1676648641</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.12
Removed Features:
* Specifying a port when configuring source addresses (i.e., as
an argument to query-source, query-source-v6, transfer-source,
transfer-source-v6, notify-source, notify-source-v6,
parental-source, or parental-source-v6, or in the source or
source-v6 arguments to primaries, parental-agents, also-notify,
or catalog-zones) has been deprecated. In addition, the
use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and
avoid-v6-udp-ports options have also been deprecated.
Warnings are now logged when any of these options are
encountered in named.conf. In a future release, they will be
made nonfunctional.
Bug Fixes:
* A constant stream of zone additions and deletions via rndc
reconfig could cause increased memory consumption due to
delayed cleaning of view memory. This has been fixed.
* The speed of the message digest algorithms (MD5, SHA-1, SHA-2),
and of NSEC3 hashing, has been improved.
* Pointing parental-agents to a resolver did not work because the
RD bit was not set on DS requests. This has been fixed.
* Building BIND 9 failed when the --enable-dnsrps switch for
./configure was used. This has been fixed.
- Updated keyring and signature
</comment>
<requestid>1066214</requestid>
</revision>
<revision rev="193" vrev="1">
<srcmd5>d7c98e8b3d84c03d1c9a4e793f4af542</srcmd5>
<version>9.18.13</version>
<time>1679068946</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.13
New Features:
* RPZ updates are now run on specialized “offload” threads to
reduce the amount of time they block query processing on the
main networking threads. This increases the responsiveness of
named when RPZ updates are being applied after an RPZ zone has
been successfully transferred.
Feature Changes:
* Catalog zone updates are now run on specialized “offload”
threads to reduce the amount of time they block query
processing on the main networking threads. This increases the
responsiveness of named when catalog zone updates are being
applied after a catalog zone has been successfully transferred.
* libuv support for receiving multiple UDP messages in a single
recvmmsg() system call has been tweaked several times between
libuv versions 1.35.0 and 1.40.0; the current recommended libuv
version is 1.40.0 or higher. New rules are now in effect for
running with a different version of libuv than the one used at
compilation time. These rules may trigger a fatal error at
startup:
- Building against or running with libuv versions 1.35.0 and
1.36.0 is now a fatal error.
- Running with libuv version higher than 1.34.2 is now a
fatal error when named is built against libuv version
1.34.2 or lower.
- Running with libuv version higher than 1.39.0 is now a
fatal error when named is built against libuv version
1.37.0, 1.38.0, 1.38.1, or 1.39.0.
* This prevents the use of libuv versions that may trigger an
assertion failure when receiving multiple UDP messages in a
single system call.
Bug Fixes:
* named could crash with an assertion failure when adding a new
zone into the configuration file for a name which was already
configured as a member zone for a catalog zone. This has been
fixed.
* When named starts up, it sends a query for the DNSSEC key for
each configured trust anchor to determine whether the key has
changed. In some unusual cases, the query might depend on a
zone for which the server is itself authoritative, and would
have failed if it were sent before the zone was fully loaded.
This has now been fixed by delaying the key queries until all
zones have finished loading.
</comment>
<requestid>1072172</requestid>
</revision>
<revision rev="194" vrev="1">
<srcmd5>938345651ff025f7c8ead983520b0c48</srcmd5>
<version>9.18.14</version>
<time>1682193547</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.14
Removed Features:
* Zone type delegation-only, and the delegation-only and
root-delegation-only statements, have been deprecated. A
warning is now logged when they are used.
* These statements were created to address the SiteFinder
controversy, in which certain top-level domains redirected
misspelled queries to other sites instead of returning NXDOMAIN
responses. Since top-level domains are now DNSSEC-signed, and
DNSSEC validation is active by default, the statements are no
longer needed.
Bug Fixes:
* Several bugs which could cause named to crash during catalog
zone processing have been fixed.
* Previously, downloading large zones over TLS (XoT) from a
primary could hang the transfer on the secondary, especially
when the connection was unstable. This has been fixed.
* Performance of DNSSEC validation in zones with many DNSKEY
records has been improved.
</comment>
<requestid>1081793</requestid>
</revision>
<revision rev="195" vrev="1">
<srcmd5>745bbc691523aac0d006f585c7ca134f</srcmd5>
<version>9.18.15</version>
<time>1684415898</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.15
Bug Fixes:
* The max-transfer-time-in and max-transfer-idle-in statements
have not had any effect since the BIND 9 networking stack was
refactored in version 9.16. The missing functionality has been
re-implemented and incoming zone transfers now time out
properly when not progressing.
* The read timeout in rndc is now 60 seconds, matching the
behavior in BIND 9.16 and earlier. It had previously been
lowered to 30 seconds by mistake.
* When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT)
error code is returned by libuv, it is now treated as a network
failure: the server for which that error code is returned gets
marked as broken and is not contacted again during a given
resolution process.
* When removing delegations from an opt-out range,
empty-non-terminal NSEC3 records generated by those delegations
were not cleaned up. This has been fixed.
* Log file rotation code did not clean up older versions of log
files when the logging channel had an absolute path configured
as a file destination. This has been fixed.
Known Issues:
* Sending NOTIFY messages silently fails when the source port
specified in the notify-source statement is already in use.
This can happen e.g. when multiple servers are configured as
NOTIFY targets for a zone and some of them are unresponsive.
This issue can be worked around by not specifying the source
port for NOTIFY messages in the notify-source statement; note
that source port configuration is already deprecated and will
be removed altogether in a future release.
</comment>
<requestid>1087546</requestid>
</revision>
<revision rev="196" vrev="1">
<srcmd5>42380988621ca1c46743e6ce5bcf07e7</srcmd5>
<version>9.18.16</version>
<time>1687549913</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.16
Security Fixes:
* The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit. (CVE-2023-2828)
* A query that prioritizes stale data over lookup triggers a
fetch to refresh the stale data in cache. If the fetch is
aborted for exceeding the recursion quota, it was possible for
named to enter an infinite callback loop and crash due to stack
overflow. This has been fixed. (CVE-2023-2911)
New Features:
* The system test suite can now be executed with pytest (along
with pytest-xdist for parallel execution).
Removed Features:
* TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now
deprecated, and will be removed in a future release. A warning
will be logged when the tkey-dhkey option is used in
named.conf.
Bug Fixes:
* BIND could get stuck on reconfiguration when a listen-on
statement for HTTP is removed from the configuration. That has
been fixed.
* Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed.
* BIND could allocate too big buffers when sending data via
stream-based DNS transports, leading to increased memory usage.
This has been fixed.
* When the stale-answer-enable option was enabled and the
stale-answer-client-timeout option was enabled and larger than
0, named previously allocated two slots from the
clients-per-query limit for each client and failed to gradually
auto-tune its value, as configured. This has been fixed.
</comment>
<requestid>1094609</requestid>
</revision>
<revision rev="197" vrev="2">
<srcmd5>44a9d8e1f5d9cfd40726c072da3ade27</srcmd5>
<version>9.18.16</version>
<time>1688737554</time>
<user>favogt_factory</user>
<comment>- rebuild bind-utils on libuv updates (bsc#1212090)</comment>
<requestid>1097046</requestid>
</revision>
<revision rev="198" vrev="3">
<srcmd5>27c03e1a07f94740627e6277577e8927</srcmd5>
<version>9.18.16</version>
<time>1689455693</time>
<user>dimstar_suse</user>
<comment>- Enable dnstap support
</comment>
<requestid>1098555</requestid>
</revision>
<revision rev="199" vrev="1">
<srcmd5>9d32e322fed09808b0dc176ba1ddc39c</srcmd5>
<version>9.18.17</version>
<time>1690215154</time>
<user>anag+factory</user>
<comment>- Update to release 9.18.17
Feature Changes:
* If a response from an authoritative server has its RCODE set to
FORMERR and contains an echoed EDNS COOKIE option that was
present in the query, named now retries sending the query to
the same server without an EDNS COOKIE option.
* The relaxed QNAME minimization mode now uses NS records. This
reduces the number of queries named makes when resolving, as it
allows the non-existence of NS RRsets at non-referral nodes to
be cached in addition to the normally cached referrals.
Bug Fixes:
* The ability to read HMAC-MD5 key files, which was accidentally
lost in BIND 9.18.8, has been restored.
* Several minor stability issues with the catalog zone
implementation have been fixed.
</comment>
<requestid>1099502</requestid>
</revision>
<revision rev="200" vrev="1">
<srcmd5>bd4f8461097b4efb7edc4196b642a348</srcmd5>
<version>9.18.18</version>
<time>1692294171</time>
<user>anag+factory</user>
<comment>- Update to release 9.18.18</comment>
<requestid>1104195</requestid>
</revision>
<revision rev="201" vrev="2">
<srcmd5>b7d2242d7a3ae3652fceb1e921c5a7a7</srcmd5>
<version>9.18.18</version>
<time>1694545328</time>
<user>anag+factory</user>
<comment>- Enable crypto-policies support: [bsc#1211301]
* Rebase vendor-files/config/named.conf
</comment>
<requestid>1110323</requestid>
</revision>
<revision rev="202" vrev="1">
<srcmd5>b5fc8d3eaa7f71fd82089e9df5d26e09</srcmd5>
<version>9.18.19</version>
<time>1695412030</time>
<user>anag+factory</user>
<comment>- Update to release 9.18.19
Security Fixes:
* Previously, sending a specially crafted message over the
control channel could cause the packet-parsing code to run out
of available stack memory, causing named to terminate
unexpectedly. This has been fixed. (CVE-2023-3341)
[bsc#1215472]
* A flaw in the networking code handling DNS-over-TLS queries
could cause named to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has
been fixed. (CVE-2023-4236)
[bsc#1215471]
Removed Features:
* The dnssec-must-be-secure option has been deprecated and will
be removed in a future release.
Feature Changes:
* If the server command is specified, nsupdate now honors the
nsupdate -v option for SOA queries by sending both the UPDATE
request and the initial query over TCP.
Bug Fixes:
* The value of the If-Modified-Since header in the statistics
channel was not being correctly validated for its length,
potentially allowing an authorized user to trigger a buffer
overflow. Ensuring the statistics channel is configured
correctly to grant access exclusively to authorized users is
essential (see the statistics-channels block definition and
usage section).
* The Content-Length header in the statistics channel was lacking
proper bounds checking. A negative or excessively large value
could potentially trigger an integer overflow and result in an
assertion failure.
* Several memory leaks caused by not clearing the OpenSSL error
stack were fixed.
* The introduction of krb5-subdomain-self-rhs and
ms-subdomain-self-rhs UPDATE policies accidentally caused named
to return SERVFAIL responses to deletion requests for
non-existent PTR and SRV records. This has been fixed.
* The stale-refresh-time feature was mistakenly disabled when the
server cache was flushed by rndc flush. This has been fixed.
* BIND’s memory consumption has been improved by implementing
dedicated jemalloc memory arenas for sending buffers. This
optimization ensures that memory usage is more efficient and
better manages the return of memory pages to the operating
system.
* Previously, partial writes in the TLS DNS code were not
accounted for correctly, which could have led to DNS message
corruption. This has been fixed.
</comment>
<requestid>1112571</requestid>
</revision>
<revision rev="203" vrev="1">
<srcmd5>354e0e0458cc8a3bb96f157817ea3c33</srcmd5>
<version>9.18.20</version>
<time>1700250545</time>
<user>anag+factory</user>
<comment>- Update to release 9.18.20
Feature Changes:
* The IP addresses for B.ROOT-SERVERS.NET have been updated to
170.247.170.2 and 2801:1b8:10::b.
Bug Fixes:
* If the unsigned version of an inline-signed zone contained
DNSSEC records, it was incorrectly scheduled for resigning.
This has been fixed.
* Looking up stale data from the cache did not take local
authoritative data into account. This has been fixed.
* An assertion failure was triggered when lock-file was used at
the same time as the named -X command-line option. This has
been fixed.
* The lock-file file was being removed when it should not have
been, making the statement ineffective when named was started
three or more times. This has been fixed.
- Disable SLP by default for Factory and ALP (bsc#1214884)
</comment>
<requestid>1126943</requestid>
</revision>
<revision rev="204" vrev="1">
<srcmd5>cf0c405eb745ccedb7754658c43fc50d</srcmd5>
<version>9.18.21</version>
<time>1704487199</time>
<user>dimstar_suse</user>
<comment>- Update to release 9.18.21
Removed Features:
* Support for using AES as the DNS COOKIE algorithm
(cookie-algorithm aes;) has been deprecated and will be removed
in a future release. Please use the current default,
SipHash-2-4, instead.
* The resolver-nonbackoff-tries and resolver-retry-interval
statements have been deprecated. Using them now causes a
warning to be logged.
</comment>
<requestid>1136815</requestid>
</revision>
<revision rev="205" vrev="1">
<srcmd5>896d2467767030bf5bddfbdd3956a89b</srcmd5>
<version>9.18.24</version>
<time>1708027126</time>
<user>anag+factory</user>
<comment>- Update to release 9.18.24
Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823]
* Preparing an NSEC3 closest encloser proof could cause excessiv
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851]
* Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled. This has been
fixed. (CVE-2023-5517)
[bsc#1219852]
* A bad interaction between DNS64 and serve-stale could cause
named to crash with an assertion failure, when both of these
features were enabled. This has been fixed. (CVE-2023-5679)
[bsc#1219853]
* Query patterns that continuously triggered cache database
maintenance could cause an excessive amount of memory to be
allocated, exceeding max-cache-size and potentially leading to
all available memory on the host running named being exhausted
This has been fixed. (CVE-2023-6516)
[bsc#1219854]
* Under certain circumstances, the DNS-over-TLS client code
incorrectly attempted to process more than one DNS message at a
time, which could cause named to crash with an assertion
failure. This has been fixed.
Bug Fixes:
* The counters exported via the statistics channel were changed
back to 64-bit signed values; they were being inadvertently
truncated to unsigned 32-bit values since BIND 9.15.0.
</comment>
<requestid>1146454</requestid>
</revision>
<revision rev="206" vrev="1">
<srcmd5>2755f02976d09f4c9f77f4c30db5a5d5</srcmd5>
<version>9.18.25</version>
<time>1711036818</time>
<user>anag+factory</user>
<comment>Update to release 9.18.25</comment>
<requestid>1159854</requestid>
</revision>
<revision rev="207" vrev="1">
<srcmd5>5bb53bddd31a712cf63371f7904b1f72</srcmd5>
<version>9.18.26</version>
<time>1713964391</time>
<user>anag+factory</user>
<comment>- Update to release 9.18.26
New Features:
* The statistics channel now includes counters that indicate the
number of currently connected TCP IPv4/IPv6 clients.
* Added RESOLVER.ARPA to the built in empty zones.
Bug Fixes:
* Changes to listen-on statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That
issue has been fixed.
* A bug in the keymgr code unintentionally slowed down some
DNSSEC key rollovers. This has been fixed.
* Some ISO 8601 durations were accepted erroneously, leading to
shorter durations than expected. This has been fixed.
</comment>
<requestid>1169576</requestid>
</revision>
</revisionlist>