20170414 Updated to bind-9.11.0-P5


Release Notes for BIND Version 9.11.0-P5

New DNSSEC Root Key

  ICANN is in the process of introducing a new Key Signing Key (KSK) 
  for the global root zone. BIND has multiple methods for managing 
  DNSSEC trust anchors, with somewhat different behaviors. If the 
  root key is configured using the managed-keys statement, or if the 
  pre-configured root key is enabled by using dnssec-validation auto, 
  then BIND can keep keys up to date automatically. Servers configured 
  in this way will roll seamlessly to the new key when it is published 
  in the root zone.  However, keys configured using the trusted-keys 
  statement are not automatically maintained. If your server is 
  performing DNSSEC validation and is configured using trusted-keys, 
  you are advised to change your configuration before the root zone 
  begins signing with the new KSK. This is currently scheduled for 
  October 11, 2017.

  This release includes an updated version of the bind.keys file
  containing the new root key. This file can also be downloaded from
  https://www.isc.org/bind-keys .

Security Fixes

  * rndc "" could trigger an assertion failure in named. This flaw is
    disclosed in CVE-2017-3138. [RT #44924]
  * Some chaining (i.e., type CNAME or DNAME) responses to upstream
    queries could trigger assertion failures. This flaw is disclosed 
    in CVE-2017-3137. [RT #44734]
  * dns64 with break-dnssec yes; can result in an assertion failure.
    This flaw is disclosed in CVE-2017-3136. [RT #44653]
  * If a server is configured with a response policy zone (RPZ) that
    rewrites an answer with local data, and is also configured for
    DNS64 address mapping, a NULL pointer can be read triggering a
    server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
  * A coding error in the nxdomain-redirect feature could lead to an
    assertion failure if the redirection namespace was served from a
    local authoritative data source such as a local zone or a DLZ
    instead of via recursive lookup. This flaw is disclosed in
    CVE-2016-9778. [RT #43837]
  * named could mishandle authority sections with missing RRSIGs,
    triggering an assertion failure. This flaw is disclosed in
    CVE-2016-9444. [RT #43632]
  * named mishandled some responses where covering RRSIG records were
    returned without the requested data, resulting in an assertion
    failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
  * named incorrectly tried to cache TKEY records which could trigger
    an assertion failure when there was a class mismatch. This flaw is
    disclosed in CVE-2016-9131. [RT #43522]
  * It was possible to trigger assertions when processing responses
    containing answers of type DNAME. This flaw is disclosed in
    CVE-2016-8864. [RT #43465]

New Features

  * None.

Feature Changes

  * None.

Porting Changes

  * None.

Bug Fixes

  * A synthesized CNAME record appearing in a response before the
    associated DNAME could be cached, when it should not have been.
    This was a regression introduced while addressing CVE-2016-8864.
    [RT #44318]
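
As an added example (not part of the ISC release notes or of this site's post), the following Python checks a named.conf for the condition described under "New DNSSEC Root Key": a root anchor pinned with trusted-keys while validation is on. The sample configuration, the function names and the treatment of an unset dnssec-validation as validating are assumptions; include files are not followed.

```python
import re

# Constructed sample named.conf (key data is a placeholder, not a real key).
SAMPLE_CONF = '''
options {
    directory "/var/named";
    dnssec-validation yes;  // validates, but does not load the built-in anchor
};
/* static root anchor copied in by hand */
trusted-keys {
    . 257 3 8 "PLACEHOLDER//KEYDATA==";
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments while leaving quoted strings untouched."""
    token = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return re.sub(token, keep_strings, text, flags=re.S)

def anchored_names(conf, statement):
    """Names listed in every `statement { ... };` block, including inside views."""
    names = []
    pattern = r'\b' + re.escape(statement) + r'\s*\{(.*?)\}\s*;'
    for block in re.finditer(pattern, conf, re.S):
        for entry in block.group(1).split(';'):
            fields = entry.split()
            if fields:
                names.append(fields[0].strip('"'))
    return names

def audit_root_anchor(conf_text):
    """Report whether the root trust anchor will follow the KSK roll by itself."""
    conf = strip_comments(conf_text)
    m = re.search(r'\bdnssec-validation\s+(\w+)\s*;', conf)
    validation = m.group(1).lower() if m else 'unset'
    static_root = '.' in anchored_names(conf, 'trusted-keys')
    managed_root = '.' in anchored_names(conf, 'managed-keys')
    return {
        'validation': validation,
        'static_root': static_root,
        # managed-keys or the built-in anchor (auto) is maintained by named
        'auto_maintained': managed_root or validation == 'auto',
        # Assumption: an unset dnssec-validation is treated as validating
        'action_needed': static_root and validation != 'no',
    }

if __name__ == '__main__':
    print(audit_root_anchor(SAMPLE_CONF))
```

A result with action_needed set means the root key should be moved out of trusted-keys before the roll date given in the release notes.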