OBSOLETE Patch-ID# 109326-24
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security libresolv poll() bind 8.2.2 in.named resolver authentication query bind9
Synopsis: Obsoleted by: 109326-25 SunOS 5.8: libresolv.so.2, in.named and BIND9 patch
Date: Mar/09/2009
Install Requirements: See Special Install Instructions
After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 8
SunOS Release: 5.8
Unbundled Product:
Unbundled Release:
Xref: This patch available for x86 as patch 109327
Topic: SunOS 5.8: libresolv.so.2, in.named and BIND9 patch
NOTE: Refer to Special Install Instructions section for
IMPORTANT specific information on this patch.
Relevant Architectures: sparc
Bugs fixed with this patch:
Changes incorporated in this version: 6726921 6728975 6791029
Patches accumulated and obsoleted by this patch: 110514-01
Patches which conflict with this patch:
Patches required with this patch: 108993-31 112438-03 (or greater)
Obsoleted by:
Files included with this patch:
/usr/include/arpa/nameser.h
/usr/include/arpa/nameser_compat.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/abi/abi_libresolv.so.2
/usr/lib/abi/sparcv9/abi_libresolv.so.2
/usr/lib/dns/cylink.so.1
/usr/lib/dns/dig
/usr/lib/dns/dnssafe.so.1
/usr/lib/dns/host
/usr/lib/dns/irs.so.1
/usr/lib/dns/libbind9.so
/usr/lib/dns/libbind9.so.0
/usr/lib/dns/libbind9.so.0.0.10 (deleted)
/usr/lib/dns/libbind9.so.0.0.11
/usr/lib/dns/libdns.so
/usr/lib/dns/libdns.so.25 (deleted)
/usr/lib/dns/libdns.so.25.0.0 (deleted)
/usr/lib/dns/libdns.so.26
/usr/lib/dns/libdns.so.26.0.2
/usr/lib/dns/libisc.so
/usr/lib/dns/libisc.so.11 (deleted)
/usr/lib/dns/libisc.so.11.1.3 (deleted)
/usr/lib/dns/libisc.so.15
/usr/lib/dns/libisc.so.15.0.2
/usr/lib/dns/libisccc.so
/usr/lib/dns/libisccc.so.0
/usr/lib/dns/libisccc.so.0.2.3
/usr/lib/dns/libisccfg.so
/usr/lib/dns/libisccfg.so.1
/usr/lib/dns/libisccfg.so.1.0.10
/usr/lib/dns/libisccfg.so.1.0.8 (deleted)
/usr/lib/dns/liblwres.so
/usr/lib/dns/liblwres.so.9
/usr/lib/dns/liblwres.so.9.2.0
/usr/lib/dns/man/man1m/dig.1m
/usr/lib/dns/man/man1m/host.1m
/usr/lib/dns/man/man1m/named-checkconf.1m
/usr/lib/dns/man/man1m/named-checkzone.1m
/usr/lib/dns/man/man1m/named.1m
/usr/lib/dns/man/man1m/nslookup.1m
/usr/lib/dns/man/man1m/nsupdate.1m
/usr/lib/dns/man/man1m/rndc-confgen.1m
/usr/lib/dns/man/man1m/rndc.1m
/usr/lib/dns/man/man4/named.conf.4
/usr/lib/dns/man/man4/rndc.conf.4
/usr/lib/dns/migration.txt
/usr/lib/dns/named
/usr/lib/dns/named-checkconf
/usr/lib/dns/named-checkzone
/usr/lib/dns/nslookup
/usr/lib/dns/nsupdate
/usr/lib/dns/rndc
/usr/lib/dns/rndc-confgen
/usr/lib/dns/sparcv9/cylink.so.1
/usr/lib/dns/sparcv9/dnssafe.so.1
/usr/lib/dns/sparcv9/irs.so.1
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/lib/nss_dns.so.1
/usr/lib/sparcv9/libresolv.so.2
/usr/lib/sparcv9/llib-lresolv.ln
/usr/lib/sparcv9/nss_dns.so.1
/usr/sbin/dnskeygen
/usr/sbin/in.named
/usr/sbin/named-bootconf
/usr/sbin/named-xfer
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nstest
/usr/sbin/nsupdate
Problem Description:
6726921 BIND 9.3.5-P1 breaks DNS (too many open file descriptors)
6728975 fix for 6702096 causes named ( 9.3.5.P1 ) to use high CPU usage
6791029 update BIND to version 9.3.6-P1
6752428 named source port used is the same as snmpdx
(from 109326-23)
6702096 BIND cache poisoning vulnerability CERT VU#800113
(from 109326-22)
4984937 BIND 8.2.4 in.named hangs with message db_freedata: DB_F_ACTIVE set
(from 109326-21)
4491688 inet_network has some sloppy code and needs to be cleaned up
6653976 potential vulnerability in BIND may lead to execution of arbitrary code or DoS [CVE-2008-0122]
(from 109326-20)
6596938 BIND 8 generates cryptographically weak DNS query IDs
(from 109326-19)
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
(from 109326-18)
6391459 ip6.int will be deprecated soon, switch to ip6.arpa
6179099 dnskeygen creates incompatible key file name for nsupdate
(from 109326-17)
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
(from 109326-16)
4879822 in.named core dumps, Solaris 8, Bind v. 8.2.2-P5
4471907 libresolv doesn't init in an ipv6 only environment
4500613 res_npquery (3RESOLV) not available in libresolv.so.2
4617431 mozilla dumps core when using post-4525129 libresolv2
4941011 nslookup 'view' command fails with 'sed: command garbled'
(from 109326-15)
4863307 nsupdate fails with more than 14 NS records for Bind 8.2.2 and 8.2.4
4933407 resolvers do not follow referrals
(from 109326-14)
4879704 ndc can't switch off tracing with notrace when in.named is under heavy load
(from 109326-13)
4928758 Negative Cache Poison Attack
(from 109326-12)
Respin only due to bad patching of 108993-27 through 108993-30.
(from 109326-11)
4353836 if more than 255 file descriptors are already open then gethostbyname fails
(from 109326-10)
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances
(from 109326-09)
4708913 CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
(from 109326-08)
4525129 DNS over TCP can induce gethostbyX(3NSL) meltdown
4646349 libresolv.so.2 leaks memory in multithreaded programs
(from 109326-07)
4500573 multithreaded applications block in DNS Name Service switch backend
(from 109326-06)
4451645 Clearcase 4.0 will not work with Solaris 8 4/2001
(from 109326-05)
4324375 rsh to machine with two interfaces on same subnet has problems with firewall
(from 109326-04)
4444745 DNS / BIND 8.2.2p5 in.named core during port scan
(from 109326-03)
4409676 CERT Advisory CA-2001-02/Solaris DNS (bind)
(from 109326-02)
This revision accumulates feature point patch 110514-01.
(from 109326-01)
4284409 libresolv does not protect itself from Netscape provided poll routine
(from 110514-01)
4349983 event library expects file modes to apply to AF_UNIX sockets
4365909 in.named crashed and burned in db_freedata
4300887 Solaris in.named compile omits CAN_CHANGE_ID/HAVE_CHROOT
4136555 sccs keyword expansion gives bad VER in in.named Makefile.com
4253123 nslookup displays truncated data if DNS entry has more than 5 long TXT records
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: To get the complete fix for 4324375 (rsh to machine with
two interfaces on same subnet has problems with firewall),
please also install the following patches:
111327-02 (or greater) /usr/lib/libsocket.so.1 patch
108985-03 (or greater) /usr/sbin/in.rshd patch
NOTE 2: To get the complete fix for bugs 4491688 (inet_network has some sloppy code
and needs to be cleaned up) and 6653976 (potential vulnerability in
BIND may lead to execution of arbitrary code or DoS [CVE-2008-0122]),
please also install the following patches:
111327-06 (or greater) libsocket patch
109152-03 (or greater) /usr/4lib/libc.so.x.9 and libdbm patch
NOTE 3: Administrators MUST migrate their recursive BIND servers from BIND 8
to BIND 9 to get relief for CR 6702096 (CERT VU#800113). That is to
say /usr/lib/dns/named must be used in place of /usr/sbin/in.named as
detailed below. The installation of this patch alone without migration
offers no protection from the security vulnerabilities which are
resolved by using BIND 9. For further information regarding the
security implications of running BIND 8 please refer to SunAlert 240048
(previously 239392):
http://sunsolve.sun.com/search/document.do?assetkey=1-66-240048-1
BIND 9 is provided in /usr/lib/dns by patch on the Solaris 8 Operating
Environment to enable customers to migrate from the older and insecure
version of BIND 8 provided in /usr/sbin/in.named.
NOTE: The list of 'patches required with this patch' (above) has been
modified from the list specified at patch creation time. The reason for
the modification is that one or more of the required patches was
either never released or withdrawn after its release. The following
substitutions (which are guaranteed to satisfy the original requirements)
were therefore made:
108993-31 replaces 108993-27
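Added example (not part of the original README or of Oracle's tooling): a shell check of the patch levels this README names, run against constructed `showrev -p` style text, plus a test for whether the BIND 8 daemon from NOTE 3 is still the one running. The function names, the sample lines, and the assumption that BIND 8 shows up in a process listing by its full path /usr/sbin/in.named are this example's own.

```shell
#!/bin/sh
# Added example, not from the original README.
# SAMPLE is constructed showrev -p style text, not output from a real host.
SAMPLE='Patch: 108993-31 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 112438-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 109326-24 Obsoletes: 110514-01 Requires: 108993-31, 112438-03 Incompatibles:  Packages: SUNWcsu
Patch: 111327-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl'

# highest_rev BASE: read a patch listing on stdin, print the highest installed
# revision of patch BASE as an integer, or nothing if BASE is absent.
highest_rev() {
    awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (!found || p[2] + 0 > max)) {
                max = p[2] + 0; found = 1
            }
        }
        END { if (found) print max }'
}

# check_patch TEXT BASE MINREV: print ok, old:<installed rev>, or missing.
check_patch() {
    rev=$(printf '%s\n' "$1" | highest_rev "$2")
    if [ -z "$rev" ]; then echo "missing"
    elif [ "$rev" -ge "$3" ]; then echo "ok"
    else echo "old:$rev"
    fi
}

# audit TEXT: one result line per patch this README names.
# 111327 uses the -06 minimum from NOTE 2, which also covers NOTE 1 (-02).
audit() {
    for req in 109326:24 108993:31 112438:3 111327:6 109152:3; do
        echo "${req%%:*} $(check_patch "$1" "${req%%:*}" "${req##*:}")"
    done
}

# bind8_in_use PS_TEXT: succeeds if the process listing still shows the
# BIND 8 daemon (assumes it was started by its full path).
bind8_in_use() { printf '%s\n' "$1" | grep -q '/usr/sbin/in\.named'; }

audit "$SAMPLE"   # on a live host: audit "$(showrev -p)"
```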
README -- Last modified date: Friday, November 9, 2012