OBSOLETE Patch-ID# 109326-24


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security libresolv poll() bind 8.2.2 in.named resolver authentication query bind9
Synopsis: Obsoleted by: 109326-25 SunOS 5.8: libresolv.so.2, in.named and BIND9 patch
Date: Mar/09/2009


Install Requirements: See Special Install Instructions
After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 8

SunOS Release: 5.8

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 109327

Topic: SunOS 5.8: libresolv.so.2, in.named and BIND9 patch
        NOTE:   Refer to Special Install Instructions section for
                IMPORTANT specific information on this patch.


Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #   Bug #
4136555    14961791
4253123    14993168
4284409    15004027
4300887    15010234
4324375    15019749
4349983    15030565
4353836    15032080
4365909    15036518
4409676    15051225
4444745    15060530
4451645    15062365
4471907    15068917
4491688    15075623
4500573    15078414
4500613    15078443
4525129    15086653
4617431    15091769
4646349    15098884
4700305    15111249
4708913    15113512
4777715    15133084
4863307    15159863
4879704    15164535
4879822    15164571
4928758    15178716
4933407    15180075
4941011    15181953
4984937    15194025
6179099    15232008
6205056    15239844
6300853    15277823
6391459    15315519
6527020    15379909
6596938    15418966
6653976    15452692
6702096    15480386
6726921    15495123
6728975    15496392
6752428    15510782
6791029    15533550


Changes incorporated in this version: 6726921 6728975 6791029

Patches accumulated and obsoleted by this patch: 110514-01

Patches which conflict with this patch:

Patches required with this patch: 108993-31 112438-03 (or greater)

Obsoleted by:

Files included with this patch:

/usr/include/arpa/nameser.h
/usr/include/arpa/nameser_compat.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/abi/abi_libresolv.so.2
/usr/lib/abi/sparcv9/abi_libresolv.so.2
/usr/lib/dns/cylink.so.1
/usr/lib/dns/dig
/usr/lib/dns/dnssafe.so.1
/usr/lib/dns/host
/usr/lib/dns/irs.so.1
/usr/lib/dns/libbind9.so
/usr/lib/dns/libbind9.so.0
/usr/lib/dns/libbind9.so.0.0.10 (deleted)
/usr/lib/dns/libbind9.so.0.0.11
/usr/lib/dns/libdns.so
/usr/lib/dns/libdns.so.25 (deleted)
/usr/lib/dns/libdns.so.25.0.0 (deleted)
/usr/lib/dns/libdns.so.26
/usr/lib/dns/libdns.so.26.0.2
/usr/lib/dns/libisc.so
/usr/lib/dns/libisc.so.11 (deleted)
/usr/lib/dns/libisc.so.11.1.3 (deleted)
/usr/lib/dns/libisc.so.15
/usr/lib/dns/libisc.so.15.0.2
/usr/lib/dns/libisccc.so
/usr/lib/dns/libisccc.so.0
/usr/lib/dns/libisccc.so.0.2.3
/usr/lib/dns/libisccfg.so
/usr/lib/dns/libisccfg.so.1
/usr/lib/dns/libisccfg.so.1.0.10
/usr/lib/dns/libisccfg.so.1.0.8 (deleted)
/usr/lib/dns/liblwres.so
/usr/lib/dns/liblwres.so.9
/usr/lib/dns/liblwres.so.9.2.0
/usr/lib/dns/man/man1m/dig.1m
/usr/lib/dns/man/man1m/host.1m
/usr/lib/dns/man/man1m/named-checkconf.1m
/usr/lib/dns/man/man1m/named-checkzone.1m
/usr/lib/dns/man/man1m/named.1m
/usr/lib/dns/man/man1m/nslookup.1m
/usr/lib/dns/man/man1m/nsupdate.1m
/usr/lib/dns/man/man1m/rndc-confgen.1m
/usr/lib/dns/man/man1m/rndc.1m
/usr/lib/dns/man/man4/named.conf.4
/usr/lib/dns/man/man4/rndc.conf.4
/usr/lib/dns/migration.txt
/usr/lib/dns/named
/usr/lib/dns/named-checkconf
/usr/lib/dns/named-checkzone
/usr/lib/dns/nslookup
/usr/lib/dns/nsupdate
/usr/lib/dns/rndc
/usr/lib/dns/rndc-confgen
/usr/lib/dns/sparcv9/cylink.so.1
/usr/lib/dns/sparcv9/dnssafe.so.1
/usr/lib/dns/sparcv9/irs.so.1
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/lib/nss_dns.so.1
/usr/lib/sparcv9/libresolv.so.2
/usr/lib/sparcv9/llib-lresolv.ln
/usr/lib/sparcv9/nss_dns.so.1
/usr/sbin/dnskeygen
/usr/sbin/in.named
/usr/sbin/named-bootconf
/usr/sbin/named-xfer
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nstest
/usr/sbin/nsupdate

Problem Description:

6726921 BIND 9.3.5-P1 breaks DNS (too many open file descriptors)
6728975 fix for 6702096 causes named ( 9.3.5.P1 ) to use high CPU usage
6791029 update BIND to version 9.3.6-P1
6752428 named source port used is the same as snmpdx
 
(from 109326-23)
 
6702096 BIND cache poisoning vulnerability CERT VU#800113
 
(from 109326-22)
 
4984937 BIND 8.2.4 in.named hangs with message db_freedata: DB_F_ACTIVE set
 
(from 109326-21)
 
4491688 inet_network has some sloppy code and needs to be cleaned up
6653976 potential vulnerability in BIND may lead to execution of arbitrary code or DoS [CVE-2008-0122]
 
(from 109326-20)
 
6596938 BIND 8 generates cryptographically weak DNS query IDs
 
(from 109326-19)
 
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
 
(from 109326-18)
 
6391459 ip6.int will be deprecated soon, switch to ip6.arpa
6179099 dnskeygen creates incompatible key file name for nsupdate
 
(from 109326-17)
 
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
 
(from 109326-16)
 
4879822 in.named core dumps, Solaris 8, Bind v. 8.2.2-P5
4471907 libresolv doesn't init in an ipv6 only environment
4500613 res_npquery (3RESOLV) not available in libresolv.so.2
4617431 mozilla dumps core when using post-4525129 libresolv2
4941011 nslookup 'view' command fails with 'sed: command garbled'
 
(from 109326-15)
 
4863307 nsupdate fails with more than 14 NS records for Bind 8.2.2 and 8.2.4
4933407 resolvers do not follow referrals
 
(from 109326-14)
 
4879704 ndc can't switch off tracing with notrace when in.named is under heavy load
 
(from 109326-13)
 
4928758 Negative Cache Poison Attack
 
(from 109326-12)
 
        Respin only due to bad patching of 108993-27 through 108993-30.
 
(from 109326-11)
 
4353836 if more than 255 file descriptors are already open then gethostbyname fails
 
(from 109326-10)
 
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances
 
(from 109326-09)
 
4708913 CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
 
(from 109326-08)
 
4525129 DNS over TCP can induce gethostbyX(3NSL) meltdown
4646349 libresolv.so.2 leaks memory in multithreaded programs
 
(from 109326-07)
 
4500573 multithreaded applications block in DNS Name Service switch backend
 
(from 109326-06)
 
4451645 Clearcase 4.0 will not work with Solaris 8 4/2001
 
(from 109326-05)
 
4324375 rsh to machine with two interfaces on same subnet has problems with firewall
 
(from 109326-04)
 
4444745 DNS / BIND 8.2.2p5 in.named core during port scan
 
(from 109326-03)
 
4409676 CERT Advisory CA-2001-02/Solaris DNS (bind)
 
(from 109326-02)
 
        This revision accumulates feature point patch 110514-01.
 
(from 109326-01)
 
4284409 libresolv does not protect itself from Netscape provided poll routine
 
(from 110514-01)
 
4349983 event library expects file modes to apply to AF_UNIX sockets
4365909 in.named crashed and burned in db_freedata
4300887 Solaris in.named compile omits CAN_CHANGE_ID/HAVE_CHROOT
4136555 sccs keyword expansion gives bad VER in in.named Makefile.com
4253123 nslookup displays truncated data if DNS entry has more than 5 long TXT records


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE  1: To get the complete fix for 4324375 (rsh to machine with
         two interfaces on same subnet has problems with firewall),
         please also install the following patches:
 
         111327-02 (or greater)  /usr/lib/libsocket.so.1 patch
         108985-03 (or greater)  /usr/sbin/in.rshd patch
 
NOTE  2: To get the complete fix for bug 4491688 (inet_network has some sloppy code
         and needs to be cleaned up) and 6653976 (potential vulnerability in
         BIND may lead to execution of arbitrary code or DoS [CVE-2008-0122]),
         please also install the following patches:
 
         111327-06 (or greater)  libsocket patch
         109152-03 (or greater)  /usr/4lib/libc.so.x.9 and libdbm patch
 
NOTE  3: Administrators MUST migrate their recursive BIND servers from BIND 8
         to BIND 9 to get relief for CR 6702096 (CERT VU#800113).  That is to
         say /usr/lib/dns/named must be used in place of /usr/sbin/in.named as
         detailed below.  The installation of this patch alone without migration
         offers no protection from the security vulnerabilities which are
         resolved by using BIND 9.  For further information regarding the
         security implications of running BIND 8 please refer to SunAlert 240048
         (previously 239392):
 
         http://sunsolve.sun.com/search/document.do?assetkey=1-66-240048-1
 
         BIND 9 is provided in /usr/lib/dns by patch on the Solaris 8 Operating
         Environment to enable customers to migrate from the older and insecure
         version of BIND 8 provided in /usr/sbin/in.named.


NOTE: The list of 'patches required with this patch' (above) has been
modified from the list specified at patch creation time. The reason for
the modification is that one or more of the required patches was
either never released or withdrawn after its release. The following
substitutions (which are guaranteed to satisfy the original requirements)
were therefore made:

108993-31 replaces 108993-27
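
Added example (not part of the original README): a POSIX sh check of the patch levels named above (109326-24, its required patches, and the companion patches from NOTE 1 and NOTE 2) and of whether BIND 8 in.named is still the running name server, per NOTE 3. The showrev -p and ps listings are constructed samples, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not part of the README). The listings are constructed samples;
# on a real host feed in `showrev -p` and `ps -e -o args` output instead.

# patch_rev BASE: read "Patch: NNNNNN-RR ..." lines on stdin and print the
# highest installed revision of BASE (nothing if the patch is absent).
patch_rev() {
    awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (!found || p[2] + 0 > max)) { max = p[2] + 0; found = 1 }
        }
        END { if (found) print max }'
}

# missing_patches TEXT: print every requirement from this README that TEXT
# does not satisfy at the stated revision or greater.
missing_patches() {
    for req in 109326-24 108993-31 112438-03 111327-06 109152-03 108985-03; do
        min=${req#*-}
        rev=$(printf '%s\n' "$1" | patch_rev "${req%-*}")
        if [ -z "$rev" ] || [ "$rev" -lt "${min#0}" ]; then echo "$req"; fi
    done
}

# bind8_running TEXT: succeed if the process listing still shows BIND 8
# (/usr/sbin/in.named), which NOTE 3 says must be replaced by /usr/lib/dns/named.
bind8_running() {
    printf '%s\n' "$1" | grep '^/usr/sbin/in\.named' >/dev/null
}

# Constructed sample listings (not captured from a real system).
SAMPLE_SHOWREV='Patch: 108993-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108993-31 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-23 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 112438-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 111327-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109152-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'
SAMPLE_PS='/usr/sbin/syslogd
/usr/sbin/in.named
/usr/sbin/inetd -s'

echo "unmet requirements:"; missing_patches "$SAMPLE_SHOWREV"
if bind8_running "$SAMPLE_PS"; then echo "BIND 8 in.named is still running"; fi
```

A host that passes the patch check but still reports in.named running has not received the CR 6702096 fix, since NOTE 3 ties that fix to running /usr/lib/dns/named.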




README -- Last modified date: Friday, November 9, 2012