OBSOLETE Patch-ID# 112837-24
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security dhcp dhcptab in.dhcpd multi-interface libresolv.so.2 leaks memory multi-threaded fd
Synopsis: Obsoleted by: 112837-25 SunOS 5.9: in.dhcpd libresolv and BIND9 patch
Date: Jul/21/2011
Install Requirements: See Special Install Instructions
Perform a reconfigure reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 9
SunOS Release: 5.9
Unbundled Product:
Unbundled Release:
Xref: This patch available for x86 as patch 114265
Topic: SunOS 5.9: in.dhcpd libresolv and BIND9 patch
Relevant Architectures: sparc
Bugs fixed with this patch:
Changes incorporated in this version: 7054901 7060712
Patches accumulated and obsoleted by this patch: 112970-12
Patches which conflict with this patch:
Patches required with this patch: 113319-14 115697-02 (or greater)
Obsoleted by:
Files included with this patch:
/usr/include/arpa/nameser.h
/usr/include/arpa/nameser_compat.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/abi/abi_libresolv.so.2
/usr/lib/abi/sparcv9/abi_libresolv.so.2
/usr/lib/dns/cylink.so.1
/usr/lib/dns/dig
/usr/lib/dns/dnssafe.so.1
/usr/lib/dns/dnssec-dsfromkey
/usr/lib/dns/dnssec-keyfromlabel
/usr/lib/dns/dnssec-keygen
/usr/lib/dns/dnssec-signzone
/usr/lib/dns/host
/usr/lib/dns/irs.so.1
/usr/lib/dns/libbind9.so
/usr/lib/dns/libbind9.so.0 (deleted)
/usr/lib/dns/libbind9.so.0.0.10 (deleted)
/usr/lib/dns/libbind9.so.0.0.11 (deleted)
/usr/lib/dns/libbind9.so.50
/usr/lib/dns/libbind9.so.50.0.3 (deleted)
/usr/lib/dns/libbind9.so.50.0.4
/usr/lib/dns/libdns.so
/usr/lib/dns/libdns.so.25 (deleted)
/usr/lib/dns/libdns.so.25.0.0 (deleted)
/usr/lib/dns/libdns.so.26 (deleted)
/usr/lib/dns/libdns.so.26.0.2 (deleted)
/usr/lib/dns/libdns.so.53 (deleted)
/usr/lib/dns/libdns.so.53.0.0 (deleted)
/usr/lib/dns/libdns.so.58
/usr/lib/dns/libdns.so.58.0.0 (deleted)
/usr/lib/dns/libdns.so.58.1.4 (deleted)
/usr/lib/dns/libdns.so.58.1.5
/usr/lib/dns/libisc.so
/usr/lib/dns/libisc.so.11 (deleted)
/usr/lib/dns/libisc.so.11.1.3 (deleted)
/usr/lib/dns/libisc.so.15 (deleted)
/usr/lib/dns/libisc.so.15.0.2 (deleted)
/usr/lib/dns/libisc.so.50
/usr/lib/dns/libisc.so.50.1.1 (deleted)
/usr/lib/dns/libisc.so.50.3.1 (deleted)
/usr/lib/dns/libisc.so.50.4.1
/usr/lib/dns/libisccc.so
/usr/lib/dns/libisccc.so.0 (deleted)
/usr/lib/dns/libisccc.so.0.2.3 (deleted)
/usr/lib/dns/libisccc.so.50
/usr/lib/dns/libisccc.so.50.0.0 (deleted)
/usr/lib/dns/libisccc.so.50.0.1
/usr/lib/dns/libisccfg.so
/usr/lib/dns/libisccfg.so.1 (deleted)
/usr/lib/dns/libisccfg.so.1.0.10 (deleted)
/usr/lib/dns/libisccfg.so.1.0.8 (deleted)
/usr/lib/dns/libisccfg.so.50
/usr/lib/dns/libisccfg.so.50.0.0 (deleted)
/usr/lib/dns/libisccfg.so.50.0.1 (deleted)
/usr/lib/dns/libisccfg.so.50.0.3
/usr/lib/dns/liblwres.so
/usr/lib/dns/liblwres.so.50
/usr/lib/dns/liblwres.so.50.0.2 (deleted)
/usr/lib/dns/liblwres.so.50.0.3
/usr/lib/dns/liblwres.so.9 (deleted)
/usr/lib/dns/liblwres.so.9.2.0 (deleted)
/usr/lib/dns/man/man1m/dig.1m
/usr/lib/dns/man/man1m/dnssec-dsfromkey.1m
/usr/lib/dns/man/man1m/dnssec-keyfromlabel.1m
/usr/lib/dns/man/man1m/dnssec-keygen.1m
/usr/lib/dns/man/man1m/dnssec-signzone.1m
/usr/lib/dns/man/man1m/host.1m
/usr/lib/dns/man/man1m/named-checkconf.1m
/usr/lib/dns/man/man1m/named-checkzone.1m
/usr/lib/dns/man/man1m/named.1m
/usr/lib/dns/man/man1m/nslookup.1m
/usr/lib/dns/man/man1m/nsupdate.1m
/usr/lib/dns/man/man1m/rndc-confgen.1m
/usr/lib/dns/man/man1m/rndc.1m
/usr/lib/dns/man/man4/named.conf.4
/usr/lib/dns/man/man4/rndc.conf.4
/usr/lib/dns/migration.txt
/usr/lib/dns/named
/usr/lib/dns/named-checkconf
/usr/lib/dns/named-checkzone
/usr/lib/dns/nslookup
/usr/lib/dns/nsupdate
/usr/lib/dns/rndc
/usr/lib/dns/rndc-confgen
/usr/lib/dns/sparcv9/cylink.so.1
/usr/lib/dns/sparcv9/dnssafe.so.1
/usr/lib/dns/sparcv9/irs.so.1
/usr/lib/inet/dhcp/nsu/rfc2136.so.1
/usr/lib/inet/in.dhcpd
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/lib/sparcv9/libresolv.so.2
/usr/lib/sparcv9/llib-lresolv.ln
/usr/sbin/dig
/usr/sbin/dnskeygen
/usr/sbin/in.named
/usr/sbin/named-xfer
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nsupdate
Problem Description:
7054901 problem with DNS
7060712 problem with DNS
(from 112837-23)
7032027 BIND validation issues with initial .com DNSSEC records
7049040 problem with DNS
(from 112837-22)
6370597 in.dhcpd core dumps: double free on a DHCP network container record
6959836 DHCP server should set file limit even in debug mode
7002134 BIND 9.6-ESV-R3
7007643 BIND: named and associated tools try to load libraries from internal path
(from 112837-21)
6821966 ISC Security patch for BIND users of DLV
6902912 DNS Cache Poisoning
6916058 BIND 9.6.1-P3
(from 112837-20)
6865903 CVE-2009-0696 BIND dynamic update problem
(from 112837-19)
5085675 libresolv2 can cause apps to core in addrsort()
(from 112837-18)
6807730 patches 112837-17/114265-16 missed delivery of requested deletes
6752428 named source port used is the same as snmpdx
(from 112837-17)
6726921 BIND 9.3.5-P1 breaks DNS (too many open file descriptors)
6728975 fix for 6702096 causes named ( 9.3.5.P1 ) to use high CPU usage
6791029 update BIND to version 9.3.6-P1
(from 112837-16)
6573010 DHCP server fails to lock newly created client record
6619398 [CVE-2007-5365] potential buffer overflow due to crafted requests
6713805 DHCP server should not care about the number of offers
(from 112837-15)
6702096 BIND cache poisoning vulnerability CERT VU#800113
(from 112837-14)
6596938 BIND 8 generates cryptographically weak DNS query IDs
(from 112837-13)
6580417 Solaris 9 libresolv patches and DHCP patches are hard-dependent on each other
(from 112837-12)
6340650 in.dhcpd: must initialize statp structure before calling res_ninit()
6487719 libdhcpdu: must initialize statp structure before calling res_ninit()
(from 112837-11)
6418659 DHCP server provides bad address 0.0.0.0
6428870 in.dhcpd incorrectly reports 'Invalid value for option: LOGGING_FACILITY'
(from 112837-10)
5074510 in.dhcpd dumps core in dhcp_offer
(from 112837-09)
4840208 secondary assigning addresses owned by primary
4944796 fixes for 4840208, 4872379 removed part of fix for 4678758 due to mismerge
6220012 PXE boot does not work / in.dhcpd unicasts to wrong IP address
(from 112837-08)
4932150 DHCP DDNS updates fail because defunct records aren't deleted
(from 112837-07)
5086331 DHCP server doesn't reply to DHCPREQUEST, appears to treat as expired offer
(from 112837-06)
5098448 dhcpd offers duplicate IP-address in case of delayed releases
(from 112837-05)
Patch respun to explicitly require patch 115697-02.
(from 112837-04)
4981080 in.dhcpd does not DNS dynamic update if the DHCP client is WindowsNT4,98,95
(from 112837-03)
4678758 DHCP server complains unnecessarily when responding to DHCPINFORM clients
(from 112837-02)
4721862 in.dhcpd on multi-interface machine sometimes answers on wrong interface
(from 112837-01)
4621740 DHCP server handles duplicate options in a dhcptab macro incorrectly
(from 112970-12)
6248700 (rework) memory leak in libresolv
6337595 core dump - res_nsend() always assumes statp->_u._ext.ext not being NULL
(from 112970-11)
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
(from 112970-10)
6248700 memory leak in libresolv
(from 112970-09)
6315143 named could make unnecessary queries for glue if additional section was full
(from 112970-08)
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
(from 112970-07)
4863307 nsupdate fails with more than 14 NS records for BIND 8.2.2 and 8.2.4
(from 112970-06)
4928758 Negative Cache Poison Attack
(from 112970-05)
4353836 if more than 255 file descriptors are already open then gethostbyname fails
(from 112970-04)
4793327 BIND needs to be upgraded to BIND 8.3 to support IPv6
4796596 BIND 8.3.3 server handling of TSIG HMAC-MD5 broken
4805812 in.named version needs to reflect putback of BIND 8.3.3
4810893 UNIX98: *netdb.h* VSU test fails due to violation of X/Open namespace
(from 112970-03)
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances
(from 112970-02)
4708913 CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
(from 112970-01)
4646349 libresolv.so.2 leaks memory in multi-threaded programs
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: To get the complete fix for BugId 4353836 (if more than 255 file
descriptors are open then gethostbyname fails), please also install
the following patches:
115545-01 (or greater) nss_files patch
115544-01 (or greater) nss_compat patch
115542-01 (or greater) nss_user patch
NOTE 2: Although this patch encodes specifications that it should be
applied in single-user mode and a configuration reboot (boot -r)
done immediately after it is applied, careful analysis indicates
this is overcautious and it should be sufficient to either reboot
the system after patch installation OR to restart services*.
This patch may be activated without a reboot by restarting the
DHCP server, BIND server, NSCD server manually when convenient.
Until the services are restarted they will continue to run the
older version and may be vulnerable to any issues the patch
addresses.
* Additionally, applications using the DNS library libresolv.so.2
should be restarted. If in doubt, a reboot is the only
recommended course of action.
Restarting DHCP service:
------------------------
Example A. Restarting DHCP service (in.dhcpd) after patch has
been installed:
# cd /etc/init.d
# sh ./dhcp stop
# sh ./dhcp start
Restarting BIND (DNS) service:
------------------------------
By default named is started by /etc/init.d/inetsvc only when
/etc/named.conf exists.
The BIND server /usr/lib/dns/named should be used and not the
deprecated /usr/sbin/in.named, see NOTE 3 below.
In Example B the inetsvc file is searched using grep to
verify that it has been updated to invoke the BIND 9 server and
to extract any command line options. The pkill command is used
to stop either the older BIND 8 server "in.named" or the BIND 9
server "named". The service is then started with the options
used in the modified inetsvc file.
Example B. Restarting BIND service:
# grep dns/named /etc/init.d/inetsvc
/usr/lib/dns/named -4 &
# pkill '^in.named$' || pkill '^named$'
# /usr/lib/dns/named -4
Restarting Name Service Cache daemon (NSCD)
-------------------------------------------
An NSCD restart is only required if 'dns' is listed for host name
lookup in /etc/nsswitch.conf. Example C shows a test for the
'dns' setting and how to restart nscd(1m). As mentioned above,
other applications may use DNS resolver functions directly, so
a reboot may be the only way to certify that all processes are
using the changes.
Example C. Checking for DNS use and restarting nscd:
# test -f /etc/resolv.conf && echo 'DNS configured'
DNS configured
# egrep -s '^(hosts|ipnodes):.*dns' /etc/nsswitch.conf &&
> echo 'Name Service configured to use DNS'
Name Service configured to use DNS
# cd /etc/init.d
# sh ./nscd stop
# sh ./nscd start
NOTE 3: Administrators MUST migrate their recursive BIND servers from
BIND 8 to BIND 9 to get relief for CR 6702096 (CERT VU#800113)
and subsequent vulnerabilities.
/usr/lib/dns/named must be used in place of /usr/sbin/in.named.
The installation of this patch alone without migration offers
no protection from the security vulnerabilities which are
resolved by using BIND 9. For further information regarding
the security implications of running BIND 8 please refer to
SunAlert 240048 (previously 239392):
http://download.oracle.com/sunalerts/1019479.1.html
BIND 9 is provided in /usr/lib/dns by patch on the Solaris 9 Operating
Environment to enable customers to migrate from the older and insecure
version of BIND 8 provided in /usr/sbin/in.named.
For further details refer to the instructions in
/usr/lib/dns/migration.txt and the additional notes below.
NOTE 4: BIND configuration change for "query-source":
Due to the security vulnerability documented in Sun-Alert 239392
the named configuration file, /etc/named.conf, MUST NOT include
"query-source" or "query-source-v6" statements.
NOTE 5: BIND chroot environment device requirements:
A chroot(2) environment for named requires several devices; at time
of writing these include /dev/null, /dev/poll, /dev/random and
/dev/tty as observed in the following output:
$ strings /usr/lib/dns/named /usr/lib/dns/lib*.so | \
awk '/^\/dev\//{print $1}' | sort -u
/dev/null
/dev/poll
/dev/random
/dev/tty
$
To create missing chroot devices within a chroot directory, simply
replicate the root device nodes using mknod(1m), for example:
Example 1. Create poll device within chroot directory
/var/named/dev with same properties as root (/)
device using mknod(1M):
# ls -lL /dev/poll
crw-rw-rw- 1 root sys 138, 0 Jan 19 16:55 /dev/poll
# cd /var/named/dev
# ls
null random
# mknod poll c 138 0
# chmod 666 poll
# ls -ld /var/named/dev/poll
crw-rw-rw- 1 root root 138, 0 Mar 3 15:33 /var/named/dev/poll
#
NOTE 6: BIND configuration changes for recursive servers on non-local networks:
This patch will significantly restrict those servers that were
previously recursive servers for more than "localhost;
localnets;" unless configuration changes are made.
Prior to the release of BIND 9.4.1-P1, the default action of
"allow-recursion" and "allow-query-cache" was to permit the
query. Subsequently there are two changes in this behaviour:
1) If not explicitly set, the Access Control Lists (ACLs) for
"allow-query-cache" and "allow-recursion" are set to
"localnets; localhost;".
2) If either "allow-query-cache" or "allow-recursion" is set,
the other is set to the same value.
To retain the prior behaviour, the configuration provided in
Example 2 could be deployed in named.conf. However, this is
only suggested for use while a proper configuration is sought as
outlined below. It is not advised, as clients spoofing queries
can use your servers to launch distributed denial-of-service
attacks.
Example 2. Temporary configuration of query responses
to retain previous functionality (not recommended):
options {
...
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
...
};
The *recommended* configuration is to create ACLs that match the
hosts and/or networks that should be allowed access to cache
and recursion on the servers:
Example 3. Recommended configuration of query responses using ACLs:
acl "trusted" {
192.168.0.0/16;
10.153.154.0/24;
localhost;
localnets;
};
options {
...
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
...
};
The ACL above called "trusted" includes 192.168.0.0/16 and
10.153.154.0/24 as sample networks that would require
access. You must replace these sample networks with networks
that correctly reflect your environment. This will allow
anyone to query your server for authoritative data, but grant
only those hosts within the "trusted" ACL access to your cache
and recursion.
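As an added example (not part of this patch README), a Bourne shell audit that applies NOTE 4 and NOTE 6 to a named.conf: it flags any "query-source" statement and any "allow-recursion" or "allow-query-cache" set to "any", and reports when either ACL is left at its default. The two configuration files are constructed here to show a weak configuration beside one following Example 3; the function name audit_named_conf and the /tmp paths are assumptions.

```shell
# Constructed sample named.conf files (not from the patch). The first has the
# settings NOTE 4 and NOTE 6 warn against; the second follows Example 3.
SAMPLE_WEAK=/tmp/named.conf.weak.$$
SAMPLE_OK=/tmp/named.conf.ok.$$
cat > "$SAMPLE_WEAK" <<'EOF'
options {
    directory "/var/named";
    query-source address * port 53;   // fixed source port: NOTE 4 violation
    allow-query { any; };
    allow-recursion { any; };         // open recursion: NOTE 6 violation
};
EOF
cat > "$SAMPLE_OK" <<'EOF'
acl "trusted" { 192.168.0.0/16; localhost; localnets; };
options {
    directory "/var/named";
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
EOF
# audit_named_conf FILE: prints one finding per line; returns 0 when no FAIL
# finding was produced, 1 otherwise. Assumed helper, not part of the patch.
audit_named_conf() {
    rc=0
    # Drop // and # comments so commented-out statements are not flagged.
    body=`sed -e 's,//.*$,,' -e 's,#.*$,,' "$1"`
    # NOTE 4: query-source and query-source-v6 pin the source port and must
    # not appear in named.conf.
    if echo "$body" | grep 'query-source' >/dev/null; then
        echo "FAIL: query-source statement present (remove it, see NOTE 4)"
        rc=1
    fi
    # NOTE 6: recursion and cache access should be restricted by an ACL.
    for stmt in allow-recursion allow-query-cache; do
        val=`echo "$body" | sed -n "s/.*$stmt *{ *\([^}]*\)}.*/\1/p" | tr -d ' ;'`
        if [ -z "$val" ]; then
            echo "INFO: $stmt not set; defaults to 'localnets; localhost;'"
        elif [ "$val" = any ]; then
            echo "FAIL: $stmt { any; } opens the cache/recursion to everyone (see NOTE 6)"
            rc=1
        fi
    done
    return $rc
}
for f in "$SAMPLE_WEAK" "$SAMPLE_OK"; do
    echo "== $f"
    audit_named_conf "$f" && echo "OK: no findings"
done
```

The audit reads one statement per line and ignores /* */ block comments, which is enough for the layouts shown in Examples 2 and 3.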
NOTE: The list of 'patches required with this patch' (above) has been
modified from the list specified at patch creation time. The reason for
the modification is that one or more of the required patches was
either never released or withdrawn after its release. The following
substitutions (which are guaranteed to satisfy the original requirements)
were therefore made:
113319-14 replaces 113319-12
README -- Last modified date: Friday, November 9, 2012