OBSOLETE Patch-ID# 112837-24

7054901 problem with DNS
7060712 problem with DNS
 
(from 112837-23)
 
7032027 BIND validation issues with initial .com DNSSEC records
7049040 problem with DNS
 
(from 112837-22)
 
6370597 in.dhcpd core dumps: double free on a DHCP network container record
6959836 DHCP server should set file limit even in debug mode
7002134 BIND 9.6-ESV-R3
7007643 BIND: named and associated tools try to load libraries from internal path
 
(from 112837-21)
 
6821966 ISC Security patch for BIND users of DLV
6902912 DNS Cache Poisoning
6916058 BIND 9.6.1-P3
 
(from 112837-20)
 
6865903 CVE-2009-0696 BIND dynamic update problem
 
(from 112837-19)
 
5085675 libresolv2 can cause apps to core in addrsort()
 
(from 112837-18)
 
6807730 patches 112837-17/114265-16 missed delivery of requested deletes
6752428 named source port used is the same as snmpdx
 
(from 112837-17)
 
6726921 BIND 9.3.5-P1 breaks DNS (too many open file descriptors)
6728975 fix for 6702096 causes named ( 9.3.5.P1 ) to use high CPU usage
6791029 update BIND to version 9.3.6-P1
 
(from 112837-16)
 
6573010 DHCP server fails to lock newly created client record
6619398 [CVE-2007-5365] potential buffer overflow due to crafted requests
6713805 DHCP server should not care about the number of offers
 
(from 112837-15)
 
6702096 BIND cache poisoning vulnerability CERT VU#800113
 
(from 112837-14)
 
6596938 BIND 8 generates cryptographically weak DNS query IDs
 
(from 112837-13)
 
6580417 Solaris 9 libresolv patches and DHCP patches are hard-dependent on each other
 
(from 112837-12)
 
6340650 in.dhcpd: must initialize statp structure before calling res_ninit()
6487719 libdhcpdu: must initialize statp structure before calling res_ninit()
 
(from 112837-11)
 
6418659 DHCP server provides bad address 0.0.0.0
6428870 in.dhcpd incorrectly reports 'Invalid value for option: LOGGING_FACILITY'
 
(from 112837-10)
 
5074510 in.dhcpd dumps core in dhcp_offer
 
(from 112837-09)
 
4840208 secondary assigning addresses owned by primary
4944796 fixes for 4840208, 4872379 removed part of fix for 4678758 due to mismerge
6220012 PXE boot does not work / in.dhcpd unicasts to wrong IP address
 
(from 112837-08)
 
4932150 DHCP DDNS updates fail because defunct records aren't deleted
 
(from 112837-07)
 
5086331 DHCP server doesn't reply to DHCPREQUEST, appears to treat as expired offer
 
(from 112837-06)
 
5098448 dhcpd offers duplicate IP-address in case of delayed releases
 
(from 112837-05)
 
        Patch respun to explicitly require patch 115697-02.
 
(from 112837-04)
 
4981080 in.dhcpd does not DNS dynamic update if the DHCP client is WindowsNT4,98,95
 
(from 112837-03)
 
4678758 DHCP server complains unnecessarily when responding to DHCPINFORM clients
 
(from 112837-02)
 
4721862 in.dhcpd on multi-interface machine sometimes answers on wrong interface
 
(from 112837-01)
 
4621740 DHCP server handles duplicate options in a dhcptab macro incorrectly
 
(from 112970-12)
 
6248700 (rework) memory leak in libresolv
6337595 core dump - res_nsend() always assumes statp->_u._ext.ext not being NULL
 
(from 112970-11)
 
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
 
(from 112970-10)
 
6248700 memory leak in libresolv
 
(from 112970-09)
 
6315143 named could make unnecessary queries for glue if additional section was full
 
(from 112970-08)
 
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
 
(from 112970-07)
 
4863307 nsupdate fails with more than 14 NS records for BIND 8.2.2 and 8.2.4
 
(from 112970-06)
 
4928758 Negative Cache Poison Attack
 
(from 112970-05)
 
4353836 if more than 255 file descriptors are already open then gethostbyname fails
 
(from 112970-04)
 
4793327 BIND needs to be upgraded to BIND 8.3 to support IPv6
4796596 BIND 8.3.3 server handling of TSIG HMAC-MD5 broken
4805812 in.named version needs to reflect putback of BIND 8.3.3
4810893 UNIX98: *netdb.h* VSU test fails due to violation of X/Open namespace
 
(from 112970-03)
 
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances
 
(from 112970-02)
 
4708913 CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
 
(from 112970-01)
 
4646349 libresolv.so.2 leaks memory in multi-threaded programs

--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.

-----------------------------
 
NOTE 1: To get the complete fix for BugId 4353836 (if more than 255 file
        descriptors are open then gethostbyname fails), please also install
        the following patches:
 
        115545-01 (or greater)  nss_files patch
        115544-01 (or greater)  nss_compat patch
        115542-01 (or greater)  nss_user patch
 
NOTE 2: Although this patch encodes specifications that it should be
        applied in single-user mode and a configuration reboot (boot -r)
        done immediately after it is applied, careful analysis indicates
        this is overcautious and it should be sufficient to either reboot
        the system after patch installation OR to restart services*.
 
        This patch may be activated without a reboot by restarting the
        DHCP server, BIND server, NSCD server manually when convenient.
 
        Until the services are restarted they will continue to run the
        older version and may be vulnerable to any issues the patch
        addresses.
 
        * Additionally, applications using DNS library libresolv.so.2
          should be restarted.  if in doubt a reboot is the only
          recommended course of action.
 
        Restarting DHCP service:
        ------------------------
 
        Example A. Restarting DHCP service (in.dhcpd) after patch has
        been installed:
 
        # cd /etc/init.d
        # sh ./dhcp stop
        # sh ./dhcp start
 
        Restarting BIND (DNS) service:
        ------------------------------
 
        By default named is started by /etc/init.d/inetsvc only when
        /etc/named.conf exists.
 
        The BIND server /usr/lib/dns/named should be used and not the
        deprecated /usr/sbin/in.named, see NOTE 3 below.
 
        In example B. the inetsvc file is searched using grep to
        verify its been updated to invoke the BIND9 server and to
        extract any command line options. Command pkill is used to
        stop either the older BIND 8 server "in.named" or the BIND 9
        server "named".  The service is then started with options as
        used in the modified inetsvc file.
 
        Example B. Restarting BIND service:
 
        # grep dns/named /etc/init.d/inetsvc
                /usr/lib/dns/named -4 &
        # pkill '^in.named$' || pkill '^named$'
        # /usr/lib/dns/named -4
 
	Restarting Name Service Cache daemon (NSCD)
	-------------------------------------------
 
	NSCD restart only required if 'dns' is listed for host name
        lookup in /etc/nsswitch.conf.  Example C shows shows a test
        for the 'dns' setting and how to restart nscd(1m).  As
        mentioned above other applications may use DNS resolver
        functions directly and so a reboot may be the only way to
        certify all the changes are being used by all processes.
 
        Example C. Checking for DNS use and restarting nscd:
 
	# test -f /etc/resolv.conf && echo 'DNS configured'
        DNS configured
        # egrep -s '^(hosts|ipnodes):.*dns' /etc/nsswitch.conf &&
        >  echo 'Name Service configured to use DNS'
	Name Service configured to use DNS
        # cd /etc/init.d
        # sh ./nscd stop
        # sh ./nscd start
 
NOTE 3: Administrators MUST migrate their recursive BIND servers from
        BIND 8 to BIND 9 to get relief for CR 6702096 (CERT VU#800113)
        and subsequent vulnerabilities.
 
        /usr/lib/dns/named must be used in place of /usr/sbin/in.named
        The installation of this patch alone without migration offers
        no protection from the security vulnerabilities which are
        resolved by using BIND 9.  For further information regarding
        the security implications of running BIND 8 please refer to
        SunAlert 240048 (previously 239392):
        http://download.oracle.com/sunalerts/1019479.1.html
 
        BIND 9 is provided in /usr/lib/dns by patch on the Solaris 9 Operating
        Environment to enable customers to migrate from the older and insecure
        version of BIND 8 provided in /usr/sbin/in.named.
 
        For further details refer to the instructions in
        /usr/lib/dns/migration.txt and the additional notes below.
 
NOTE 4: BIND configuration change for "query-source":
 
        Due to the security vulnerability documented in Sun-Alert 239392
        the named configuration file, /etc/named.conf, MUST NOT include
        "query-source" or "query-source-v6" statements.
 
NOTE 5: BIND chroot environment device requirements:
 
        A chroot(2) environment for named requires several devices; at time
        of writing these include /dev/null, /dev/poll, /dev/random and
        /dev/tty as observed in the following output:
 
        $ strings /usr/lib/dns/named /usr/lib/dns/lib*.so | \
          awk '/^\/dev\//{print $1}' | sort -u
        /dev/null
        /dev/poll
        /dev/random
        /dev/tty
        $
 
        To create missing chroot devices within a chroot directory simply
        replicate the root devices nodes using mknod(1m), for example:
 
        Example 1.  Create poll device within chroot directory
                    /var/named/dev with same properties as root (/)
                    device using mknod(1M):
 
        # ls -lL /dev/poll
        crw-rw-rw-   1 root    sys     138,  0 Jan 19 16:55 /dev/poll
        # cd /var/named/dev
        # ls
        null    random
        # mknod poll c 138 0
        # chmod 666 poll
        # ls -ld /var/named/dev/poll
        crw-rw-rw-   1 root    root    138,  0 Mar  3 15:33 /var/named/dev/poll
        #
 
NOTE 6: BIND configuration changes for recursive servers on non-local networks:
 
        This patch will significantly restrict those servers that were
        previously recursive servers for more than "localhost;
        localnets;" unless configuration changes are made.
 
        Prior to the release of BIND 9.4.1-P1, the default action of
        "allow-recursion" and "allow-query-cache" was to permit the
        query. Subsequently there are two changes in this behaviour:
 
        1) If not explicitly set, the Access Control Lists (ACLs) for
           "allow-query-cache" and "allow-recursion" are set to
           "localnets; localhost;".
 
        2) If either "allow-query-cache" or "allow-recursion" is set,
           the other is set to the same value.
 
        To retain the prior behaviour the configuration as provided in
        example 2 could be deployed in named.conf.  However this is
        only suggested for use while a proper configuration is sort as
        outlined below. It is not advised as clients spoofing queries
        can use your servers to launch distributed denial-of-service
        attacks.
 
        Example 2. Temporary configuration of query responses
                   to retain previous functionality (not-recommended):
 
        options {
           ...
           allow-recursion { any; };
           allow-query { any; };
           allow-query-cache { any; };
           ...
        };
 
        The *recommended* configuration is to create ACLs that match
        hosts and or networks that should be allowed access to cache
        and recursion on the servers:
 
        Example 3. Recommended configuration of query responses using ACLs:
 
        acl "trusted" {
           192.168.0.0/16;
           10.153.154.0/24;
           localhost;
           localnets;
        };
 
        options {
           ...
           allow-query { any; };
           allow-recursion { trusted; };
           allow-query-cache { trusted; };
           ...
        };
 
        The ACL above called "trusted" includes 192.168.0.0/16 and
        10.153.154.0/24 as sample networks that would require
        access. You must replace these sample networks with networks
        that correctly reflect your environment. This will allow
        anyone to query your server for authoritative data, but only
        those hosts within the "trusted" ACL access to your cache and
        recursion.

NOTE: The list of 'patches required with this patch' (above) has been
modified from the list specified at patch creation time. The reason for
the modification is that one or more of the required patches was
either never released or withdrawn after its release. The following
substitutions (which are guaranteed to satisfy the original requirements)
were therefore made:

113319-14 replaces 113319-12