OBSOLETE Patch-ID# 114265-23
Download this patch from My Oracle Support
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security in.dhcpd multi-interface bind srchlist nslookup gethostbyname getspnam_r
Synopsis: Obsoleted by: 114265-24 SunOS 5.9_x86: in.dhcpd libresolv and BIND9 patch
Date: Jul/21/2011
Install Requirements: See Special Install Instructions
Perform a reconfigure reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 9_x86
SunOS Release: 5.9_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 112837
Topic: SunOS 5.9_x86: in.dhcpd libresolv and BIND9 patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 7054901 7060712
Patches accumulated and obsoleted by this patch: 114354-11
Patches which conflict with this patch:
Patches required with this patch: 113719-06 115698-02 (or greater)
Obsoleted by:
Files included with this patch:
/usr/include/arpa/nameser.h
/usr/include/arpa/nameser_compat.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/abi/abi_libresolv.so.2
/usr/lib/dns/cylink.so.1
/usr/lib/dns/dig
/usr/lib/dns/dnssafe.so.1
/usr/lib/dns/dnssec-dsfromkey
/usr/lib/dns/dnssec-keyfromlabel
/usr/lib/dns/dnssec-keygen
/usr/lib/dns/dnssec-signzone
/usr/lib/dns/host
/usr/lib/dns/irs.so.1
/usr/lib/dns/libbind9.so
/usr/lib/dns/libbind9.so.0 (deleted)
/usr/lib/dns/libbind9.so.0.0.10 (deleted)
/usr/lib/dns/libbind9.so.0.0.11 (deleted)
/usr/lib/dns/libbind9.so.50
/usr/lib/dns/libbind9.so.50.0.3 (deleted)
/usr/lib/dns/libbind9.so.50.0.4
/usr/lib/dns/libdns.so
/usr/lib/dns/libdns.so.25 (deleted)
/usr/lib/dns/libdns.so.25.0.0 (deleted)
/usr/lib/dns/libdns.so.26 (deleted)
/usr/lib/dns/libdns.so.26.0.2 (deleted)
/usr/lib/dns/libdns.so.53 (deleted)
/usr/lib/dns/libdns.so.53.0.0 (deleted)
/usr/lib/dns/libdns.so.58
/usr/lib/dns/libdns.so.58.0.0 (deleted)
/usr/lib/dns/libdns.so.58.1.4 (deleted)
/usr/lib/dns/libdns.so.58.1.5
/usr/lib/dns/libisc.so
/usr/lib/dns/libisc.so.11 (deleted)
/usr/lib/dns/libisc.so.11.1.3 (deleted)
/usr/lib/dns/libisc.so.15 (deleted)
/usr/lib/dns/libisc.so.15.0.2 (deleted)
/usr/lib/dns/libisc.so.50
/usr/lib/dns/libisc.so.50.1.1 (deleted)
/usr/lib/dns/libisc.so.50.3.1 (deleted)
/usr/lib/dns/libisc.so.50.4.1
/usr/lib/dns/libisccc.so
/usr/lib/dns/libisccc.so.0 (deleted)
/usr/lib/dns/libisccc.so.0.2.3 (deleted)
/usr/lib/dns/libisccc.so.50
/usr/lib/dns/libisccc.so.50.0.0 (deleted)
/usr/lib/dns/libisccc.so.50.0.1
/usr/lib/dns/libisccfg.so
/usr/lib/dns/libisccfg.so.1 (deleted)
/usr/lib/dns/libisccfg.so.1.0.10 (deleted)
/usr/lib/dns/libisccfg.so.1.0.8 (deleted)
/usr/lib/dns/libisccfg.so.50
/usr/lib/dns/libisccfg.so.50.0.0 (deleted)
/usr/lib/dns/libisccfg.so.50.0.1 (deleted)
/usr/lib/dns/libisccfg.so.50.0.3
/usr/lib/dns/liblwres.so
/usr/lib/dns/liblwres.so.50
/usr/lib/dns/liblwres.so.50.0.2 (deleted)
/usr/lib/dns/liblwres.so.50.0.3
/usr/lib/dns/liblwres.so.9 (deleted)
/usr/lib/dns/liblwres.so.9.2.0 (deleted)
/usr/lib/dns/man/man1m/dig.1m
/usr/lib/dns/man/man1m/dnssec-dsfromkey.1m
/usr/lib/dns/man/man1m/dnssec-keyfromlabel.1m
/usr/lib/dns/man/man1m/dnssec-keygen.1m
/usr/lib/dns/man/man1m/dnssec-signzone.1m
/usr/lib/dns/man/man1m/host.1m
/usr/lib/dns/man/man1m/named-checkconf.1m
/usr/lib/dns/man/man1m/named-checkzone.1m
/usr/lib/dns/man/man1m/named.1m
/usr/lib/dns/man/man1m/nslookup.1m
/usr/lib/dns/man/man1m/nsupdate.1m
/usr/lib/dns/man/man1m/rndc-confgen.1m
/usr/lib/dns/man/man1m/rndc.1m
/usr/lib/dns/man/man4/named.conf.4
/usr/lib/dns/man/man4/rndc.conf.4
/usr/lib/dns/migration.txt
/usr/lib/dns/named
/usr/lib/dns/named-checkconf
/usr/lib/dns/named-checkzone
/usr/lib/dns/nslookup
/usr/lib/dns/nsupdate
/usr/lib/dns/rndc
/usr/lib/dns/rndc-confgen
/usr/lib/inet/dhcp/nsu/rfc2136.so.1
/usr/lib/inet/in.dhcpd
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/sbin/dig
/usr/sbin/dnskeygen
/usr/sbin/in.named
/usr/sbin/named-xfer
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nsupdate
Problem Description:
7054901 problem with DNS
7060712 problem with DNS
(from 114265-22)
7032027 BIND validation issues with initial .com DNSSEC records
7049040 problem with DNS
(from 114265-21)
6370597 in.dhcpd core dumps: double free on a DHCP network container record
6959836 DHCP server should set file limit even in debug mode
7002134 BIND 9.6-ESV-R3
7007643 BIND: named and associated tools try to load libraries from internal path
(from 114265-20)
6821966 ISC Security patch for BIND users of DLV
6902912 DNS Cache Poisoning
6916058 BIND 9.6.1-P3
(from 114265-19)
6865903 CVE-2009-0696 BIND dynamic update problem
(from 114265-18)
5085675 libresolv2 can cause apps to core in addrsort()
(from 114265-17)
6807730 patches 112837-17/114265-16 missed delivery of requested deletes
6752428 named source port used is the same as snmpdx
(from 114265-16)
6726921 BIND 9.3.5-P1 breaks DNS (too many open file descriptors)
6728975 fix for 6702096 causes named ( 9.3.5.P1 ) to use high CPU usage
6791029 update BIND to version 9.3.6-P1
(from 114265-15)
6573010 DHCP server fails to lock newly created client record
6619398 [CVE-2007-5365] potential buffer overflow due to crafted requests
6713805 DHCP server should not care about the number of offers
(from 114265-14)
6702096 BIND cache poisoning vulnerability CERT VU#800113
(from 114265-13)
6596938 BIND 8 generates cryptographically weak DNS query IDs
(from 114265-12)
6580417 Solaris 9 libresolv patches and DHCP patches are hard-dependent on each other
(from 114265-11)
6340650 in.dhcpd: must initialize statp structure before calling res_ninit()
6487719 libdhcpdu: must initialize statp structure before calling res_ninit()
(from 114265-10)
6418659 DHCP server provides bad address 0.0.0.0
6428870 in.dhcpd incorrectly reports 'Invalid value for option: LOGGING_FACILITY'
(from 114265-09)
5074510 in.dhcpd dumps core in dhcp_offer
(from 114265-08)
4840208 secondary assigning addresses owned by primary
4944796 fixes for 4840208, 4872379 removed part of fix for 4678758 due to mismerge
6220012 PXE boot does not work / in.dhcpd unicasts to wrong IP address
(from 114265-07)
4932150 DHCP DDNS updates fail because defunct records aren't deleted
(from 114265-06)
5086331 DHCP server doesn't reply to DHCPREQUEST, appears to treat as expired offer
(from 114265-05)
5098448 dhcpd offers duplicate IP-address in case of delayed releases
(from 114265-04)
Patch respun to explicitly require patch 115698-02.
(from 114265-03)
4981080 in.dhcpd does not DNS dynamic update if the DHCP client is WindowsNT4,98,95
(from 114265-02)
4678758 DHCP server complains unnecessarily when responding to DHCPINFORM clients
(from 114265-01)
4721862 in.dhcpd on multi-interface machine sometimes answers on wrong interface
(from 114354-11)
6248700 (rework) memory leak in libresolv
6337595 core dump - res_nsend() always assumes statp->_u._ext.ext not being NULL
(from 114354-10)
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
(from 114354-09)
6248700 memory leak in libresolv
(from 114354-08)
6315143 named could make unnecessary queries for glue if additional section was full
(from 114354-07)
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
(from 114354-06)
4863307 nsupdate fails with more than 14 NS records for BIND 8.2.2 and 8.2.4
(from 114354-05)
4928758 Negative Cache Poison Attack
(from 114354-04)
4874895 S9 x86 patches for 4353836 need to be respun with correct dependencies
(from 114354-03)
4353836 if more than 255 file descriptors are already open then gethostbyname fails
(from 114354-02)
4793327 BIND needs to be upgraded to BIND 8.3 to support IPv6
4796596 BIND 8.3.3 server handling of TSIG HMAC-MD5 broken
4805812 in.named version needs to reflect putback of BIND 8.3.3
4810893 UNIX98: *netdb.h* VSU test fails due to violation of X/Open namespace
(from 114354-01)
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: To get the complete fix for BugIds 4353836 (if more than 255 file
descriptors are open then gethostbyname fails) and 4874895 (S9 x86
patches for 4353836 need to be respun with correct dependencies),
please also install the following patches:
115546-02 (or greater) nss_files patch
115551-02 (or greater) nss_user patch
115543-02 (or greater) nss_compat.so.1 patch
NOTE 2: Although this patch encodes specifications that it should be
applied in single-user mode and a configuration reboot (boot -r)
done immediately after it is applied, careful analysis indicates
this is overcautious and it should be sufficient to either reboot
the system after patch installation OR to restart services*.
This patch may be activated without a reboot by restarting the
DHCP server, BIND server, NSCD server manually when convenient.
Until the services are restarted they will continue to run the
older version and may be vulnerable to any issues the patch
addresses.
* Additionally, applications using the DNS library libresolv.so.2
should be restarted. If in doubt, a reboot is the only
recommended course of action.
Restarting DHCP service:
------------------------
Example A. Restarting DHCP service (in.dhcpd) after patch has
been installed:
# cd /etc/init.d
# sh ./dhcp stop
# sh ./dhcp start
Restarting BIND (DNS) service:
------------------------------
By default named is started by /etc/init.d/inetsvc only when
/etc/named.conf exists.
The BIND server /usr/lib/dns/named should be used and not the
deprecated /usr/sbin/in.named, see NOTE 3 below.
In Example B the inetsvc file is searched using grep to
verify it has been updated to invoke the BIND 9 server and to
extract any command line options. The pkill command is used to
stop either the older BIND 8 server "in.named" or the BIND 9
server "named". The service is then started with the options
used in the modified inetsvc file.
Example B. Restarting BIND service:
# grep dns/named /etc/init.d/inetsvc
/usr/lib/dns/named -4 &
# pkill '^in.named$' || pkill '^named$'
# /usr/lib/dns/named -4
Restarting Name Service Cache daemon (NSCD)
-------------------------------------------
An NSCD restart is only required if 'dns' is listed for host name
lookup in /etc/nsswitch.conf. Example C shows a test
for the 'dns' setting and how to restart nscd(1m). As
mentioned above, other applications may use DNS resolver
functions directly, so a reboot may be the only way to
be certain that all processes are using the updated code.
Example C. Checking for DNS use and restarting nscd:
# test -f /etc/resolv.conf && echo 'DNS configured'
DNS configured
# egrep -s '^(hosts|ipnodes):.*dns' /etc/nsswitch.conf &&
> echo 'Name Service configured to use DNS'
Name Service configured to use DNS
# cd /etc/init.d
# sh ./nscd stop
# sh ./nscd start
NOTE 3: Administrators MUST migrate their recursive BIND servers from
BIND 8 to BIND 9 to get relief for CR 6702096 (CERT VU#800113)
and subsequent vulnerabilities.
/usr/lib/dns/named must be used in place of /usr/sbin/in.named
The installation of this patch alone without migration offers
no protection from the security vulnerabilities which are
resolved by using BIND 9. For further information regarding
the security implications of running BIND 8 please refer to
SunAlert 240048 (previously 239392):
http://download.oracle.com/sunalerts/1019479.1.html
BIND 9 is provided in /usr/lib/dns by patch on the Solaris 9 Operating
Environment to enable customers to migrate from the older and insecure
version of BIND 8 provided in /usr/sbin/in.named.
For further details refer to the instructions in
/usr/lib/dns/migration.txt and the additional notes below.
NOTE 4: BIND configuration change for "query-source":
Due to the security vulnerability documented in Sun-Alert 239392
the named configuration file, /etc/named.conf, MUST NOT include
"query-source" or "query-source-v6" statements.
NOTE 5: BIND chroot environment device requirements:
A chroot(2) environment for named requires several devices; at time
of writing these include /dev/null, /dev/poll, /dev/random and
/dev/tty as observed in the following output:
$ strings /usr/lib/dns/named /usr/lib/dns/lib*.so | \
awk '/^\/dev\//{print $1}' | sort -u
/dev/null
/dev/poll
/dev/random
/dev/tty
$
To create missing chroot devices within a chroot directory, simply
replicate the root device nodes using mknod(1m), for example:
Example 1. Create poll device within chroot directory
/var/named/dev with same properties as root (/)
device using mknod(1M):
# ls -lL /dev/poll
crw-rw-rw- 1 root sys 138, 0 Jan 19 16:55 /dev/poll
# cd /var/named/dev
# ls
null random
# mknod poll c 138 0
# chmod 666 poll
# ls -ld /var/named/dev/poll
crw-rw-rw- 1 root root 138, 0 Mar 3 15:33 /var/named/dev/poll
#
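The following script is an added example and not part of this README: it turns the `ls -lL` line of any root device node reported by the strings(1) scan in NOTE 5 into the mknod(1M) and chmod commands of Example 1, so the major/minor numbers and mode are read rather than retyped. It only prints the commands for review and assumes the System V `ls -lL` field layout shown above.

```shell
#!/bin/sh
# Added example, not part of the Sun patch README: turn the `ls -lL`
# line of a root device node (NOTE 5, Example 1) into the mknod(1M) and
# chmod commands that replicate it inside a chroot directory, for any
# device the strings(1) scan reports. Nothing is created here; the
# commands are printed for review. Assumes the System V ls -lL layout:
# mode links owner group major, minor month day time path

# perm_octal 'crw-rw-rw-' -> 666 ; setuid/setgid/sticky bits are not encoded
perm_octal() {
    printf '%s\n' "$1" | awk '{
        m = substr($0, 2, 9); o = ""
        for (i = 1; i <= 9; i += 3) {
            v = 0
            if (substr(m, i, 1) == "r") v += 4
            if (substr(m, i + 1, 1) == "w") v += 2
            if (substr(m, i + 2, 1) != "-") v += 1
            o = o v
        }
        print o
    }'
}

# mknod_cmd_from_ls '<ls -lL line>' <chroot device directory>
mknod_cmd_from_ls() {
    ls_line=$1; chroot_dev=$2
    mode=$(printf '%s\n' "$ls_line" | awk '{print $1}')
    major=$(printf '%s\n' "$ls_line" | awk '{sub(",", "", $5); print $5}')
    minor=$(printf '%s\n' "$ls_line" | awk '{print $6}')
    name=$(printf '%s\n' "$ls_line" | awk '{n = split($NF, p, "/"); print p[n]}')
    case $mode in
        c*) ntype=c ;;                 # character device (all four in NOTE 5)
        b*) ntype=b ;;                 # block device
        *)  echo "not a device node: $ls_line" >&2; return 1 ;;
    esac
    echo "mknod $chroot_dev/$name $ntype $major $minor"
    echo "chmod $(perm_octal "$mode") $chroot_dev/$name"
}

# Constructed sample: the /dev/poll line from Example 1 above
SAMPLE_POLL='crw-rw-rw- 1 root sys 138, 0 Jan 19 16:55 /dev/poll'
mknod_cmd_from_ls "$SAMPLE_POLL" /var/named/dev
```

Run the printed commands as root inside the chroot device directory after checking them; the script never calls mknod itself.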
NOTE 6: BIND configuration changes for recursive servers on non-local networks:
This patch will significantly restrict those servers that were
previously recursive servers for more than "localhost;
localnets;" unless configuration changes are made.
Prior to the release of BIND 9.4.1-P1, the default action of
"allow-recursion" and "allow-query-cache" was to permit the
query. Subsequently there are two changes in this behaviour:
1) If not explicitly set, the Access Control Lists (ACLs) for
"allow-query-cache" and "allow-recursion" are set to
"localnets; localhost;".
2) If either "allow-query-cache" or "allow-recursion" is set,
the other is set to the same value.
To retain the prior behaviour, the configuration provided in
Example 2 could be deployed in named.conf. However, this is
only suggested for use while a proper configuration is sought, as
outlined below. It is not advised, as clients spoofing queries
can use your servers to launch distributed denial-of-service
attacks.
Example 2. Temporary configuration of query responses
to retain previous functionality (not-recommended):
options {
...
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
...
};
The *recommended* configuration is to create ACLs that match the
hosts and/or networks that should be allowed access to cache
and recursion on the servers:
Example 3. Recommended configuration of query responses using ACLs:
acl "trusted" {
192.168.0.0/16;
10.153.154.0/24;
localhost;
localnets;
};
options {
...
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
...
};
The ACL above called "trusted" includes 192.168.0.0/16 and
10.153.154.0/24 as sample networks that would require
access. You must replace these sample networks with networks
that correctly reflect your environment. This will allow
anyone to query your server for authoritative data, but only
those hosts within the "trusted" ACL access to your cache and
recursion.
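The following audit script is an added example and not part of this README: it checks a named.conf for the two settings NOTE 4 and NOTE 6 warn about, the forbidden "query-source" statements and the open "{ any; }" recursion/cache ACLs of Example 2, and reports when neither ACL is set so the BIND 9.4.1-P1 default applies. It is a lexical check only: it strips // and # comments and does not parse views or block nesting, so it complements rather than replaces /usr/lib/dns/named-checkconf.

```shell
#!/bin/sh
# Added example, not part of the Sun patch README: audit a named.conf for
# the two settings NOTE 4 and NOTE 6 warn about. Lexical check only:
# // and # comments are stripped, views and block nesting are not parsed.
# Exit status: 0 = nothing found, 1 = at least one FAIL printed.

audit_named_conf() {
    conf=$1; findings=0
    # drop comments so a commented-out statement does not trip the checks
    clean=$(sed -e 's://.*$::' -e 's:#.*$::' "$conf")

    # NOTE 4: query-source / query-source-v6 pin the source port and undo
    # the port randomisation that mitigates CERT VU#800113 (Sun-Alert 239392)
    if printf '%s\n' "$clean" | grep -Eq '(^|[[:space:]])query-source(-v6)?[[:space:]]'; then
        echo "FAIL: query-source statement present (remove it; see NOTE 4)"
        findings=1
    fi

    # NOTE 6: recursion or cache open to "any" (Example 2) lets spoofed
    # queries use the server for DDoS; a restrictive ACL (Example 3) is expected
    for stmt in allow-recursion allow-query-cache; do
        if printf '%s\n' "$clean" | grep -Eq "$stmt[[:space:]]*\{[[:space:]]*any[[:space:]]*;"; then
            echo "FAIL: $stmt { any; } is open to the world (use an ACL; see NOTE 6, Example 3)"
            findings=1
        elif ! printf '%s\n' "$clean" | grep -Eq "$stmt[[:space:]]*\{"; then
            echo "INFO: $stmt not set; since BIND 9.4.1-P1 it defaults to localnets; localhost;"
        fi
    done
    return $findings
}

# Constructed sample reproducing the not-recommended Example 2 plus a
# forbidden query-source line; written to a temp file so the function can
# be run unchanged against a real file: audit_named_conf /etc/named.conf
SAMPLE_CONF=${TMPDIR:-/tmp}/named.conf.sample.$$
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/var/named";
    // query-source address * port 53;   commented out: must not trip
    query-source address * port 53;
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};
EOF
audit_named_conf "$SAMPLE_CONF" || echo "audit exit status: $?"
rm -f "$SAMPLE_CONF"
```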
README -- Last modified date: Friday, November 9, 2012