OBSOLETE Patch-ID# 114265-23


Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
For further information on patching best practices and resources, please see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security in.dhcpd multi-interface bind srchlist nslookup gethostbyname getspnam_r
Synopsis: Obsoleted by: 114265-24 SunOS 5.9_x86: in.dhcpd libresolv and BIND9 patch
Date: Jul/21/2011


Install Requirements: See Special Install Instructions
Perform a reconfigure reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 112837

Topic: SunOS 5.9_x86: in.dhcpd libresolv and BIND9 patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR # Bug #
435383615032080
467875815106433
470030515111249
472186215116699
477771515133084
479332715137855
479659615139019
480581215142295
481089315143950
484020815153281
486330715159863
487489515163046
492875815178716
493215015179742
494479615182800
498108015192861
507451015218858
508567515222556
508633115222761
509844815226445
620505615239844
622001215245535
624870015257533
630085315277823
631514315283514
633759515292372
634065015293619
637059715306062
641865915327456
642887015331855
648771915358383
652702015379909
657301015405645
658041715409788
659693815418966
661939815432374
670209615480386
671380515486931
672692115495123
672897515496392
675242815510782
679102915533550
680773015543305
682196615551641
686590315578870
690291215604842
691605815614747
695983615648746
700213415683117
700764315687642
703202715705822
704904015718621
705490115722244
706071215725328


Changes incorporated in this version: 7054901 7060712

Patches accumulated and obsoleted by this patch: 114354-11

Patches which conflict with this patch:

Patches required with this patch: 113719-06 115698-02 (or greater)

Obsoleted by:

Files included with this patch:

/usr/include/arpa/nameser.h
/usr/include/arpa/nameser_compat.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/abi/abi_libresolv.so.2
/usr/lib/dns/cylink.so.1
/usr/lib/dns/dig
/usr/lib/dns/dnssafe.so.1
/usr/lib/dns/dnssec-dsfromkey
/usr/lib/dns/dnssec-keyfromlabel
/usr/lib/dns/dnssec-keygen
/usr/lib/dns/dnssec-signzone
/usr/lib/dns/host
/usr/lib/dns/irs.so.1
/usr/lib/dns/libbind9.so
/usr/lib/dns/libbind9.so.0 (deleted)
/usr/lib/dns/libbind9.so.0.0.10 (deleted)
/usr/lib/dns/libbind9.so.0.0.11 (deleted)
/usr/lib/dns/libbind9.so.50
/usr/lib/dns/libbind9.so.50.0.3 (deleted)
/usr/lib/dns/libbind9.so.50.0.4
/usr/lib/dns/libdns.so
/usr/lib/dns/libdns.so.25 (deleted)
/usr/lib/dns/libdns.so.25.0.0 (deleted)
/usr/lib/dns/libdns.so.26 (deleted)
/usr/lib/dns/libdns.so.26.0.2 (deleted)
/usr/lib/dns/libdns.so.53 (deleted)
/usr/lib/dns/libdns.so.53.0.0 (deleted)
/usr/lib/dns/libdns.so.58
/usr/lib/dns/libdns.so.58.0.0 (deleted)
/usr/lib/dns/libdns.so.58.1.4 (deleted)
/usr/lib/dns/libdns.so.58.1.5
/usr/lib/dns/libisc.so
/usr/lib/dns/libisc.so.11 (deleted)
/usr/lib/dns/libisc.so.11.1.3 (deleted)
/usr/lib/dns/libisc.so.15 (deleted)
/usr/lib/dns/libisc.so.15.0.2 (deleted)
/usr/lib/dns/libisc.so.50
/usr/lib/dns/libisc.so.50.1.1 (deleted)
/usr/lib/dns/libisc.so.50.3.1 (deleted)
/usr/lib/dns/libisc.so.50.4.1
/usr/lib/dns/libisccc.so
/usr/lib/dns/libisccc.so.0 (deleted)
/usr/lib/dns/libisccc.so.0.2.3 (deleted)
/usr/lib/dns/libisccc.so.50
/usr/lib/dns/libisccc.so.50.0.0 (deleted)
/usr/lib/dns/libisccc.so.50.0.1
/usr/lib/dns/libisccfg.so
/usr/lib/dns/libisccfg.so.1 (deleted)
/usr/lib/dns/libisccfg.so.1.0.10 (deleted)
/usr/lib/dns/libisccfg.so.1.0.8 (deleted)
/usr/lib/dns/libisccfg.so.50
/usr/lib/dns/libisccfg.so.50.0.0 (deleted)
/usr/lib/dns/libisccfg.so.50.0.1 (deleted)
/usr/lib/dns/libisccfg.so.50.0.3
/usr/lib/dns/liblwres.so
/usr/lib/dns/liblwres.so.50
/usr/lib/dns/liblwres.so.50.0.2 (deleted)
/usr/lib/dns/liblwres.so.50.0.3
/usr/lib/dns/liblwres.so.9 (deleted)
/usr/lib/dns/liblwres.so.9.2.0 (deleted)
/usr/lib/dns/man/man1m/dig.1m
/usr/lib/dns/man/man1m/dnssec-dsfromkey.1m
/usr/lib/dns/man/man1m/dnssec-keyfromlabel.1m
/usr/lib/dns/man/man1m/dnssec-keygen.1m
/usr/lib/dns/man/man1m/dnssec-signzone.1m
/usr/lib/dns/man/man1m/host.1m
/usr/lib/dns/man/man1m/named-checkconf.1m
/usr/lib/dns/man/man1m/named-checkzone.1m
/usr/lib/dns/man/man1m/named.1m
/usr/lib/dns/man/man1m/nslookup.1m
/usr/lib/dns/man/man1m/nsupdate.1m
/usr/lib/dns/man/man1m/rndc-confgen.1m
/usr/lib/dns/man/man1m/rndc.1m
/usr/lib/dns/man/man4/named.conf.4
/usr/lib/dns/man/man4/rndc.conf.4
/usr/lib/dns/migration.txt
/usr/lib/dns/named
/usr/lib/dns/named-checkconf
/usr/lib/dns/named-checkzone
/usr/lib/dns/nslookup
/usr/lib/dns/nsupdate
/usr/lib/dns/rndc
/usr/lib/dns/rndc-confgen
/usr/lib/inet/dhcp/nsu/rfc2136.so.1
/usr/lib/inet/in.dhcpd
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/sbin/dig
/usr/sbin/dnskeygen
/usr/sbin/in.named
/usr/sbin/named-xfer
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nsupdate

Problem Description:

7054901 problem with DNS
7060712 problem with DNS
 
(from 114265-22)
 
7032027 BIND validation issues with initial .com DNSSEC records
7049040 problem with DNS
 
(from 114265-21)
 
6370597 in.dhcpd core dumps: double free on a DHCP network container record
6959836 DHCP server should set file limit even in debug mode
7002134 BIND 9.6-ESV-R3
7007643 BIND: named and associated tools try to load libraries from internal path
 
(from 114265-20)
 
6821966 ISC Security patch for BIND users of DLV
6902912 DNS Cache Poisoning
6916058 BIND 9.6.1-P3
 
(from 114265-19)
 
6865903 CVE-2009-0696 BIND dynamic update problem
 
(from 114265-18)
 
5085675 libresolv2 can cause apps to core in addrsort()
 
(from 114265-17)
 
6807730 patches 112837-17/114265-16 missed delivery of requested deletes
6752428 named source port used is the same as snmpdx
 
(from 114265-16)
 
6726921 BIND 9.3.5-P1 breaks DNS (too many open file descriptors)
6728975 fix for 6702096 causes named ( 9.3.5.P1 ) to use high CPU usage
6791029 update BIND to version 9.3.6-P1
 
(from 114265-15)
 
6573010 DHCP server fails to lock newly created client record
6619398 [CVE-2007-5365] potential buffer overflow due to crafted requests
6713805 DHCP server should not care about the number of offers
 
(from 114265-14)
 
6702096 BIND cache poisoning vulnerability CERT VU#800113
 
(from 114265-13)
 
6596938 BIND 8 generates cryptographically weak DNS query IDs
 
(from 114265-12)
 
6580417 Solaris 9 libresolv patches and DHCP patches are hard-dependent on each other
 
(from 114265-11)
 
6340650 in.dhcpd: must initialize statp structure before calling res_ninit()
6487719 libdhcpdu: must initialize statp structure before calling res_ninit()
 
(from 114265-10)
 
6418659 DHCP server provides bad address 0.0.0.0
6428870 in.dhcpd incorrectly reports 'Invalid value for option: LOGGING_FACILITY'
 
(from 114265-09)
 
5074510 in.dhcpd dumps core in dhcp_offer
 
(from 114265-08)
 
4840208 secondary assigning addresses owned by primary
4944796 fixes for 4840208, 4872379 removed part of fix for 4678758 due to mismerge
6220012 PXE boot does not work / in.dhcpd unicasts to wrong IP address
 
(from 114265-07)
 
4932150 DHCP DDNS updates fail because defunct records aren't deleted
 
(from 114265-06)
 
5086331 DHCP server doesn't reply to DHCPREQUEST, appears to treat as expired offer
 
(from 114265-05)
 
5098448 dhcpd offers duplicate IP-address in case of delayed releases
 
(from 114265-04)
 
        Patch respun to explicitly require patch 115698-02.
 
(from 114265-03)
 
4981080 in.dhcpd does not DNS dynamic update if the DHCP client is WindowsNT4,98,95
 
(from 114265-02)
 
4678758 DHCP server complains unnecessarily when responding to DHCPINFORM clients
 
(from 114265-01)
 
4721862 in.dhcpd on multi-interface machine sometimes answers on wrong interface
 
(from 114354-11)
 
6248700 (rework) memory leak in libresolv
6337595 core dump - res_nsend() always assumes statp->_u._ext.ext not being NULL
 
(from 114354-10)
 
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
 
(from 114354-09)
 
6248700 memory leak in libresolv
 
(from 114354-08)
 
6315143 named could make unnecessary queries for glue if additional section was full
 
(from 114354-07)
 
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
 
(from 114354-06)
 
4863307 nsupdate fails with more than 14 NS records for BIND 8.2.2 and 8.2.4
 
(from 114354-05)
 
4928758 Negative Cache Poison Attack
 
(from 114354-04)
 
4874895 S9 x86 patches for 4353836 need to be respun with correct dependencies
 
(from 114354-03)
 
4353836 if more than 255 file descriptors are already open then gethostbyname fails
 
(from 114354-02)
 
4793327 BIND needs to be upgraded to BIND 8.3 to support IPv6
4796596 BIND 8.3.3 server handling of TSIG HMAC-MD5 broken
4805812 in.named version needs to reflect putback of BIND 8.3.3
4810893 UNIX98: *netdb.h* VSU test fails due to violation of X/Open namespace
 
(from 114354-01)
 
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1: To get the complete fix for BugId's 4353836 (if more than 255 file
        descriptors are open then gethostbyname fails) and 4874895 (S9 x86
        patches for 4353836 need to be respun with correct dependencies),
        please also install the following patches:
 
        115546-02 (or greater)  nss_files patch
        115551-02 (or greater)  nss_user patch
        115543-02 (or greater)  nss_compat.so.1 patch
 
NOTE 2: Although this patch encodes specifications that it should be
        applied in single-user mode and a configuration reboot (boot -r)
        done immediately after it is applied, careful analysis indicates
        this is overcautious and it should be sufficient to either reboot
        the system after patch installation OR to restart services*.
 
        This patch may be activated without a reboot by restarting the
        DHCP server, BIND server, NSCD server manually when convenient.
 
        Until the services are restarted they will continue to run the
        older version and may be vulnerable to any issues the patch
        addresses.
 
        * Additionally, applications using DNS library libresolv.so.2
          should be restarted.  if in doubt a reboot is the only
          recommended course of action.
 
        Restarting DHCP service:
        ------------------------
 
        Example A. Restarting DHCP service (in.dhcpd) after patch has
        been installed:
 
        # cd /etc/init.d
        # sh ./dhcp stop
        # sh ./dhcp start
 
        Restarting BIND (DNS) service:
        ------------------------------
 
        By default named is started by /etc/init.d/inetsvc only when
        /etc/named.conf exists.
 
        The BIND server /usr/lib/dns/named should be used and not the
        deprecated /usr/sbin/in.named, see NOTE 3 below.
 
        In example B. the inetsvc file is searched using grep to
        verify its been updated to invoke the BIND9 server and to
        extract any command line options. Command pkill is used to
        stop either the older BIND 8 server "in.named" or the BIND 9
        server "named".  The service is then started with options as
        used in the modified inetsvc file.
 
        Example B. Restarting BIND service:
 
        # grep dns/named /etc/init.d/inetsvc
                /usr/lib/dns/named -4 &
        # pkill '^in.named$' || pkill '^named$'
        # /usr/lib/dns/named -4
 
	Restarting Name Service Cache daemon (NSCD)
	-------------------------------------------
 
	NSCD restart only required if 'dns' is listed for host name
        lookup in /etc/nsswitch.conf.  Example C shows shows a test
        for the 'dns' setting and how to restart nscd(1m).  As
        mentioned above other applications may use DNS resolver
        functions directly and so a reboot may be the only way to
        certify all the changes are being used by all processes.
 
        Example C. Checking for DNS use and restarting nscd:
 
	# test -f /etc/resolv.conf && echo 'DNS configured'
        DNS configured
        # egrep -s '^(hosts|ipnodes):.*dns' /etc/nsswitch.conf &&
        >  echo 'Name Service configured to use DNS'
	Name Service configured to use DNS
        # cd /etc/init.d
        # sh ./nscd stop
        # sh ./nscd start
 
NOTE 3: Administrators MUST migrate their recursive BIND servers from
        BIND 8 to BIND 9 to get relief for CR 6702096 (CERT VU#800113)
        and subsequent vulnerabilities.
 
        /usr/lib/dns/named must be used in place of /usr/sbin/in.named
        The installation of this patch alone without migration offers
        no protection from the security vulnerabilities which are
        resolved by using BIND 9.  For further information regarding
        the security implications of running BIND 8 please refer to
        SunAlert 240048 (previously 239392):
        http://download.oracle.com/sunalerts/1019479.1.html
 
        BIND 9 is provided in /usr/lib/dns by patch on the Solaris 9 Operating
        Environment to enable customers to migrate from the older and insecure
        version of BIND 8 provided in /usr/sbin/in.named.
 
        For further details refer to the instructions in
        /usr/lib/dns/migration.txt and the additional notes below.
 
NOTE 4: BIND configuration change for "query-source":
 
        Due to the security vulnerability documented in Sun-Alert 239392
        the named configuration file, /etc/named.conf, MUST NOT include
        "query-source" or "query-source-v6" statements.
 
NOTE 5: BIND chroot environment device requirements:
 
        A chroot(2) environment for named requires several devices; at time
        of writing these include /dev/null, /dev/poll, /dev/random and
        /dev/tty as observed in the following output:
 
        $ strings /usr/lib/dns/named /usr/lib/dns/lib*.so | \
          awk '/^\/dev\//{print $1}' | sort -u
        /dev/null
        /dev/poll
        /dev/random
        /dev/tty
        $
 
        To create missing chroot devices within a chroot directory simply
        replicate the root devices nodes using mknod(1m), for example:
 
        Example 1.  Create poll device within chroot directory
                    /var/named/dev with same properties as root (/)
                    device using mknod(1M):
 
        # ls -lL /dev/poll
        crw-rw-rw-   1 root    sys     138,  0 Jan 19 16:55 /dev/poll
        # cd /var/named/dev
        # ls
        null    random
        # mknod poll c 138 0
        # chmod 666 poll
        # ls -ld /var/named/dev/poll
        crw-rw-rw-   1 root    root    138,  0 Mar  3 15:33 /var/named/dev/poll
        #
 
NOTE 6: BIND configuration changes for recursive servers on non-local networks:
 
        This patch will significantly restrict those servers that were
        previously recursive servers for more than "localhost;
        localnets;" unless configuration changes are made.
 
        Prior to the release of BIND 9.4.1-P1, the default action of
        "allow-recursion" and "allow-query-cache" was to permit the
        query. Subsequently there are two changes in this behaviour:
 
        1) If not explicitly set, the Access Control Lists (ACLs) for
           "allow-query-cache" and "allow-recursion" are set to
           "localnets; localhost;".
 
        2) If either "allow-query-cache" or "allow-recursion" is set,
           the other is set to the same value.
 
        To retain the prior behaviour the configuration as provided in
        example 2 could be deployed in named.conf.  However this is
        only suggested for use while a proper configuration is sort as
        outlined below. It is not advised as clients spoofing queries
        can use your servers to launch distributed denial-of-service
        attacks.
 
        Example 2. Temporary configuration of query responses
                   to retain previous functionality (not-recommended):
 
        options {
           ...
           allow-recursion { any; };
           allow-query { any; };
           allow-query-cache { any; };
           ...
        };
 
        The *recommended* configuration is to create ACLs that match
        hosts and or networks that should be allowed access to cache
        and recursion on the servers:
 
        Example 3. Recommended configuration of query responses using ACLs:
 
        acl "trusted" {
           192.168.0.0/16;
           10.153.154.0/24;
           localhost;
           localnets;
        };
 
        options {
           ...
           allow-query { any; };
           allow-recursion { trusted; };
           allow-query-cache { trusted; };
           ...
        };
 
        The ACL above called "trusted" includes 192.168.0.0/16 and
        10.153.154.0/24 as sample networks that would require
        access. You must replace these sample networks with networks
        that correctly reflect your environment. This will allow
        anyone to query your server for authoritative data, but only
        those hosts within the "trusted" ACL access to your cache and
        recursion.


README -- Last modified date: Friday, November 9, 2012