Obsoleted by: 109327-24 SunOS 5.8_x86: libresolv.so.2, in.named and BIND9 patch


Disclaimer: 

Please note: Although OBSOLETED patches are available on SunSolve, Sun recommends using the most recent patches and the most recent revision of those patches. OBSOLETED patches do not include the latest bug fixes and/or product enhancements, and may require the installation of additional patches as a corrective measure.

Status: OBSOLETE
Patch Id: 109327-23
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
Summary: Obsoleted by: 109327-24 SunOS 5.8_x86: libresolv.so.2, in.named and BIND9 patch
Date:  Aug/08/2008
Installation Requirements:
See Special Install Instructions.
After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 8_x86
Sun OS Release: 5.8_x86
Unbundled Product: 
Unbundled Release: 
Xref: This patch available for SPARC as patch 109326
Topic: 
SunOS 5.8_x86: libresolv.so.2, in.named and BIND9 patch
NOTE: Refer to Special Install Instructions section for IMPORTANT specific information on this patch.
Relevant Architecture: i386
BugId's fixed with this patch:

4136555 4253123 4284409 4300887 4324375 4349983 4353836 4365909 4409676 4444745 4451645 4471907 4491688 4500573 4500613 4525129 4617431 4646349 4700305 4708913 4777715 4863307 4879704 4879822 4928758 4933407 4941011 4984937 6179099 6205056 6300853 6391459 6527020 6596938 6702096

Changes incorporated in this version:

6702096

Patches accumulated and obsoleted by this patch:

110515-01

Patches which conflict with this patch: 

Required Patches:

108994-27 112439-02 (or greater)

Obsoleted by:
 
Files Included in this Patch: 
/usr/include/arpa/nameser.h
/usr/include/arpa/nameser_compat.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/abi/abi_libresolv.so.2
/usr/lib/dns/cylink.so.1
/usr/lib/dns/dig
/usr/lib/dns/dnssafe.so.1
/usr/lib/dns/host
/usr/lib/dns/irs.so.1
/usr/lib/dns/libbind9.so
/usr/lib/dns/libbind9.so.0
/usr/lib/dns/libbind9.so.0.0.10
/usr/lib/dns/libdns.so
/usr/lib/dns/libdns.so.25
/usr/lib/dns/libdns.so.25.0.0
/usr/lib/dns/libisc.so
/usr/lib/dns/libisc.so.11
/usr/lib/dns/libisc.so.11.1.3
/usr/lib/dns/libisccc.so
/usr/lib/dns/libisccc.so.0
/usr/lib/dns/libisccc.so.0.2.3
/usr/lib/dns/libisccfg.so
/usr/lib/dns/libisccfg.so.1
/usr/lib/dns/libisccfg.so.1.0.8
/usr/lib/dns/liblwres.so
/usr/lib/dns/liblwres.so.9
/usr/lib/dns/liblwres.so.9.2.0
/usr/lib/dns/man/man1m/named-checkconf.1m
/usr/lib/dns/man/man1m/named-checkzone.1m
/usr/lib/dns/man/man1m/named.1m
/usr/lib/dns/man/man1m/nsupdate.1m
/usr/lib/dns/man/man1m/rndc-confgen.1m
/usr/lib/dns/man/man1m/rndc.1m
/usr/lib/dns/migration.txt
/usr/lib/dns/named
/usr/lib/dns/named-checkconf
/usr/lib/dns/named-checkzone
/usr/lib/dns/nslookup
/usr/lib/dns/nsupdate
/usr/lib/dns/rndc
/usr/lib/dns/rndc-confgen
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/lib/nss_dns.so.1
/usr/sbin/dnskeygen
/usr/sbin/in.named
/usr/sbin/named-bootconf
/usr/sbin/named-xfer
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nstest
/usr/sbin/nsupdate
Problem Description: 
6702096 BIND cache poisoning vulnerability CERT VU#800113
 
(from 109327-22)
 
4984937 BIND 8.2.4 in.named hangs with message db_freedata: DB_F_ACTIVE set
 
(from 109327-21)
 
4491688 inet_network has some sloppy code and needs to be cleaned up
 
(from 109327-20)
 
6596938 BIND 8 generates cryptographically weak DNS query IDs
 
(from 109327-19)
 
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
 
(from 109327-18)
 
6391459 ip6.int will be deprecated soon, switch to ip6.arpa
6179099 dnskeygen creates incompatible key file name for nsupdate
 
(from 109327-17)
 
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
 
(from 109327-16)
 
4879822 in.named core dumps, Solaris 8, Bind v. 8.2.2-P5
4471907 libresolv doesn't init in an ipv6 only environment
4500613 res_npquery (3RESOLV) not available in libresolv.so.2
4617431 mozilla dumps core when using post-4525129 libresolv2
4941011 nslookup 'view' command fails with 'sed: command garbled'
 
(from 109327-15)
 
4863307 nsupdate fails with more than 14 NS records for Bind 8.2.2 and 8.2.4
4933407 resolvers do not follow referrals
 
(from 109327-14)
 
4879704 ndc can't switch off tracing with notrace when in.named is under heavy load
 
(from 109327-13)
 
4928758 Negative Cache Poison Attack
 
(from 109327-12)
 
        Respin only due to bad patching of 108994-27 through 108994-30.
 
(from 109327-11)
 
4353836 if more than 255 file descriptors are already open then gethostbyname fails
 
(from 109327-10)
 
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances
 
(from 109327-09)
 
4708913 CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
 
(from 109327-08)
 
4525129 DNS over TCP can induce gethostbyX(3NSL) meltdown
4646349 libresolv.so.2 leaks memory in multithreaded programs
 
(from 109327-07)
 
4500573 multithreaded applications block in DNS Name Service switch backend
 
(from 109327-06)
 
4451645 Clearcase 4.0 will not work with Solaris 8 4/2001
 
(from 109327-05)
 
4324375 rsh to machine with two interfaces on same subnet has problems with firewall
 
(from 109327-04)
 
4444745 DNS / BIND 8.2.2p5 in.named core during port scan
 
(from 109327-03)
 
4409676 CERT Advisory CA-2001-02/Solaris DNS (bind)
 
(from 109327-02)
 
        This revision accumulates feature point patch 110515-01.
 
(from 109327-01)
 
4284409 libresolv does not protect itself from Netscape provided poll routine
 
(from 110515-01)
 
4349983 event library expects file modes to apply to AF_UNIX sockets
4365909 in.named crashed and burned in db_freedata
4300887 Solaris in.named compile omits CAN_CHANGE_ID/HAVE_CHROOT
4136555 sccs keyword expansion gives bad VER in in.named Makefile.com
4253123 nslookup displays truncated data if DNS entry has more than 5 long TXT records
Revision History: 

109327-21 109327-10 109327-15 109327-19 109327-04 109327-08 109327-20 109327-16 109327-05 109327-09 109327-01 109327-12 109327-17 109327-06 109327-02 109327-13 109327-11 109327-22 109327-07 109327-18 109327-14

Patch Installation Instructions: 
--------------------------------
 
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
 
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/104945-02
 
The following example removes a patch from a standalone system:
 
       example# patchrm 104945-02
 
For additional examples please see the appropriate man pages.
Special Install Instructions: 
-----------------------------
 
NOTE  1: To get the complete fix for 4324375 (rsh to machine with
         two interfaces on same subnet has problems with firewall),
         please also install the following patches:
 
         111328-02 (or greater)  /usr/lib/libsocket.so.1 patch
         108986-03 (or greater)  /usr/sbin/in.rshd patch
 
NOTE  2: To get the complete fix for bug 4491688 (inet_network has some sloppy
         code and needs to be cleaned up), please also install the following patch:
 
         111328-05 (or greater)  libsocket patch
 
NOTE  3: Administrators MUST migrate their recursive BIND servers from BIND 8
         to BIND 9 to get relief for CR 6702096 (CERT VU#800113).  That is to
         say /usr/lib/dns/named must be used in place of /usr/sbin/in.named as
         detailed below.  The installation of this patch alone without migration
         offers no protection from the security vulnerabilities which are
         resolved by using BIND 9.  For further information regarding the
         security implications of running BIND 8 please refer to SunAlert 240048
         (previously 239392):
         http://sunsolve.sun.com/search/document.do?assetkey=1-66-240048-1
 
         BIND 9 is provided in /usr/lib/dns by patch on the Solaris 8 Operating
         Environment to enable customers to migrate from the older and insecure
         version of BIND 8 provided in /usr/sbin/in.named.
 
   +------------------------------------------------------------------------+
   |   NOTE: at this time we are aware of two issues which may occur        |
   |             following the installation of this patch:                  |
   |                                                                        |
   | 6728975 Fix for 6702096 causes named (9.3.5.P1) to use high CPU usage. |
   | 6726921 Bind 9.3.5-P1 breaks dns (too many open file descriptors)      |
   |                                                                        |
   | The version of BIND 9.3.5-P1 has been compiled with FD_SETSIZE set     |
   | to 8192 to prevent 6726921 from occurring.  If your BIND server does   |
   | still experience 6726921 then please let us know.                      |
   |                                                                        |
   | The issues documented above will be addressed in a later version of    |
   | BIND.                                                                  |
   |                                                                        |
   +------------------------------------------------------------------------+

README -- Last modified date:  Monday, March 9, 2009

Article Details
Article ID : 109327-23
Article Type : Patch Descriptions
Last reviewed : 2009-03-09
Audience : PUBLIC
Keywords : security libresolv poll() bind 8.2.2 in.named resolver authentication query bind9