Obsoleted by: 114265-16 SunOS 5.9_x86: in.dhcpd libresolv and BIND9 patch
Disclaimer:
Please note:
Although OBSOLETED patches are available on SunSolve, Sun recommends using the most recent patches and the most recent revision of those patches. OBSOLETED patches do not include the latest bug fixes and/or product enhancements, and may require the installation of additional patches as a corrective measure.
Status: OBSOLETE
Patch Id: 114265-15
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
Summary: Obsoleted by: 114265-16 SunOS 5.9_x86: in.dhcpd libresolv and BIND9 patch
Date: Nov/06/2008
Installation Requirements:
See Special Install Instructions
Perform a reconfigure reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 9_x86
Sun OS Release: 5.9_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 112837
Topic:
SunOS 5.9_x86: in.dhcpd libresolv and BIND9 patch
Relevant Architecture: i386
BugId's fixed with this patch:
4353836 4678758 4700305 4721862 4777715 4793327 4796596 4805812 4810893 4840208 4863307 4874895 4928758 4932150 4944796 4981080 5074510 5086331 5098448 6205056 6220012 6248700 6300853 6315143 6337595 6340650 6418659 6428870 6487719 6527020 6573010 6580417 6596938 6619398 6702096 6713805
Changes incorporated in this version:
6573010 6619398 6713805
Patches accumulated and obsoleted by this patch:
114354-11
Patches which conflict with this patch:
Required Patches:
113719-06 115698-02 (or greater)
Obsoleted by:
Files Included in this Patch:
/usr/include/arpa/nameser.h
/usr/include/arpa/nameser_compat.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/abi/abi_libresolv.so.2
/usr/lib/dns/cylink.so.1
/usr/lib/dns/dig
/usr/lib/dns/dnssafe.so.1
/usr/lib/dns/dnssec-keygen
/usr/lib/dns/dnssec-signzone
/usr/lib/dns/host
/usr/lib/dns/irs.so.1
/usr/lib/dns/libbind9.so
/usr/lib/dns/libbind9.so.0
/usr/lib/dns/libbind9.so.0.0.10
/usr/lib/dns/libdns.so
/usr/lib/dns/libdns.so.25
/usr/lib/dns/libdns.so.25.0.0
/usr/lib/dns/libisc.so
/usr/lib/dns/libisc.so.11
/usr/lib/dns/libisc.so.11.1.3
/usr/lib/dns/libisccc.so
/usr/lib/dns/libisccc.so.0
/usr/lib/dns/libisccc.so.0.2.3
/usr/lib/dns/libisccfg.so
/usr/lib/dns/libisccfg.so.1
/usr/lib/dns/libisccfg.so.1.0.8
/usr/lib/dns/liblwres.so
/usr/lib/dns/liblwres.so.9
/usr/lib/dns/liblwres.so.9.2.0
/usr/lib/dns/man/man1m/dnssec-keygen.1m
/usr/lib/dns/man/man1m/dnssec-signzone.1m
/usr/lib/dns/man/man1m/named-checkconf.1m
/usr/lib/dns/man/man1m/named-checkzone.1m
/usr/lib/dns/man/man1m/named.1m
/usr/lib/dns/man/man1m/nsupdate.1m
/usr/lib/dns/man/man1m/rndc-confgen.1m
/usr/lib/dns/man/man1m/rndc.1m
/usr/lib/dns/migration.txt
/usr/lib/dns/named
/usr/lib/dns/named-checkconf
/usr/lib/dns/named-checkzone
/usr/lib/dns/nslookup
/usr/lib/dns/nsupdate
/usr/lib/dns/rndc
/usr/lib/dns/rndc-confgen
/usr/lib/inet/dhcp/nsu/rfc2136.so.1
/usr/lib/inet/in.dhcpd
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/sbin/dig
/usr/sbin/dnskeygen
/usr/sbin/in.named
/usr/sbin/named-xfer
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nsupdate
Problem Description:
6573010 DHCP server fails to lock newly created client record
6619398 [CVE-2007-5365] potential buffer overflow due to crafted requests
6713805 DHCP server should not care about the number of offers
(from 114265-14)
6702096 BIND cache poisoning vulnerability CERT VU#800113
(from 114265-13)
6596938 BIND 8 generates cryptographically weak DNS query IDs
(from 114265-12)
6580417 Solaris 9 libresolv patches and DHCP patches are hard-dependent on each other
(from 114265-11)
6340650 in.dhcpd: must initialize statp structure before calling res_ninit()
6487719 libdhcpdu: must initialize statp structure before calling res_ninit()
(from 114265-10)
6418659 DHCP server provides bad address 0.0.0.0
6428870 in.dhcpd incorrectly reports 'Invalid value for option: LOGGING_FACILITY'
(from 114265-09)
5074510 in.dhcpd dumps core in dhcp_offer
(from 114265-08)
4840208 secondary assigning addresses owned by primary
4944796 fixes for 4840208, 4872379 removed part of fix for 4678758 due to mismerge
6220012 PXE boot does not work / in.dhcpd unicasts to wrong IP address
(from 114265-07)
4932150 DHCP DDNS updates fail because defunct records aren't deleted
(from 114265-06)
5086331 DHCP server doesn't reply to DHCPREQUEST, appears to treat as expired offer
(from 114265-05)
5098448 dhcpd offers duplicate IP-address in case of delayed releases
(from 114265-04)
Patch respun to explicitly require patch 115698-02.
(from 114265-03)
4981080 in.dhcpd does not DNS dynamic update if the DHCP client is WindowsNT4,98,95
(from 114265-02)
4678758 DHCP server complains unnecessarily when responding to DHCPINFORM clients
(from 114265-01)
4721862 in.dhcpd on multi-interface machine sometimes answers on wrong interface
(from 114354-11)
6248700 (rework) memory leak in libresolv
6337595 core dump - res_nsend() always assumes statp->_u._ext.ext not being NULL
(from 114354-10)
6300853 libresolv net_data_init should not increment once until it is done initializing
6527020 libresolv does not handle mutexes correctly
(from 114354-09)
6248700 memory leak in libresolv
(from 114354-08)
6315143 named could make unnecessary queries for glue if additional section was full
(from 114354-07)
6205056 res_nint should return true when last interface has only 1 IP address and is deprecated
(from 114354-06)
4863307 nsupdate fails with more than 14 NS records for Bind 8.2.2 and 8.2.4
(from 114354-05)
4928758 Negative Cache Poison Attack
(from 114354-04)
4874895 S9 x86 patches for 4353836 needs to be respun with correct dependencies
(from 114354-03)
4353836 if more than 255 file descriptors are already open then gethostbyname fails
(from 114354-02)
4793327 BIND needs to be upgraded to BIND 8.3 to support IPv6
4796596 BIND 8.3.3 server handling of TSIG HMAC-MD5 broken
4805812 in.named version needs to reflect putback of BIND 8.3.3
4810893 UNIX98: *netdb.h* VSU test fails due to violation of X/Open namespace
(from 114354-01)
4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances
Revision History:
114265-07 114354-11 114265-02 114265-06 114265-14 114265-13 114265-05 114265-04 114265-10 114265-08 114265-12 114265-09 114265-11
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd 114265-15
The following example removes a patch from a standalone system:
example# patchrm 114265-15
For additional examples please see the appropriate man pages. Any other
special or non-generic installation instructions should be described
below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: To get the complete fix for bugids 4353836 (if more than 255 file
descriptors are open then gethostbyname fails) and 4874895 (S9 x86
patches for 4353836 need to be respun with correct dependencies),
please also install the following patches:
115546-02 (or greater) nss_files patch
115551-02 (or greater) nss_user patch
115543-02 (or greater) nss_compat.so.1 patch
NOTE 2: Administrators MUST migrate their recursive BIND servers from BIND 8
to BIND 9 to get relief for CR 6702096 (CERT VU#800113). That is to
say /usr/lib/dns/named must be used in place of /usr/sbin/in.named as
detailed below. The installation of this patch alone without
migration offers no protection from the security vulnerabilities which
are resolved by using BIND 9. For further information regarding the
security implications of running BIND 8 please refer to SunAlert
240048 (previously 239392):
http://sunsolve.sun.com/search/document.do?assetkey=1-66-240048-1
BIND 9 is provided in /usr/lib/dns by patch on the Solaris 8 Operating
Environment to enable customers to migrate from the older and insecure
version of BIND 8 provided in /usr/sbin/in.named.
+------------------------------------------------------------------------+
| NOTE: at this time we are aware of two issues which may occur          |
| following the installation of this patch:                              |
|                                                                        |
| 6728975 Fix for 6702096 causes named (9.3.5.P1) to use high CPU usage. |
| 6726921 Bind 9.3.5-P1 breaks dns (too many open file descriptors)      |
|                                                                        |
| The version of BIND 9.3.5-P1 has been compiled with FD_SETSIZE set     |
| to 8192 to prevent 6726921 from occurring, if your BIND server does    |
| still experience 6726921 then please let us know.                      |
|                                                                        |
| The issues documented above will be addressed in a later version of    |
| BIND.                                                                  |
+------------------------------------------------------------------------+
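Added example (not part of the Sun README): a post-install audit that checks the Required Patches and NOTE 1 companion patch levels with "(or greater)" semantics, and reports whether the resolver daemon is still the BIND 8 binary that NOTE 2 says must be replaced. The function names and sample inputs are constructed for illustration; it assumes the `Patch: <id> Obsoletes: ...` line format of `showrev -p` and the output of `ps -e -o args`.

```shell
#!/bin/sh
# Added example: audit helper, not part of the Sun README.
# Constructed sample inputs (not captured from a real host).
SAMPLE_SHOWREV='Patch: 113719-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 115698-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 114265-15 Obsoletes: 114354-11 Requires: 113719-06, 115698-02 Incompatibles:  Packages: SUNWdhcsu'
SAMPLE_PS='/usr/sbin/in.named
/usr/lib/inet/in.dhcpd'

# check_patch REQ SHOWREV_TEXT
# REQ is "base-minrev"; any installed revision >= minrev satisfies "(or greater)".
check_patch() {
    printf '%s\n' "$2" | awk -v req="$1" '
        BEGIN { split(req, r, "-"); status = "MISSING" }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] != r[1]) next
            if (p[2] + 0 >= r[2] + 0) status = "OK"
            else if (status != "OK") status = "TOO_OLD"
        }
        END { print status, req }'
}

# named_in_use: reads `ps -e -o args` text on stdin. BIND 8 wins if both appear,
# because per NOTE 2 a running /usr/sbin/in.named is still exposed.
named_in_use() {
    awk '$1 == "/usr/sbin/in.named" { b8 = 1 }
         $1 == "/usr/lib/dns/named" { b9 = 1 }
         END { if (b8) print "BIND8"; else if (b9) print "BIND9"; else print "NONE" }'
}

# audit SHOWREV_TEXT PS_TEXT: one line per finding.
audit() {
    # Required Patches, then the NOTE 1 companions (all from the README).
    for req in 113719-06 115698-02 115546-02 115551-02 115543-02; do
        check_patch "$req" "$1"
    done
    echo "resolver: $(printf '%s\n' "$2" | named_in_use)"
}

# On a live host: audit "$(showrev -p)" "$(ps -e -o args)"
audit "$SAMPLE_SHOWREV" "$SAMPLE_PS"
```

A `BIND8` result on a recursive server means the patch is installed but the NOTE 2 migration has not been done.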
README -- Last modified date: Monday, March 9, 2009