From 6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Fri, 25 Mar 2016 01:05:22 +0000 Subject: [PATCH] regen master --- doc/arm/Bv9ARM.ch09.html | 167 ++++++--------------------------------- doc/arm/notes.html | 167 ++++++--------------------------------- 2 files changed, 44 insertions(+), 290 deletions(-) diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 50f741ba61..3635e66aa3 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -86,138 +86,9 @@

Security Fixes

-
    -
  • - Duplicate EDNS COOKIE options in a response could trigger - an assertion failure. This flaw is disclosed in CVE-2016-2088. - [RT #41809] -

  • -
  • - Insufficient testing when parsing a message allowed - records with an incorrect class to be be accepted, - triggering a REQUIRE failure when those records - were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #40987] -

  • -
  • - Incorrect reference counting could result in an INSIST - failure if a socket error occurred while performing a - lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] -

  • -
  • - An incorrect boundary check in the OPENPGPKEY rdatatype - could trigger an assertion failure. This flaw is disclosed - in CVE-2015-5986. [RT #40286] -

  • -
  • -

    - A buffer accounting error could trigger an assertion failure - when parsing certain malformed DNSSEC keys. -

    -

    - This flaw was discovered by Hanno Böck of the Fuzzing - Project, and is disclosed in CVE-2015-5722. [RT #40212] -

    -
  • -
  • -

    - A specially crafted query could trigger an assertion failure - in message.c. -

    -

    - This flaw was discovered by Jonathan Foote, and is disclosed - in CVE-2015-5477. [RT #40046] -

    -
  • -
  • -

    - On servers configured to perform DNSSEC validation, an - assertion failure could be triggered on answers from - a specially configured server. -

    -

    - This flaw was discovered by Breno Silveira Soares, and is - disclosed in CVE-2015-4620. [RT #39795] -

    -
  • -
  • -

    - On servers configured to perform DNSSEC validation using - managed trust anchors (i.e., keys configured explicitly - via managed-keys, or implicitly - via dnssec-validation auto; or - dnssec-lookaside auto;), revoking - a trust anchor and sending a new untrusted replacement - could cause named to crash with an - assertion failure. This could occur in the event of a - botched key rollover, or potentially as a result of a - deliberate attack if the attacker was in position to - monitor the victim's DNS traffic. -

    -

    - This flaw was discovered by Jan-Piet Mens, and is - disclosed in CVE-2015-1349. [RT #38344] -

    -
  • -
  • -

    - A flaw in delegation handling could be exploited to put - named into an infinite loop, in which - each lookup of a name server triggered additional lookups - of more name servers. This has been addressed by placing - limits on the number of levels of recursion - named will allow (default 7), and - on the number of queries that it will send before - terminating a recursive query (default 50). -

    -

    - The recursion depth limit is configured via the - max-recursion-depth option, and the query limit - via the max-recursion-queries option. -

    -

    - The flaw was discovered by Florian Maury of ANSSI, and is - disclosed in CVE-2014-8500. [RT #37580] -

    -
  • -
  • -

    - Two separate problems were identified in BIND's GeoIP code that - could lead to an assertion failure. One was triggered by use of - both IPv4 and IPv6 address families, the other by referencing - a GeoIP database in named.conf which was - not installed. Both are covered by CVE-2014-8680. [RT #37672] - [RT #37679] -

    -

    - A less serious security flaw was also found in GeoIP: changes - to the geoip-directory option in - named.conf were ignored when running - rndc reconfig. In theory, this could allow - named to allow access to unintended clients. -

    -
  • -
  • - Specific APL data could trigger an INSIST. This flaw - is disclosed in CVE-2015-8704. [RT #41396] -

  • -
  • - Certain errors that could be encountered when printing out - or logging an OPT record containing a CLIENT-SUBNET option - could be mishandled, resulting in an assertion failure. - This flaw is disclosed in CVE-2015-8705. [RT #41397] -

  • -
  • - Malformed control messages can trigger assertions in named - and rndc. This flaw is disclosed in CVE-2016-1285. [RT - #41666] -

  • -
  • - The resolver could abort with an assertion failure due to - improper DNAME handling when parsing fetch reply - messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] -

  • -
+
  • + None. +
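Review bot: The Security Fixes list in Bv9ARM.ch09.html is replaced wholesale by "None.", removing every CVE and RT reference from CVE-2016-2088 back to CVE-2014-8500, and the commit message "regen master" gives no reason for it. If the notes are being reset for a new release cycle, say so in the message and confirm that these entries remain in the notes of the releases that carried the fixes. The removed CVE-2014-8500 entry was also where this section described the max-recursion-depth (default 7) and max-recursion-queries (default 50) limits; those are operational settings and should stay documented outside a deleted changelog item.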

@@ -349,7 +220,7 @@ The EDNS Client Subnet (ECS) option is now supported for authoritative servers; if a query contains an ECS option then ACLs containing geoip or ecs - elements can match against the the address encoded in the option. + elements can match against the address encoded in the option. This can be used to select a view for a query, so that different answers can be provided depending on the client network.
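Review bot: While the ECS sentence ending "can match against the address encoded in the option" is being corrected, it should gain a caveat, because the address in an ECS option is whatever the sender of the query placed there and is not authenticated. The paragraph presents the feature for view selection; it would help to state that geoip or ecs ACL elements matched this way are suited to tailoring answers and should not be relied on to restrict access.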

@@ -388,7 +259,7 @@

  • dig +zflag can be used to set the last - unassigned DNS header flag bit. This bit in normally zero. + unassigned DNS header flag bit. This bit is normally zero.

  • dig +dscp=value @@ -410,8 +281,8 @@

  • named -L filename - causes named to send log messages to the specified file by - default instead of to the system log. + causes named to send log messages to the + specified file by default instead of to the system log.

  • The rate limiter configured by the @@ -531,16 +402,20 @@ may improve throughput. The default is yes.

  • - A "read-only" clause is now available for non-destructive + A read-only option is now available in the + controls statement to grant non-destructive control channel access. In such cases, a restricted set of - rndc commands are allowed for querying information from named. - By default, control channel access is read-write. + rndc commands are allowed, which can + report information from named, but cannot + reconfigure or stop the server. By default, the control channel + access is not restricted to these + read-only operations. [RT #40498]

  • - When loading managed signed zones detect if the RRSIG's - inception time is in the future and regenerate the RRSIG - immediately. This helps when the system's clock needs to - be reset backwards. + When loading a signed zone, named will + now check whether an RRSIG's inception time is in the future, + and if so, it will regenerate the RRSIG immediately. This helps + when a system's clock needs to be reset backwards.
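Review bot: The added sentence "By default, the control channel access is not restricted to these read-only operations" is harder to parse than the "By default, control channel access is read-write" it replaces; for a privilege-related setting the default should be stated positively, and the entry would benefit from naming which rndc commands fall in the restricted set. In the RRSIG entry of the same hunk, "managed signed zones" became "a signed zone", which widens the claim; if regeneration only applies to zones that named signs itself, keep that qualifier.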

  • @@ -554,7 +429,8 @@ now reported with millisecond accuracy. [RT #40082]

  • - Updated the compiled in addresses for H.ROOT-SERVERS.NET. + Updated the compiled-in addresses for H.ROOT-SERVERS.NET + and L.ROOT-SERVERS.NET.

  • ACLs containing geoip asnum elements were @@ -688,7 +564,8 @@ message compression. This results in reduced network usage.

  • - Added support for the type AVC. + Added support for the AVC resource record type (Application + Visibility and Control).

  • diff --git a/doc/arm/notes.html b/doc/arm/notes.html index c0fa078c8d..becec4925d 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -47,138 +47,9 @@

    Security Fixes

    -
      -
    • - Duplicate EDNS COOKIE options in a response could trigger - an assertion failure. This flaw is disclosed in CVE-2016-2088. - [RT #41809] -

    • -
    • - Insufficient testing when parsing a message allowed - records with an incorrect class to be be accepted, - triggering a REQUIRE failure when those records - were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #40987] -

    • -
    • - Incorrect reference counting could result in an INSIST - failure if a socket error occurred while performing a - lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] -

    • -
    • - An incorrect boundary check in the OPENPGPKEY rdatatype - could trigger an assertion failure. This flaw is disclosed - in CVE-2015-5986. [RT #40286] -

    • -
    • -

      - A buffer accounting error could trigger an assertion failure - when parsing certain malformed DNSSEC keys. -

      -

      - This flaw was discovered by Hanno Böck of the Fuzzing - Project, and is disclosed in CVE-2015-5722. [RT #40212] -

      -
    • -
    • -

      - A specially crafted query could trigger an assertion failure - in message.c. -

      -

      - This flaw was discovered by Jonathan Foote, and is disclosed - in CVE-2015-5477. [RT #40046] -

      -
    • -
    • -

      - On servers configured to perform DNSSEC validation, an - assertion failure could be triggered on answers from - a specially configured server. -

      -

      - This flaw was discovered by Breno Silveira Soares, and is - disclosed in CVE-2015-4620. [RT #39795] -

      -
    • -
    • -

      - On servers configured to perform DNSSEC validation using - managed trust anchors (i.e., keys configured explicitly - via managed-keys, or implicitly - via dnssec-validation auto; or - dnssec-lookaside auto;), revoking - a trust anchor and sending a new untrusted replacement - could cause named to crash with an - assertion failure. This could occur in the event of a - botched key rollover, or potentially as a result of a - deliberate attack if the attacker was in position to - monitor the victim's DNS traffic. -

      -

      - This flaw was discovered by Jan-Piet Mens, and is - disclosed in CVE-2015-1349. [RT #38344] -

      -
    • -
    • -

      - A flaw in delegation handling could be exploited to put - named into an infinite loop, in which - each lookup of a name server triggered additional lookups - of more name servers. This has been addressed by placing - limits on the number of levels of recursion - named will allow (default 7), and - on the number of queries that it will send before - terminating a recursive query (default 50). -

      -

      - The recursion depth limit is configured via the - max-recursion-depth option, and the query limit - via the max-recursion-queries option. -

      -

      - The flaw was discovered by Florian Maury of ANSSI, and is - disclosed in CVE-2014-8500. [RT #37580] -

      -
    • -
    • -

      - Two separate problems were identified in BIND's GeoIP code that - could lead to an assertion failure. One was triggered by use of - both IPv4 and IPv6 address families, the other by referencing - a GeoIP database in named.conf which was - not installed. Both are covered by CVE-2014-8680. [RT #37672] - [RT #37679] -

      -

      - A less serious security flaw was also found in GeoIP: changes - to the geoip-directory option in - named.conf were ignored when running - rndc reconfig. In theory, this could allow - named to allow access to unintended clients. -

      -
    • -
    • - Specific APL data could trigger an INSIST. This flaw - is disclosed in CVE-2015-8704. [RT #41396] -

    • -
    • - Certain errors that could be encountered when printing out - or logging an OPT record containing a CLIENT-SUBNET option - could be mishandled, resulting in an assertion failure. - This flaw is disclosed in CVE-2015-8705. [RT #41397] -

    • -
    • - Malformed control messages can trigger assertions in named - and rndc. This flaw is disclosed in CVE-2016-1285. [RT - #41666] -

    • -
    • - The resolver could abort with an assertion failure due to - improper DNAME handling when parsing fetch reply - messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] -

    • -
    +
    • + None. +
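Review bot: doc/arm/notes.html receives the same hunks as doc/arm/Bv9ARM.ch09.html (167 changed lines each in the diffstat), so both appear to be generated from one source, yet the "regen master" message does not name the source change being regenerated. Reference that commit or file in the message so the removal of the Security Fixes entries here can be reviewed once, at the source, and not inferred from two generated copies.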

    @@ -310,7 +181,7 @@ The EDNS Client Subnet (ECS) option is now supported for authoritative servers; if a query contains an ECS option then ACLs containing geoip or ecs - elements can match against the the address encoded in the option. + elements can match against the address encoded in the option. This can be used to select a view for a query, so that different answers can be provided depending on the client network.

    @@ -349,7 +220,7 @@

  • dig +zflag can be used to set the last - unassigned DNS header flag bit. This bit in normally zero. + unassigned DNS header flag bit. This bit is normally zero.

  • dig +dscp=value @@ -371,8 +242,8 @@

  • named -L filename - causes named to send log messages to the specified file by - default instead of to the system log. + causes named to send log messages to the + specified file by default instead of to the system log.

  • The rate limiter configured by the @@ -492,16 +363,20 @@ may improve throughput. The default is yes.

  • - A "read-only" clause is now available for non-destructive + A read-only option is now available in the + controls statement to grant non-destructive control channel access. In such cases, a restricted set of - rndc commands are allowed for querying information from named. - By default, control channel access is read-write. + rndc commands are allowed, which can + report information from named, but cannot + reconfigure or stop the server. By default, the control channel + access is not restricted to these + read-only operations. [RT #40498]

  • - When loading managed signed zones detect if the RRSIG's - inception time is in the future and regenerate the RRSIG - immediately. This helps when the system's clock needs to - be reset backwards. + When loading a signed zone, named will + now check whether an RRSIG's inception time is in the future, + and if so, it will regenerate the RRSIG immediately. This helps + when a system's clock needs to be reset backwards.

  • @@ -515,7 +390,8 @@ now reported with millisecond accuracy. [RT #40082]

  • - Updated the compiled in addresses for H.ROOT-SERVERS.NET. + Updated the compiled-in addresses for H.ROOT-SERVERS.NET + and L.ROOT-SERVERS.NET.

  • ACLs containing geoip asnum elements were @@ -649,7 +525,8 @@ message compression. This results in reduced network usage.

  • - Added support for the type AVC. + Added support for the AVC resource record type (Application + Visibility and Control).