Issued:

2015-07-22

Updated:

2015-07-22

RHBA-2015:1250 - bind bug fix and enhancement update

Synopsis

bind bug fix and enhancement update

Type/Severity

Bug Fix Advisory None

Topic

Updated bind packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

Description

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, a resolver library (routines for applications to use when interfacing with DNS), and tools for verifying that the DNS server is operating correctly.

This update fixes the following bugs:

• Previously, the "slip" option was not handled correctly in the Response Rate Limiting (RRL) code in BIND, and the variable counting the number of queries was not reset after each query, but after every other query. As a consequence, when the "slip" value of the RRL feature was set to one, instead of slipping every query, every other query was dropped. To fix this bug, the RRL code has been amended to reset the variable correctly according to the configuration. Now, when the "slip" value of the RRL feature is set to one, every query is slipped as expected. (BZ#1112356)

• BIND incorrectly handled errors returned by dynamic databases (from dyndbAPI). Consequently, BIND could enter a deadlock situation on shutdown under certain circumstances. The dyndb API has been fixed not to cause a deadlock during BIND shutdown after the dynamic database returns an error, and BIND now shuts down normally in the described situation. (BZ#1142152)

• Because the Simplified Database Backend (SDB) application interface did not handle unexpected SDB database driver errors properly, BIND used with SDB could terminate unexpectedly when such errors occurred. With this update, the SDB application interface has been cleaned to handle these errors correctly, and BIND used with SDB no longer crashes if they happen. (BZ#1146893)

• Due to a race condition in the beginexclusive() function, the BIND DNS server (named) could terminate unexpectedly while loading configuration. To fix this bug, a patch has been applied, and the race condition no longer occurs. (BZ#1175321)

• Previously, when the resolver was under heavy load, some clients could receive a SERVFAIL response from the server and numerous "out of memory/success" log messages in BIND's log. Also, cached records with low TTL (1) could expire prematurely. Internal hardcoded limits in the resolver have been increased, and conditions for expiring cached records with low TTL (1) have been made stricter. This prevents the resolver from reaching the limits when under heavy load, and the "out of memory/success" log messages from being received. Cached records with low TTL (1) no longer expire prematurely. (BZ#1215687)

In addition, this update adds the following enhancement:

• Users can now use RPZ-NSIP and RPZ-NSDNAME records with Response Policy Zone (RPZ) in the BIND configuration. (BZ#1176476)

Users of BIND are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the update, the BIND daemon (named) will be restarted automatically.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Updated Packages

• bind-devel-9.8.2-0.37.rc1.el6.s390x.rpm
• bind-devel-9.8.2-0.37.rc1.el6.s390.rpm
• bind-9.8.2-0.37.rc1.el6.s390x.rpm
• bind-utils-9.8.2-0.37.rc1.el6.s390x.rpm
• bind-devel-9.8.2-0.37.rc1.el6.i686.rpm
• bind-sdb-9.8.2-0.37.rc1.el6.x86_64.rpm
• bind-libs-9.8.2-0.37.rc1.el6.s390.rpm
• bind-libs-9.8.2-0.37.rc1.el6.x86_64.rpm
• bind-9.8.2-0.37.rc1.el6.src.rpm
• bind-debuginfo-9.8.2-0.37.rc1.el6.ppc.rpm
• bind-sdb-9.8.2-0.37.rc1.el6.ppc64.rpm
• bind-9.8.2-0.37.rc1.el6.x86_64.rpm
• bind-debuginfo-9.8.2-0.37.rc1.el6.x86_64.rpm
• bind-debuginfo-9.8.2-0.37.rc1.el6.ppc64.rpm
• bind-libs-9.8.2-0.37.rc1.el6.ppc64.rpm
• bind-libs-9.8.2-0.37.rc1.el6.ppc.rpm
• bind-utils-9.8.2-0.37.rc1.el6.x86_64.rpm
• bind-chroot-9.8.2-0.37.rc1.el6.i686.rpm
• bind-devel-9.8.2-0.37.rc1.el6.x86_64.rpm
• bind-debuginfo-9.8.2-0.37.rc1.el6.s390.rpm
• bind-utils-9.8.2-0.37.rc1.el6.ppc64.rpm
• bind-libs-9.8.2-0.37.rc1.el6.s390x.rpm
• bind-9.8.2-0.37.rc1.el6.ppc64.rpm
• bind-sdb-9.8.2-0.37.rc1.el6.s390x.rpm
• bind-chroot-9.8.2-0.37.rc1.el6.x86_64.rpm
• bind-chroot-9.8.2-0.37.rc1.el6.s390x.rpm
• bind-debuginfo-9.8.2-0.37.rc1.el6.i686.rpm
• bind-9.8.2-0.37.rc1.el6.i686.rpm
• bind-sdb-9.8.2-0.37.rc1.el6.i686.rpm
• bind-devel-9.8.2-0.37.rc1.el6.ppc.rpm
• bind-chroot-9.8.2-0.37.rc1.el6.ppc64.rpm
• bind-libs-9.8.2-0.37.rc1.el6.i686.rpm
• bind-utils-9.8.2-0.37.rc1.el6.i686.rpm
• bind-devel-9.8.2-0.37.rc1.el6.ppc64.rpm
• bind-debuginfo-9.8.2-0.37.rc1.el6.s390x.rpm

Fixes

• This content is not included.BZ - 1142152
• This content is not included.BZ - 1175321

CVEs

(none)

References

(none)

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.