Issued:

2015-07-22

Updated:

2015-07-22

RHBA-2015:1259 - bind-dyndb-ldap bug fix update

Synopsis

bind-dyndb-ldap bug fix update

Type/Severity

Bug Fix Advisory None

Topic

Updated bind-dyndb-ldap packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

Description

The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities for LDAP databases. It features support for dynamic updates and internal caching that helps to reduce the load on LDAP servers.

This update fixes the following bugs:

• Previously, the bind-dyndb-ldap 2.x driver (used in Red Hat Enterprise Linux 6.x) did not handle forward zones correctly when it was in the same replication topology as bind-dyndb-ldap 6.x (used in Red Hat Enterprise Linux 7.1). As a consequence, forward zones stopped working on all replicas. The underlying source code has been patched to fix this bug, and forward zones now continue to work in the described situation. (BZ#1175318)

• The bind-dyndb-ldap library incorrectly compared current time and the expiration time of the Kerberos ticket used for authentication to an LDAP server. As a consequence, the Kerberos ticket was not renewed under certain circumstances, which caused the connection to the LDAP server to fail. The connection failure often happened after a BIND service reload was triggered by the logrotate utility. A patch has been applied to fix this bug, and Kerberos tickets are correctly renewed in this scenario. (BZ#1142176)

• Prior to this update, the bind-dyndb-ldap plug-in incorrectly locked certain data structures. Consequently, a race condition during forwarder address reconfiguration could cause BIND to terminate unexpectedly. This bug has been fixed, bind-dyndb-ldap now locks data structures properly, and BIND no longer crashes in this scenario. (BZ#1126841)

• Previously, the bind-dyndb-ldap plug-in incorrectly handled timeouts which occurred during LDAP operations. As a consequence, under very specific circumstances, the BIND daemon could terminate unexpectedly. With this update, bind-dyndb-ldap has been fixed to correctly handle timeouts during LDAP operations and the BIND daemon no longer crashes in this scenario. (BZ#1219568)

• The documentation for bind-dyndb-ldap-2.3 located in the /usr/share/doc/bind-dyndb-ldap-2.3/README file incorrectly stated that the "idnsAllowTransfer" and "idnsAllowQuery" LDAP attributes are multi-valued. Consequently, users were not able to configure DNS zone transfer and query acess control lists according to the documentation. The documentation has been fixed to explain the correct attribute syntax. (BZ#1183805)

Users of bind-dyndb-ldap are advised to upgrade to these updated packages, which fix these bugs.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Updated Packages

• bind-dyndb-ldap-debuginfo-2.3-8.el6.ppc64.rpm
• bind-dyndb-ldap-2.3-8.el6.x86_64.rpm
• bind-dyndb-ldap-debuginfo-2.3-8.el6.x86_64.rpm
• bind-dyndb-ldap-debuginfo-2.3-8.el6.s390x.rpm
• bind-dyndb-ldap-2.3-8.el6.s390x.rpm
• bind-dyndb-ldap-2.3-8.el6.src.rpm
• bind-dyndb-ldap-2.3-8.el6.i686.rpm
• bind-dyndb-ldap-2.3-8.el6.ppc64.rpm
• bind-dyndb-ldap-debuginfo-2.3-8.el6.i686.rpm

Fixes

• This content is not included.BZ - 1126841
• This content is not included.BZ - 1142176
• This content is not included.BZ - 1175318
• This content is not included.BZ - 1183805
• This content is not included.BZ - 1219568

CVEs

(none)

References

(none)

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.