bind-dyndb-ldap-1.1.0-0.9.b1.0.2.AXS4

エラータID: AXSA:2012-800:03

Release date: 
Monday, August 20, 2012 - 13:51
Subject: 
bind-dyndb-ldap-1.1.0-0.9.b1.0.2.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server.

Security issues fixed with this release;

• CVE-2012-2134
No description available at the time of writing, please use the CVE links below.

Bug Fixes

• Improved the parsing of Resource Records (RR). If a RR is invalid, the bind-dyndb-ldap plug-in logs a "Failed to parse RR entry" error message and the rest of the zone continues to load as expected.

• The bind-dyndb-ldap plugin tried only once to connect to an LDAP server. If it failed, it did not try again and users had to run "rndc reload" to make the plugin work again. This has been fixed, the plugin retries periodically until it succeeds and user intervention is not necessary.

• After the zone_refresh period timed out and despite the zone being removed from the LDAP server, the plug-in would still serve the zone. This has been fixed.

• The plugin could sometimes make the named daemon crashed. This has been fixed.

• If the named daemon momentarily lost connection to an LDAP server, and if some zones previously present had been removed from the server during the time named was not connected, the plug-in would crash. This has been fixed.

• Fixed some string lengths that resulted in the Start of Authority (SOA) serial number and expiry time being incorrectly set during the ipa-server installation. This has been fixed.

• It now escapes special characters DNS names in queries correctly.

• Fixed the delegation of A or AAAA glue records in the “additional section” of a DNS answer: delegated zones are correctly resolvable.

Enhancements

• Added idnsAllowQuery and idnsAllowTransfer, two new attributes used to set ACLs for queries or transfers.

• Added idnsForwarders and idnsForwardPolicy, two new attributes used to configure forwarding.

• Added support for zone transfers.

• Added "sync_ptr", a new option used to keep A and AAAA records and their PTR records synchronized.

• Previously, the plug-in configuration was taken from the named.conf file. Now it is also available from idnsConfigObject in LDAP, which has a higher priority than named.conf, although this will change in the future.

Solution: 

Update packages.

CVEs: 
CVE-2012-2134
The handle_connection_error function in ldap_helper.c in bind-dyndb-ldap before 1.1.0rc1 does not properly handle LDAP query errors, which allows remote attackers to cause a denial of service (infinite loop and named server hang) via a non-alphabet character in the base DN in an LDAP search DNS query.


Additional Info: 

N/A

Download: 

SRPMS
  1. bind-dyndb-ldap-1.1.0-0.9.b1.0.2.AXS4.src.rpm
    MD5: 4f3533107bd8ed6d5f5c9a18522ac993
    SHA-256: e2812d0c8a5392363da210b9b01c9bdab11c54f2a637465d51b87b69e89f1c79
    Size: 306.15 kB

Asianux Server 4 for x86
  1. bind-dyndb-ldap-1.1.0-0.9.b1.0.2.AXS4.i686.rpm
    MD5: d922166e10a490ceab4f22400394154d
    SHA-256: 910d2bc94fc2de0e47e1b88b451dc9d7bcb79f4121380e0c858c00f703a8eaa1
    Size: 62.13 kB

Asianux Server 4 for x86_64
  1. bind-dyndb-ldap-1.1.0-0.9.b1.0.2.AXS4.x86_64.rpm
    MD5: f06a55a9bb68ba325df81bc3636d3b72
    SHA-256: 992f12049f4064f620f533feb0ff209b67823dfd1ba1337165e49f13ed9f5d11
    Size: 62.28 kB