Re: testing bind9 for Wheezy LTS
On Sat, May 20, 2017 at 04:57:52PM +0200, Thorsten Alteholz wrote:
> Hi everybody,
> I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u16 of bind9 to:
> Please give it a try and tell me about any problems you met.
I've tested the package on a nameserver authoritive for some zones also
using dnssec and on a caching configuration using IPv4 and IPv6 with no
ill effects so far.
> * Dns64 with "break-dnssec yes;" can result in a assertion failure.
> * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
> If not cherry-picking this change the fix for CVE-2017-3137 can cause an
> assertion failure to appear in name.c.
> * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
> assertion failures (CVE-2017-3137)
> * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
> could trigger assertion failures. (CVE-2017-3137)
> * Fix regression introduced when handling CNAME to referral below the
> current domain
> * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138)