BIND 9.4.3 Beta 2 is now available.

BIND 9.4.3b2 is a beta maintenance release of BIND 9.4.

URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
URGENT                                                               URGENT
URGENT               Please read security alert below!               URGENT
URGENT                                                               URGENT
URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT

BIND 9.4.3b2 contains the following security fixes:

2375. [security] Fully randomize UDP query ports to improve
forgery resilience. [RT #17949]

2384. [security] Additional support for query port randomization (change
#2375) including performance improvement and port range
specification. [RT #17949, #18098]

Thanks to recent work by Dan Kaminsky of IOActive, ISC has become
aware of a potential attack exploiting weaknesses in the DNS protocol
itself to enable the poisoning of caching recursive resolvers with
spoofed data.

For additional information about this vulnerability, see US-CERT
(CERT VU#800113 DNS Cache Poisoning Issue). For more details on
changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.

IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

DNSSEC is the only definitive solution for this issue. Understanding
that immediate DNSSEC deployment is not a realistic expectation, ISC
is releasing patched versions of BIND that improve its resilience
against this attack. The method used makes it harder to spoof answers
to a resolver by expanding the range of UDP ports from which queries
are sent by the nameserver, thereby increasing the variability of
parameters in outgoing queries.
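As an added illustration (not from this announcement or ISC's code), the following Python quantifies what the expanded port range buys a resolver: it counts the usable source ports from assumed use/avoid port ranges, computes the (message ID, port) guess space a blind forger then faces, and offers a simple check on whether a sample of observed query source ports looks randomized at all.

```python
# Added example, not part of the BIND 9.4.3b2 announcement or ISC's code.
# The port ranges and observed-port sample below are constructed.
import math
from collections import Counter

TXID_SPACE = 1 << 16  # DNS message IDs are 16 bits


def usable_ports(ranges, avoid=()):
    """Number of UDP source ports a resolver may pick from, given inclusive
    (low, high) ranges to use and individual ports to avoid (assumed shape)."""
    ports = set()
    for low, high in ranges:
        ports.update(range(low, high + 1))
    ports.difference_update(avoid)
    return len(ports)


def forgery_space(n_ports):
    """Size of the (message ID, source port) space a blind forger must guess."""
    return TXID_SPACE * n_ports


def entropy_bits(n_ports):
    """Bits of unpredictability in an outgoing query's ID plus port."""
    return math.log2(forgery_space(n_ports))


def guesses_for_probability(n_ports, p=0.5):
    """Distinct spoofed responses needed to reach hit probability p while
    one query is outstanding (each guess covers one ID/port pair)."""
    return math.ceil(p * forgery_space(n_ports))


def looks_randomized(observed_ports, min_distinct=None):
    """Defender-side sanity check on captured query source ports: a fixed
    port shows up as one value, a randomizing resolver as many."""
    counts = Counter(observed_ports)
    if min_distinct is None:
        min_distinct = max(2, len(observed_ports) // 2)
    return len(counts) >= min_distinct


if __name__ == "__main__":
    # Constructed comparison: single fixed port vs. 1024-65535 minus two ports
    for n in (1, usable_ports([(1024, 65535)], avoid=[8080, 8443])):
        print(n, "ports ->", round(entropy_bits(n), 2), "bits,",
              guesses_for_probability(n), "guesses for 50%")
    print("fixed port sample randomized?", looks_randomized([1053] * 100))
```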

BIND 9.4.3b2 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.4.3b2/bind-9.4.3b2.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.4.3b2/...3b2.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.3b2/....gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3b2/....gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows 2000, Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4.3b2/BIND9.4.3b2.zip
ftp://ftp.isc.org/isc/bind9/9.4.3b2/....3b2.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and
Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4.3b2/BIND9.4.3b2.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3b2/...zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3b2/...zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.3b2/....debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3b2/...zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3b2/...zip.sha512.asc

Changes since 9.4.3b1:

--- 9.4.3b2 released ---

2385. [bug] A condition variable in socket.c could leak in
rare error handling [RT #17968].

2384. [security] Additional support for query port randomization (change
#2375) including performance improvement and port range
specification. [RT #17949, #18098]

2383. [bug] named could double queries when they resulted in
SERVFAIL due to overkilling EDNS0 failure detection.
[RT #18182]

2382. [doc] Add descriptions of IPSECKEY, SPF and SSHFP to ARM.

2381. [port] dlz/mysql: support multiple install layouts for
mysql. <prefix>/include/{,mysql/}mysql.h and
<prefix>/lib/{,mysql/}. [RT #18152]

2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET
proofs which, in turn, caused validation failures
for insecure zones immediately below a secure zone
the server was authoritative for. [RT #18112]

2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
TLDs and supported RRs with TTLs [RT #17972]

2377. [bug] Address race condition in dnssec-signzone. [RT #18142]

2376. [bug] Change #2144 was not complete.

2375. [security] Fully randomize UDP query ports to improve
forgery resilience. [RT #17949]

2372. [bug] fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]

2369. [bug] libbind: Array bounds overrun on read in bitncmp().
[RT #18054]

2364. [bug] named could trigger an assertion when serving a
malformed signed zone. [RT #17828]

2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096".
[RT #17513]

2361. [bug] "recursion" statistics counter could be counted
multiple times for a single query. [RT #17990]

--
Evan Hunt -- evan_hunt@isc.org
Internet Systems Consortium, Inc.