Patch-ID# 103663-12
Keywords: security DNS CERT BIND in.named named-xfer nss_dns.so.1 libresolv.so.2
Synopsis: SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & nstest patch
Date: May/26/98

Solaris Release: 2.5.1

SunOS Release: 5.5.1

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 103664
Xref: This patch available for PPC as patch 103665

Topic: SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & nstest patch

BugId's fixed with this patch: 1238679 1247019 1253600 1264386 1265838 1266187 4007986 4008451 4018620 4037068 4038360 4056997 4071167 4081667 4133340

Changes incorporated in this version: 4133340

Relevant Architectures: sparc

Patches accumulated and obsoleted by this patch: 103683-01

Patches which conflict with this patch: iss_sparc-01 (or newer)

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/usr/include/arpa/nameser.h
/usr/include/netdb.h
/usr/include/resolv.h
/usr/lib/libresolv.so
/usr/lib/libresolv.so.1
/usr/lib/libresolv.so.2
/usr/lib/nslookup.help
/usr/sbin/in.named
/usr/sbin/named-xfer
/usr/sbin/nslookup
/usr/sbin/nstest
/usr/lib/nss_dns.so.1

Problem Description:

4133340 res_send can hang in recvfrom after bogus select/poll return

(from 103663-11)

4056997 BIND spoofing vulnerability per SNI-12 bulletin. Also CERT CA-97.22
1266187 function declaration in netdb.h wrong for non-ansi for 4.9.3

(from 103663-10)

4071167 libresolv.so.1 can cause threaded applications to deadlock via nss_dns.so.1

(from 103663-09)

4081667 in.named 4.9.3.p1 segmentation fault ns_resp+0x40ac (servfail)

(from 103663-08)

4038360 Applications linked against libresolv.so.1 and running w/ 103663-05 fail
4037068 libresolv does not reread resolv.conf

(from 103663-07)

This patch is recranked to work around bug 4010430 -- installpatch should
ignore a required patch when not applicable to a target system. The
workaround is to include an empty root sparse patch package. This will
allow the patch dependency requirement to be met in a server/client
configuration.

(from 103663-06)

4008451 in.named should have a configurable listen(3N) backlog

(from 103663-05)

4018620 DNS server cache corruption and loss of root server A records.

(from 103663-04)

1265838 nslookup takes too long to fail if /etc/resolv.conf is missing

(from 103663-03)

1264386 BIND 4.9.3 integration not complete
4007986 libresolv conflict for libresolv.so.1 apps using DNS via NS switch

(from 103663-02)

1247019 nslookup takes 90 seconds if /etc/resolv.conf file is missing

(from 103663-01)

1238679 DNS spoofing is possible per Cern ca-96.02

(from 103683-01)

1253600 nss_dns.so.1 source modification and rebuild for BIND 4.9.3

Patch Installation Instructions:
--------------------------------
Refer to the Install.info file within the patch for instructions on
using the generic 'installpatch' and 'backoutpatch' scripts provided
with each patch. Any other special or non-generic installation
instructions should be described below.

Special Install Instructions:
-----------------------------
Please refer to the file called BIND_493 that came with this patch.
This document describes the difference between libresolv.so.1 and
libresolv.so.2 and provides the BIND 4.9.3 man pages.

It is recommended to install the following patches:

103594-03 or newer    sendmail patch
103680-01 or newer    nscd/nscd_nischeck rebuild for BIND 4.9.3
103686-01 or newer    rpc.nisd_resolv rebuild for BIND 4.9.3