Patch-ID# 105756-13
Keywords: security libresolv multithreaded in.named res_mkquery
Synopsis: SunOS 5.6_x86: libresolv, in.named, named-xfer, nslookup, nstest patch
Date: Feb/25/2003

Install Requirements: None

Solaris Release: 2.6_x86

SunOS Release: 5.6_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 105755

Topic: SunOS 5.6_x86: libresolv, in.named, named-xfer, nslookup, nstest patch

Relevant Architectures: i386

BugId's fixed with this patch: 1266187 4056997 4068577 4071167 4089702 4118596 4127017 4127028 4133340 4133571 4134616 4168525 4169815 4252453 4264891 4409676 4525129 4646349 4700305 4708913 4777715

Changes incorporated in this version: 4700305 4777715

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/usr/lib/libresolv.so.1
/usr/lib/libresolv.so.2
/usr/lib/llib-lresolv
/usr/lib/llib-lresolv.ln
/usr/sbin/in.named
/usr/sbin/named-xfer
/usr/sbin/nslookup
/usr/sbin/nstest

Problem Description:

4777715 Multiple Remote Vulnerabilities in BIND - CERT Advisory CA-2002-31
4700305 nslookup does not follow its 'srchlist' under some circumstances

(from 105756-12)

4708913 CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

(from 105756-11)

4525129 DNS over TCP can induce gethostbyX(3NSL) meltdown
4646349 libresolv.so.2 leaks memory in multi-threaded programs

(from 105756-10)

4409676 CERT Advisory CA-2001-02/Solaris dns (bind)

(from 105756-09)

4169815 named-xfer segmentation fault on LOC RR
4264891 nameresolution fails after loading patch 105755-06

(from 105756-08)

4252453 libresolv doesn't handle SIG-records

(from 105756-07)

4134616 in.named can hang when calling res_mkquery
4168525 libresolv fails if cname contains a '/' character (rfc 2317)

(from 105756-06)

4133571 BIND has /tmp vulnerabilities
4127028 BIND does not properly bounds check memory references in server and resolver
4127017 Inverse Query in BIND can crash system or give root access to an attacker
4068577 libresolv.so.2 buffer overflow vulnerability per SNI-12 bulletin

(from 105756-05)

4133340 res_send can hang in recvfrom after bogus select/poll return

(from 105756-04)

4118596 in.named stops responding to users requests and uses up CPU

(from 105756-03)

4056997 BIND spoofing vulnerability per SNI-12 bulletin. Also CERT CA-97.22
1266187 function declaration in netdb.h wrong for non-ansi for 4.9.3

(from 105756-02)

4089702 hostname with underscore, '_', not supported in Solaris 2.6

(from 105756-01)

4071167 libresolv.so.1 can cause threaded applications to deadlock via nss_dns.so.1

Patch Installation Instructions:
--------------------------------

Refer to the Install.info file within the patch for instructions on
using the generic 'installpatch' and 'backoutpatch' scripts provided
with each patch. Any other special or non-generic installation
instructions should be described below.

Special Install Instructions:
-----------------------------

Reboot the system after patch installation.

README -- Last modified date: Tuesday, February 25, 2003