Fedora 20: knot Security Update

    Date: 18 Apr 2015
    Category: Fedora
    Posted By: LinuxSecurity Advisories
    new upstream release
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2015-5812
    2015-04-09 04:56:35
    --------------------------------------------------------------------------------
    
    Name        : knot
    Product     : Fedora 20
    Version     : 1.6.3
    Release     : 1.fc20
    URL         : http://www.knot-dns.cz
    Summary     : An authoritative DNS daemon
    Description :
    Knot DNS is a high-performance authoritative DNS server implementation.
    
    --------------------------------------------------------------------------------
    Update Information:
    
    new upstream release
    --------------------------------------------------------------------------------
    ChangeLog:
    
    * Wed Apr  8 2015 Jan Vcelak  1.6.3-1
    - new upstream release:
      + fix: performance drop for NSEC-signed zones
      + fix: proper handling of TCP short-writes
      + fix: possible out-of-bound reads in zone parser and packet parser
      + feature: CDS and CDNSKEY support in zone parser
      + improvement: add defaults for TCP config options into documentation
      + improvement: detailed error message if zone reload fails
    * Thu Feb 19 2015 Jan Vcelak  1.6.2-1
    - new upstream release:
      + new config option 'max-tcp-clients'
      + fix possible resource leak when terminating inactive TCP clients
    * Tue Jan 20 2015 Jan Vcelak  1.6.1-3
    - service file changes:
      + remove dependency on network.target
      + remove bounding capabilities (breaks reload)
    * Sat Dec 13 2014 Jan Vcelak  1.6.1-2
    - new upstream release:
      + DNSSEC: support for Single-Type Signing Scheme
      + fix: journal file growing over configured limit
    - service file changes:
      + run as 'knot' user and group
      + set security bounding capabilities
      + change Type to 'notify'
    * Thu Oct 30 2014 Jan Vcelak  1.6.0-2
    - default config: run server as unprivileged user
    - service file: remove useless startup dependencies
    - service file: add bounding capabilities
    * Thu Oct 23 2014 Jan Vcelak  1.6.0-1
    - new upstream release:
      + support for persistent zone timers (expire, refresh, and flush)
      + DNSSEC: RFC-compliant processing of letter case in RDATA domain names
      + EDNS: return minimal response for queries with unsupported version
      + EDNS: fix interpretation of Extended RCODE
      + transfers: fix forced zone retransfer
      + timers: properly expire zone when transfer is being refused by master
    * Mon Sep 15 2014 Jan Vcelak  1.5.3-1
    - new upstream release:
      + fix crash on specific incoming IXFR message
      + fix rare synchronization error during server reload
      + fix crash in reverse record synthesis module on DNSSEC signed zones
      + fix message ID and opcode for AXFR-style IXFR responses
      + fix sending of large responses to remote control commands
    * Mon Sep  8 2014 Jan Vcelak  1.5.2-1
    - new upstream release:
      + CVE-2014-0486: remote crash using crafted DNS message
      + transfers: do not refuse AXFR answers to IXFR queries
      + fix storing of hash character '#' in zone file
    * Tue Aug 19 2014 Jan Vcelak  1.5.1-1
    - new upstream release:
      + logging: unified logging messages
      + logging: support for systemd journal
      + DDNS: processing updates in bulk
      + DDNS: fix signing of responses with TSIG
      + DDNS: fix prerequisites checking in apex node
      + DNSSEC: fix domain names conversion to canonical format before signing
      + DNSSEC: semantic checks for signing keys
      + EDNS: fix inclusion of OPT record into some packets
      + knsupdate: fix use of zone origin for deletions
    * Sun Aug 17 2014 Fedora Release Engineering  - 1.5.0-2
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
    * Thu Jul 10 2014 Jan Vcelak  1.5.0-1
    - update to 1.5.0
      + reimplemented DDNS forwarding
      + transfer sizes logged in bytes
      + logging of outgoing/incoming NOTIFY messages
      + zone flush planning after bootstrap
      + DDNS signing changes freeing
      + knotc key handling
    - update to 1.5.0-rc2
      + edns-client-subnet support in kdig
      + optional asynchronous startup (config 'asynchronous-start')
      + preempt task queue for faster reload
      + lazy zone file write after zone transfer (config 'zonefile-sync')
      + close zone transfer after SERVFAIL response
      + incremental to full zone transfer fallback, wrong log message
      + zone events corner cases, reload replanning
    - update to 1.5.0-rc1
      + Pluggable query processing modules
      + Synthetic IPv4/IPv6 reverse/forward records (optional module)
      + Dnstap support in both utilities & server (optional module)
      + NOTIFY message support and new TSIG section in kdig
      + Multi-master support
      + Query processing and core functionality overhaul
      + Performance and reduced memory footprint
      + Faster zone events scheduling
      + RFC compliant queries/responses in some corner cases
      + Log messages
      + New documentation (Sphinx)
    - enabled dynamic linking
    - removed info pages
    * Wed Jun 18 2014 Jan Vcelak  1.4.7-1
    - update to 1.4.7
      + Fixed DDNS corner cases
      + Fixed zone EXPIRE timer
      + Fixed semantic checks false positives
      + Fixed sending malformed IXFR with automatic DNSSEC
      + Fixed NAPTR record serialization
    * Thu May 22 2014 Jan Vcelak  1.4.6-2
    - update to 1.4.6
      + DNSSEC: fix possible signing loop when doing key rollover
      + RRL: fixed sending of malformed UDP empty responses
    * Mon Apr 14 2014 Jan Vcelak  1.4.5-1
    - update to 1.4.5
      + fix weakness in TSIG digest checking
    * Thu Mar 27 2014 Jan Vcelak  1.4.4-1
    - update to 1.4.4
      + server is logging remote control commands
      + 'knotc reload' doesn't refresh unchanged zones
      + 'knotc -f refresh' forces zone retransfer
      + missing notifications after DDNS/automatic resign
      + zone is rebootstrapped if the zone file is unreadable
      + progressive bootstrap retry backoff
      + zone file parser allows asterisk as part of the label
      + journal maximum entry size fixes
      + sign DNSKEYs in non-apex nodes as regular RR sets
      + various spelling and typo fixes
    * Tue Feb 18 2014 Jan Vcelak  1.4.3-1
    - update to 1.4.3
      + DNSSEC: fixes in authenticated denial proofs
      + zone parser: case insensitive comparison of $ORIGIN
      + journal: fix corruption if zone loading fails
      + config: add support for includes of directories
    * Wed Feb 12 2014 Jan Vcelak  1.4.2-3
    - rebuild with new userspace-rcu
    * Mon Jan 27 2014 Jan Vcelak  1.4.2-2
    - enable IDN support in domain names
    * Mon Jan 27 2014 Jan Vcelak  1.4.2-1
    - update to 1.4.2
    * Mon Jan 13 2014 Jan Vcelak  1.4.1-1
    - update to 1.4.1
    * Mon Jan  6 2014 Jan Vcelak  1.4.0-1
    - update to 1.4.0
    * Fri Dec 13 2013 Jan Vcelak  1.4.0-0.2.rc2
    - update to 1.4.0-rc2
    * Tue Nov 26 2013 Jan Vcelak  1.4.0-0.1.rc1
    - update to 1.4.0-rc1
    --------------------------------------------------------------------------------
    
    This update can be installed with the "yum" update program.  Use
    su -c 'yum update knot' at the command line.
    For more information, refer to "Managing Software with yum",
    available at http://docs.fedoraproject.org/yum/.
    
    All packages are signed with the Fedora Project GPG key.  More details on the
    GPG keys used by the Fedora Project can be found at
    https://fedoraproject.org/keys
    --------------------------------------------------------------------------------
    _______________________________________________
    package-announce mailing list
    https://admin.fedoraproject.org/mailman/listinfo/package-announce
    