Question & Answer
Question
DNS IBM i Recommended Fixes
Answer
Recommendations
These recommendations are based upon your system already having installed the most current Cumulative PTF Package, HIPER PTF Group, and Database PTF Group. For further information or to order these PTFs, you should follow this link:
http://www.ibm.com/support/fixcentral/
The Rochester Support Center recommends installing the group and individual fixes listed below for corrective service and preventative maintenance. If a problem persists after the recommended fixes have been installed, the Rochester Support Center can more efficiently diagnose the problem and additional fixes may be recommended.
| Date Added | Fixes | + Product PTF Group | Description |
| 12/29/2017 | SI66583 V7R1M0 SI66584 V7R2M0 SI66585 V7R3M0 | RUNDNSUPD command gets MCH4426 Escape message when run in batch job | |
| 08/16/2017 | SI65339 --- (R610) SI65338 --- (R710) SI65337 --- (R720) SI65336 --- (R730 | Marked HIPER | DNS server instance crash
CVE-2017-3143 - DESCRIPTION: ISC BIND could allow a remote attacker to bypass security restrictions, caused by an error when an attacker can send and receive messages to an authoritative DNS server and has knowledge of a valid TSIG key name. By sending specially crafted data, an attacker could exploit this vulnerability to bypass TSIG authentication and manipulate BIND into accepting an unauthorized dynamic update. |
| 05/08/2017 | SI64617 ---- (R610) SI64615 ---- (R710) SI64630 ---- (R720) SI64614 ---- (R730) | CVE: CVE-2017-3136 - A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. CVE-2017-3137 - Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. CVE-2017-3138 - named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. | |
| 03/01/2017 | SI63767 --- (R730) SI63769 --- (R720) SI63774 --- (R710) SI63775 --- (R610) | CVE-2017-3135: Combination of DNS64 and RPZ can lead to crash. CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure. CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion. | |
| 12/01/2016 | SI60804 --- (R720) SI61239 --- (R710) SI62946 --- (R610) | CVE-2016-2848: A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 and in packages derived from releases prior to that date. | |
| 12/01/2016 | SI62945 --- (R730) SI62942 --- (R720)(The two PTFs above have been listed in the page.) SI62977 --- (R710) SI63081 --- (R610) | CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure. CVE-2016-2776: Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request. CVE-2016-2775: A query name which is too long can cause a segmentation fault in lwresd. | |
| 10/25/2016 | SI6080 ----- (R720) SI61239 --- (R710) SI62946 --- (R610) | CVE-2016-2828 - ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record. PTFs upgrade BIND to 9.10.1 | |
| 10/25/2016 | SI62942, SI62945 | 5770SS1 | CVE-2016-2776: A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query'). CVE-2016-2775 : A query name which is too long can cause a segmentation fault in lwresd. |
| 05/05/2016 | SI60342 --- (R720) SI60348 --- (R710) SI60379 --- (R610) | CVE-2016-1286: A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c. CVE-2016-1285: An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c. | |
| 04/29/2016 | SI59480 --- (R730) SI59569 --- (R720) SI59570 --- (R710) SI59654 --- (R610) SI60151 --- (R540) | CVE-2015-8705: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate. (Impacted versions: R730) CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c. (Impacted versions: R540, R610, R710, R720, R730) | |
| 03/30/2016 | SI59086 --- (R730) SI59100 --- (R720) SI59101 --- (R710) | 5770SS1 | CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c. |
| 09/22/2015 | SI57893 --- (R720) | 5770SS1 | CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c. |
| 09/10/2015 | SI57655 --- (R720) SI57654 --- (R710) SI57657 --- (R610) SI57658 --- (R540) | CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure. (Impacted versions: R540, R610, R710, R720) CVE-2015-4620: Specially constructed zone data can cause a resolver to crash when validating. (Impacted versions: R710, R720) | |
| 05/20/2015 | II14787 | 5770SS1 | OSP-BIND UPDATE 9.7.4-P1 MAY REQUIRE MANUAL CONFIGURATION UPDATE TO MAINTAIN FULL CLIENT FUNCTION |
| 02/05/2015 | SI55866 --- (R720) SI55748 --- (R710) SI55895 --- (R610) | CVE-2014-8500: A defect in delegation handling can be exploited to crash BIND. | |
| 04/16/2014 | SI51568 --- (R720) | 5770SS1 | CVE-2013-4854: A specially crafted query can cause BIND to terminate abnormally. CVE-2013-2266: A maliciously Crafted regular expression can cause memory exhaustion in named CVE-2012-5166: Specially crafted DNS data can cause a lockup in named. CVE-2012-4244: A specially crafted resource record could cause named to terminate. CVE-2012-3817: Heavy DNSSEC validation load can cause a "bad cache" assertion failure. CVE-2012-1667: Handling of zero length rdata can cause named to terminate unexpectedly. |
| 04/02/2014 | SI52942 | 5770SS1 | Client sends out a AAAA IPV6 DNS query. The i5 is returned an IPV6 DNS Query response with an IPV6 address. This causes the CPE3429, for this application. |
| 03/05/2014 | SI51669 | 5770SS1 | DNS - BIND UPGRADED TO 9.7.4-P1 Fixed CVE: CVE-2014-0591 A Crafted Query Against an NSEC3-signed Zone Can Crash BIND CVE-2013-4854 A specially crafted query can cause BIND to terminate abnormally CVE-2013-3919 A recursive resolver can be crashed by a query for a malformed zone CVE-2013-2266 A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named CVE-2012-5689 BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ CVE-2012-5688 BIND 9 servers using DNS64 can be crashed by a crafted query CVE-2012-5166 Specially crafted DNS data can cause a lockup in named CVE-2012-4244 A specially crafted Resource Record could cause named to terminate CVE-2012-3868 High TCP query load can trigger a memory leak CVE-2012-3817 Heavy DNSSEC validation load can cause a "bad cache" assertion failure CVE-2012-1667 Handling of zero length rdata can cause named to terminate unexpectedly CVE-2011-4313 BIND 9 Resolver crashes after logging an error in query.c CVE-2011-2465 Remote crash with certain RPZ configurations CVE-2011-2464 remote packet denial of service against authoritative and recursive servers |
| 11/22/2013 | SI50752 | 5770SS1 | OSP-BASEDIR-INCORROUT UPDATES FOR IBM NAVIGATOR FOR I(SP9) |
| 11/22/2013 | SI50753 | 5770SS1 | OSP-BASEDIR-INCORROUT IBM NAVIGATOR FOR I(SP9) |
| 5/09/2013 | SE53772 | 5770XE1 | OSP-DNS-UNPRED INAV UPDATES CUSTOMER SOA ATTRIBUTE WITH CORRECT EMAIL CONTACT FORMAT |
Important Information
For special instructions, review the cover letter for each PTF -
[{"Product":{"code":"SWG60","label":"IBM i"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Communications-TCP","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]
Was this topic helpful?
Document Information
Modified date:
18 December 2019
UID
nas8N1021191