summaryrefslogtreecommitdiffstats
path: root/doc/notes
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/notes/notes-9.16.12.rst2
-rw-r--r--doc/notes/notes-9.16.15.rst6
-rw-r--r--doc/notes/notes-9.16.20.rst2
-rw-r--r--doc/notes/notes-9.16.22.rst2
-rw-r--r--doc/notes/notes-9.16.27.rst4
-rw-r--r--doc/notes/notes-9.16.3.rst6
-rw-r--r--doc/notes/notes-9.16.33.rst8
-rw-r--r--doc/notes/notes-9.16.37.rst6
-rw-r--r--doc/notes/notes-9.16.4.rst7
-rw-r--r--doc/notes/notes-9.16.42.rst4
-rw-r--r--doc/notes/notes-9.16.44.rst2
-rw-r--r--doc/notes/notes-9.16.45.rst26
-rw-r--r--doc/notes/notes-9.16.46.rst19
-rw-r--r--doc/notes/notes-9.16.47.rst20
-rw-r--r--doc/notes/notes-9.16.48.rst69
-rw-r--r--doc/notes/notes-9.16.6.rst13
16 files changed, 164 insertions, 32 deletions
diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst
index d236f5e..30e84cb 100644
--- a/doc/notes/notes-9.16.12.rst
+++ b/doc/notes/notes-9.16.12.rst
@@ -22,7 +22,7 @@ Security Fixes
authentication). This flaw could be exploited to crash ``named``.
Theoretically, it also enabled remote code execution, but achieving
the latter is very difficult in real-world conditions.
- (CVE-2020-8625)
+ :cve:`2020-8625`
This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
Trend Micro Zero Day Initiative. :gl:`#2354`
diff --git a/doc/notes/notes-9.16.15.rst b/doc/notes/notes-9.16.15.rst
index 0cc0f49..a4b71c3 100644
--- a/doc/notes/notes-9.16.15.rst
+++ b/doc/notes/notes-9.16.15.rst
@@ -16,14 +16,14 @@ Security Fixes
~~~~~~~~~~~~~~
- A malformed incoming IXFR transfer could trigger an assertion failure
- in ``named``, causing it to quit abnormally. (CVE-2021-25214)
+ in ``named``, causing it to quit abnormally. :cve:`2021-25214`
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. :gl:`#2467`
- ``named`` crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
- query. (CVE-2021-25215)
+ query. :cve:`2021-25215`
ISC would like to thank `Siva Kakarla`_ for bringing this
vulnerability to our attention. :gl:`#2540`
@@ -37,7 +37,7 @@ Security Fixes
GSSAPI authentication). This flaw could be exploited to crash
``named`` binaries compiled for 64-bit platforms, and could enable
remote code execution when ``named`` was compiled for 32-bit
- platforms. (CVE-2021-25216)
+ platforms. :cve:`2021-25216`
This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
Zero Day Initiative. :gl:`#2604`
diff --git a/doc/notes/notes-9.16.20.rst b/doc/notes/notes-9.16.20.rst
index b1ae9b2..1682f4b 100644
--- a/doc/notes/notes-9.16.20.rst
+++ b/doc/notes/notes-9.16.20.rst
@@ -17,7 +17,7 @@ Security Fixes
- Fixed an assertion failure that occurred in ``named`` when it
attempted to send a UDP packet that exceeded the MTU size, if
- Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
+ Response Rate Limiting (RRL) was enabled. :cve:`2021-25218` :gl:`#2856`
- ``named`` failed to check the opcode of responses when performing zone
refreshes, stub zone updates, and UPDATE forwarding. This could lead
diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst
index 3403ee6..5356099 100644
--- a/doc/notes/notes-9.16.22.rst
+++ b/doc/notes/notes-9.16.22.rst
@@ -26,7 +26,7 @@ Security Fixes
that has a negligible impact on resolver performance while also
preventing abuse. Administrators may observe more traffic towards
servers issuing certain types of broken responses than in previous
- BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
+ BIND 9 releases, depending on client query patterns. :cve:`2021-25219`
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. :gl:`#2899`
diff --git a/doc/notes/notes-9.16.27.rst b/doc/notes/notes-9.16.27.rst
index 842a1c4..a319f52 100644
--- a/doc/notes/notes-9.16.27.rst
+++ b/doc/notes/notes-9.16.27.rst
@@ -17,7 +17,7 @@ Security Fixes
- The rules for acceptance of records into the cache have been tightened
to prevent the possibility of poisoning if forwarders send records
- outside the configured bailiwick. (CVE-2021-25220)
+ outside the configured bailiwick. :cve:`2021-25220`
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
@@ -26,7 +26,7 @@ Security Fixes
- TCP connections with ``keep-response-order`` enabled could leave the
TCP sockets in the ``CLOSE_WAIT`` state when the client did not
- properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+ properly shut down the connection. :cve:`2022-0396` :gl:`#3112`
Feature Changes
~~~~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst
index 773bfd8..c987921 100644
--- a/doc/notes/notes-9.16.3.rst
+++ b/doc/notes/notes-9.16.3.rst
@@ -20,11 +20,11 @@ Security Fixes
request before aborting recursion has been further limited. Root and
top-level domain servers are no longer exempt from the
``max-recursion-queries`` limit. Fetches for missing name server
- address records are limited to 4 for any domain. This issue was
- disclosed in CVE-2020-8616. :gl:`#1388`
+ address records are limited to 4 for any domain. :cve:`2020-8616`
+ :gl:`#1388`
- Replaying a TSIG BADTIME response as a request could trigger an
- assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
+ assertion failure. :cve:`2020-8617` :gl:`#1703`
Known Issues
~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.33.rst b/doc/notes/notes-9.16.33.rst
index 876aab8..6e152b5 100644
--- a/doc/notes/notes-9.16.33.rst
+++ b/doc/notes/notes-9.16.33.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of :iscman:`named` running as a
- recursive resolver. This has been fixed. (CVE-2022-2795)
+ recursive resolver. This has been fixed. :cve:`2022-2795`
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
@@ -27,14 +27,14 @@ Security Fixes
- :iscman:`named` running as a resolver with the
``stale-answer-client-timeout`` option set to ``0`` could crash with
an assertion failure, when there was a stale CNAME in the cache for
- the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517`
+ the incoming query. This has been fixed. :cve:`2022-3080` :gl:`#3517`
- A memory leak was fixed that could be externally triggered in the
- DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177)
+ DNSSEC verification code for the ECDSA algorithm. :cve:`2022-38177`
:gl:`#3487`
- Memory leaks were fixed that could be externally triggered in the
- DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
:gl:`#3487`
Feature Changes
diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst
index 9b0393c..4d24781 100644
--- a/doc/notes/notes-9.16.37.rst
+++ b/doc/notes/notes-9.16.37.rst
@@ -19,14 +19,14 @@ Security Fixes
available memory. This flaw was addressed by adding a new
``update-quota`` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
- queue at any given time (default: 100). (CVE-2022-3094)
+ queue at any given time (default: 100). :cve:`2022-3094`
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. :gl:`#3523`
- :iscman:`named` could crash with an assertion failure when an RRSIG
query was received and ``stale-answer-client-timeout`` was set to a
- non-zero value. This has been fixed. (CVE-2022-3736)
+ non-zero value. This has been fixed. :cve:`2022-3736`
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
@@ -36,7 +36,7 @@ Security Fixes
``stale-answer-client-timeout`` option set to any value greater than
``0`` could crash with an assertion failure, when the
``recursive-clients`` soft quota was reached. This has been fixed.
- (CVE-2022-3924)
+ :cve:`2022-3924`
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. :gl:`#3619`
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst
index 6dd03f6..eb8c200 100644
--- a/doc/notes/notes-9.16.4.rst
+++ b/doc/notes/notes-9.16.4.rst
@@ -16,12 +16,11 @@ Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion when attempting to fill an
- oversized TCP buffer. This was disclosed in CVE-2020-8618.
- :gl:`#1850`
+ oversized TCP buffer. :cve:`2020-8618` :gl:`#1850`
- It was possible to trigger an INSIST failure when a zone with an
- interior wildcard label was queried in a certain pattern. This was
- disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
+ interior wildcard label was queried in a certain pattern.
+ :cve:`2020-8619` :gl:`#1111` :gl:`#1718`
New Features
~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.42.rst b/doc/notes/notes-9.16.42.rst
index 85b0ede..423ddfa 100644
--- a/doc/notes/notes-9.16.42.rst
+++ b/doc/notes/notes-9.16.42.rst
@@ -17,7 +17,7 @@ Security Fixes
- The overmem cleaning process has been improved, to prevent the cache
from significantly exceeding the configured ``max-cache-size`` limit.
- (CVE-2023-2828)
+ :cve:`2023-2828`
ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
@@ -28,7 +28,7 @@ Security Fixes
refresh the stale data in cache. If the fetch is aborted for exceeding
the recursion quota, it was possible for :iscman:`named` to enter an
infinite callback loop and crash due to stack overflow. This has been
- fixed. (CVE-2023-2911) :gl:`#4089`
+ fixed. :cve:`2023-2911` :gl:`#4089`
Bug Fixes
~~~~~~~~~
diff --git a/doc/notes/notes-9.16.44.rst b/doc/notes/notes-9.16.44.rst
index 81c157a..b43db5a 100644
--- a/doc/notes/notes-9.16.44.rst
+++ b/doc/notes/notes-9.16.44.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing :iscman:`named` to terminate unexpectedly.
- This has been fixed. (CVE-2023-3341)
+ This has been fixed. :cve:`2023-3341`
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. :gl:`#4152`
diff --git a/doc/notes/notes-9.16.45.rst b/doc/notes/notes-9.16.45.rst
new file mode 100644
index 0000000..4f83e56
--- /dev/null
+++ b/doc/notes/notes-9.16.45.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.45
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The IP addresses for B.ROOT-SERVERS.NET have been updated to
+ 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.46.rst b/doc/notes/notes-9.16.46.rst
new file mode 100644
index 0000000..b0af65a
--- /dev/null
+++ b/doc/notes/notes-9.16.46.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.46
+----------------------
+
+.. note::
+
+ The BIND 9.16.46 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
diff --git a/doc/notes/notes-9.16.47.rst b/doc/notes/notes-9.16.47.rst
new file mode 100644
index 0000000..bf39c3d
--- /dev/null
+++ b/doc/notes/notes-9.16.47.rst
@@ -0,0 +1,20 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.47
+----------------------
+
+.. note::
+
+ The BIND 9.16.47 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Vinzenz Vogel and Daniel
+ Stirnimann of SWITCH.
diff --git a/doc/notes/notes-9.16.48.rst b/doc/notes/notes-9.16.48.rst
new file mode 100644
index 0000000..917e551
--- /dev/null
+++ b/doc/notes/notes-9.16.48.rst
@@ -0,0 +1,69 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.48
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Validating DNS messages containing a lot of DNSSEC signatures could
+ cause excessive CPU load, leading to a denial-of-service condition.
+ This has been fixed. :cve:`2023-50387`
+
+ ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
+ and Michael Waidner from the German National Research Center for
+ Applied Cybersecurity ATHENE for bringing this vulnerability to our
+ attention. :gl:`#4424`
+
+- Preparing an NSEC3 closest encloser proof could cause excessive CPU
+ load, leading to a denial-of-service condition. This has been fixed.
+ :cve:`2023-50868` :gl:`#4459`
+
+- Parsing DNS messages with many different names could cause excessive
+ CPU load. This has been fixed. :cve:`2023-4408`
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4234`
+
+- Specific queries could cause :iscman:`named` to crash with an
+ assertion failure when ``nxdomain-redirect`` was enabled. This has
+ been fixed. :cve:`2023-5517` :gl:`#4281`
+
+- A bad interaction between DNS64 and serve-stale could cause
+ :iscman:`named` to crash with an assertion failure, when both of these
+ features were enabled. This has been fixed. :cve:`2023-5679`
+ :gl:`#4334`
+
+- Query patterns that continuously triggered cache database maintenance
+ could cause an excessive amount of memory to be allocated, exceeding
+ ``max-cache-size`` and potentially leading to all available memory on
+ the host running :iscman:`named` being exhausted. This has been fixed.
+ :cve:`2023-6516`
+
+ ISC would like to thank Infoblox for bringing this vulnerability to
+ our attention. :gl:`#4383`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
+ aes;``) has been deprecated and will be removed in a future release.
+ Please use the current default, SipHash-2-4, instead. :gl:`#4421`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.6.rst b/doc/notes/notes-9.16.6.rst
index 1357f1d..75cee14 100644
--- a/doc/notes/notes-9.16.6.rst
+++ b/doc/notes/notes-9.16.6.rst
@@ -16,7 +16,7 @@ Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion failure by sending a specially
- crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
+ crafted large TCP DNS message. :cve:`2020-8620`
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
bringing this vulnerability to our attention. :gl:`#1996`
@@ -25,14 +25,13 @@ Security Fixes
query resolution scenarios where QNAME minimization and forwarding
were both enabled. To prevent such crashes, QNAME minimization is now
always disabled for a given query resolution process, if forwarders
- are used at any point. This was disclosed in CVE-2020-8621.
+ are used at any point. :cve:`2020-8621`
ISC would like to thank Joseph Gullo for bringing this vulnerability
to our attention. :gl:`#1997`
- It was possible to trigger an assertion failure when verifying the
- response to a TSIG-signed request. This was disclosed in
- CVE-2020-8622.
+ response to a TSIG-signed request. :cve:`2020-8622`
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
of Oracle for bringing this vulnerability to our attention.
@@ -40,8 +39,8 @@ Security Fixes
- When BIND 9 was compiled with native PKCS#11 support, it was possible
to trigger an assertion failure in code determining the number of bits
- in the PKCS#11 RSA public key with a specially crafted packet. This
- was disclosed in CVE-2020-8623.
+ in the PKCS#11 RSA public key with a specially crafted packet.
+ :cve:`2020-8623`
ISC would like to thank Lyu Chiy for bringing this vulnerability to
our attention. :gl:`#2037`
@@ -50,7 +49,7 @@ Security Fixes
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
to update names outside of the specified subdomains. The problem was
fixed by making sure ``subdomain`` rules are again processed as
- described in the ARM. This was disclosed in CVE-2020-8624.
+ described in the ARM. :cve:`2020-8624`
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
vulnerability to our attention. :gl:`#2055`