summaryrefslogtreecommitdiffstats
path: root/doc/notes
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/notes/notes-9.18.1.rst8
-rw-r--r--doc/notes/notes-9.18.11.rst6
-rw-r--r--doc/notes/notes-9.18.16.rst4
-rw-r--r--doc/notes/notes-9.18.19.rst4
-rw-r--r--doc/notes/notes-9.18.20.rst44
-rw-r--r--doc/notes/notes-9.18.21.rst31
-rw-r--r--doc/notes/notes-9.18.22.rst19
-rw-r--r--doc/notes/notes-9.18.23.rst20
-rw-r--r--doc/notes/notes-9.18.24.rst65
-rw-r--r--doc/notes/notes-9.18.3.rst2
-rw-r--r--doc/notes/notes-9.18.7.rst10
11 files changed, 196 insertions, 17 deletions
diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst
index f76369b..f0cfe77 100644
--- a/doc/notes/notes-9.18.1.rst
+++ b/doc/notes/notes-9.18.1.rst
@@ -17,7 +17,7 @@ Security Fixes
- The rules for acceptance of records into the cache have been tightened
to prevent the possibility of poisoning if forwarders send records
- outside the configured bailiwick. (CVE-2021-25220)
+ outside the configured bailiwick. :cve:`2021-25220`
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
@@ -26,18 +26,18 @@ Security Fixes
- TCP connections with :any:`keep-response-order` enabled could leave the
TCP sockets in the ``CLOSE_WAIT`` state when the client did not
- properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+ properly shut down the connection. :cve:`2022-0396` :gl:`#3112`
- Lookups involving a DNAME could trigger an assertion failure when
:any:`synth-from-dnssec` was enabled (which is the default).
- (CVE-2022-0635)
+ :cve:`2022-0635`
ISC would like to thank Vincent Levigneron from AFNIC for bringing
this vulnerability to our attention. :gl:`#3158`
- When chasing DS records, a timed-out or artificially delayed fetch
could cause ``named`` to crash while resuming a DS lookup.
- (CVE-2022-0667) :gl:`#3129`
+ :cve:`2022-0667` :gl:`#3129`
Feature Changes
~~~~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst
index 3e44dc2..77ee344 100644
--- a/doc/notes/notes-9.18.11.rst
+++ b/doc/notes/notes-9.18.11.rst
@@ -19,14 +19,14 @@ Security Fixes
available memory. This flaw was addressed by adding a new
:any:`update-quota` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
- queue at any given time (default: 100). (CVE-2022-3094)
+ queue at any given time (default: 100). :cve:`2022-3094`
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. :gl:`#3523`
- :iscman:`named` could crash with an assertion failure when an RRSIG
query was received and :any:`stale-answer-client-timeout` was set to a
- non-zero value. This has been fixed. (CVE-2022-3736)
+ non-zero value. This has been fixed. :cve:`2022-3736`
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
@@ -36,7 +36,7 @@ Security Fixes
:any:`stale-answer-client-timeout` option set to any value greater
than ``0`` could crash with an assertion failure, when the
:any:`recursive-clients` soft quota was reached. This has been fixed.
- (CVE-2022-3924)
+ :cve:`2022-3924`
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. :gl:`#3619`
diff --git a/doc/notes/notes-9.18.16.rst b/doc/notes/notes-9.18.16.rst
index 9ed090c..d1350c1 100644
--- a/doc/notes/notes-9.18.16.rst
+++ b/doc/notes/notes-9.18.16.rst
@@ -17,7 +17,7 @@ Security Fixes
- The overmem cleaning process has been improved, to prevent the cache from
significantly exceeding the configured :any:`max-cache-size` limit.
- (CVE-2023-2828)
+ :cve:`2023-2828`
ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
@@ -27,7 +27,7 @@ Security Fixes
- A query that prioritizes stale data over lookup triggers a fetch to refresh
the stale data in cache. If the fetch is aborted for exceeding the recursion
quota, it was possible for :iscman:`named` to enter an infinite callback
- loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911)
+ loop and crash due to stack overflow. This has been fixed. :cve:`2023-2911`
:gl:`#4089`
New Features
diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst
index 3d3c513..9c3ebd8 100644
--- a/doc/notes/notes-9.18.19.rst
+++ b/doc/notes/notes-9.18.19.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing :iscman:`named` to terminate unexpectedly.
- This has been fixed. (CVE-2023-3341)
+ This has been fixed. :cve:`2023-3341`
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. :gl:`#4152`
@@ -26,7 +26,7 @@ Security Fixes
- A flaw in the networking code handling DNS-over-TLS queries could
cause :iscman:`named` to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has been
- fixed. (CVE-2023-4236)
+ fixed. :cve:`2023-4236`
ISC would like to thank Robert Story from USC/ISI Root Server
Operations for bringing this vulnerability to our attention.
diff --git a/doc/notes/notes-9.18.20.rst b/doc/notes/notes-9.18.20.rst
new file mode 100644
index 0000000..a1c24f5
--- /dev/null
+++ b/doc/notes/notes-9.18.20.rst
@@ -0,0 +1,44 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.20
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The IP addresses for B.ROOT-SERVERS.NET have been updated to
+ 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
+
+Bug Fixes
+~~~~~~~~~
+
+- If the unsigned version of an inline-signed zone contained DNSSEC
+ records, it was incorrectly scheduled for resigning. This has been
+ fixed. :gl:`#4350`
+
+- Looking up stale data from the cache did not take local authoritative
+ data into account. This has been fixed. :gl:`#4355`
+
+- An assertion failure was triggered when :any:`lock-file` was used at
+ the same time as the :option:`named -X` command-line option. This has
+ been fixed. :gl:`#4386`
+
+- The :any:`lock-file` file was being removed when it should not have
+ been, making the statement ineffective when :iscman:`named` was
+ started three or more times. This has been fixed. :gl:`#4387`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.18.21.rst b/doc/notes/notes-9.18.21.rst
new file mode 100644
index 0000000..12876d8
--- /dev/null
+++ b/doc/notes/notes-9.18.21.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.21
+----------------------
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
+ aes;``) has been deprecated and will be removed in a future release.
+ Please use the current default, SipHash-2-4, instead. :gl:`#4421`
+
+- The :any:`resolver-nonbackoff-tries` and :any:`resolver-retry-interval`
+ statements have been deprecated. Using them now causes a warning to be
+ logged. :gl:`#4405`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.18.22.rst b/doc/notes/notes-9.18.22.rst
new file mode 100644
index 0000000..77f374c
--- /dev/null
+++ b/doc/notes/notes-9.18.22.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.22
+----------------------
+
+.. note::
+
+ The BIND 9.18.22 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
diff --git a/doc/notes/notes-9.18.23.rst b/doc/notes/notes-9.18.23.rst
new file mode 100644
index 0000000..7f95b80
--- /dev/null
+++ b/doc/notes/notes-9.18.23.rst
@@ -0,0 +1,20 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.23
+----------------------
+
+.. note::
+
+ The BIND 9.18.23 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Vinzenz Vogel and Daniel
+ Stirnimann of SWITCH.
diff --git a/doc/notes/notes-9.18.24.rst b/doc/notes/notes-9.18.24.rst
new file mode 100644
index 0000000..3e3f1c2
--- /dev/null
+++ b/doc/notes/notes-9.18.24.rst
@@ -0,0 +1,65 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.24
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Validating DNS messages containing a lot of DNSSEC signatures could
+ cause excessive CPU load, leading to a denial-of-service condition.
+ This has been fixed. :cve:`2023-50387`
+
+ ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
+ and Michael Waidner from the German National Research Center for
+ Applied Cybersecurity ATHENE for bringing this vulnerability to our
+ attention. :gl:`#4424`
+
+- Preparing an NSEC3 closest encloser proof could cause excessive CPU
+ load, leading to a denial-of-service condition. This has been fixed.
+ :cve:`2023-50868` :gl:`#4459`
+
+- Parsing DNS messages with many different names could cause excessive
+ CPU load. This has been fixed. :cve:`2023-4408`
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4234`
+
+- Specific queries could cause :iscman:`named` to crash with an
+ assertion failure when :any:`nxdomain-redirect` was enabled. This has
+ been fixed. :cve:`2023-5517` :gl:`#4281`
+
+- A bad interaction between DNS64 and serve-stale could cause
+ :iscman:`named` to crash with an assertion failure, when both of these
+ features were enabled. This has been fixed. :cve:`2023-5679`
+ :gl:`#4334`
+
+- Under certain circumstances, the DNS-over-TLS client code incorrectly
+ attempted to process more than one DNS message at a time, which could
+ cause :iscman:`named` to crash with an assertion failure. This has
+ been fixed. :gl:`#4487`
+
+Bug Fixes
+~~~~~~~~~
+
+- The counters exported via the statistics channel were changed back to
+ 64-bit signed values; they were being inadvertently truncated to
+ unsigned 32-bit values since BIND 9.15.0. :gl:`#4467`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst
index 09952c9..8ed2be6 100644
--- a/doc/notes/notes-9.18.3.rst
+++ b/doc/notes/notes-9.18.3.rst
@@ -20,7 +20,7 @@ Security Fixes
DNS-over-HTTPS (DoH) clients. This has been fixed.
ISC would like to thank Thomas Amgarten from arcade solutions ag for
- bringing this vulnerability to our attention. (CVE-2022-1183)
+ bringing this vulnerability to our attention. :cve:`2022-1183`
:gl:`#3216`
Known Issues
diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst
index dade98e..5d46acd 100644
--- a/doc/notes/notes-9.18.7.rst
+++ b/doc/notes/notes-9.18.7.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of :iscman:`named` running as a
- recursive resolver. This has been fixed. (CVE-2022-2795)
+ recursive resolver. This has been fixed. :cve:`2022-2795`
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
@@ -27,20 +27,20 @@ Security Fixes
- When an HTTP connection was reused to request statistics from the
stats channel, the content length of successive responses could grow
in size past the end of the allocated buffer. This has been fixed.
- (CVE-2022-2881) :gl:`#3493`
+ :cve:`2022-2881` :gl:`#3493`
- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
could be externally triggered, when using TKEY records in DH mode with
- OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491`
+ OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491`
- :iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to ``0`` could crash
with an assertion failure, when there was a stale CNAME in the cache
- for the incoming query. This has been fixed. (CVE-2022-3080)
+ for the incoming query. This has been fixed. :cve:`2022-3080`
:gl:`#3517`
- Memory leaks were fixed that could be externally triggered in the
- DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
:gl:`#3487`
Feature Changes
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-28 19:53:36 +0000