blob: 3d3c513fc96dac80b6f1f27eaa71946ce2ea6134 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.18.19
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing :iscman:`named` to terminate unexpectedly.
This has been fixed. (CVE-2023-3341)
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. :gl:`#4152`
- A flaw in the networking code handling DNS-over-TLS queries could
cause :iscman:`named` to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has been
fixed. (CVE-2023-4236)
ISC would like to thank Robert Story from USC/ISI Root Server
Operations for bringing this vulnerability to our attention.
:gl:`#4242`
Removed Features
~~~~~~~~~~~~~~~~
- The :any:`dnssec-must-be-secure` option has been deprecated and will
be removed in a future release. :gl:`#4263`
Feature Changes
~~~~~~~~~~~~~~~
- If the ``server`` command is specified, :iscman:`nsupdate` now honors
the :option:`nsupdate -v` option for SOA queries by sending both the
UPDATE request and the initial query over TCP. :gl:`#1181`
Bug Fixes
~~~~~~~~~
- The value of the If-Modified-Since header in the statistics channel
was not being correctly validated for its length, potentially allowing
an authorized user to trigger a buffer overflow. Ensuring the
statistics channel is configured correctly to grant access exclusively
to authorized users is essential (see the :any:`statistics-channels`
block definition and usage section). :gl:`#4124`
This issue was reported independently by Eric Sesterhenn of X41 D-Sec
GmbH and Cameron Whitehead.
- The Content-Length header in the statistics channel was lacking proper
bounds checking. A negative or excessively large value could
potentially trigger an integer overflow and result in an assertion
failure. :gl:`#4125`
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
- Several memory leaks caused by not clearing the OpenSSL error stack
were fixed. :gl:`#4159`
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
- The introduction of ``krb5-subdomain-self-rhs`` and
``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
:iscman:`named` to return SERVFAIL responses to deletion requests for
non-existent PTR and SRV records. This has been fixed. :gl:`#4280`
- The :any:`stale-refresh-time` feature was mistakenly disabled when the
server cache was flushed by :option:`rndc flush`. This has been fixed.
:gl:`#4278`
- BIND's memory consumption has been improved by implementing dedicated
jemalloc memory arenas for sending buffers. This optimization ensures
that memory usage is more efficient and better manages the return of
memory pages to the operating system. :gl:`#4038`
- Previously, partial writes in the TLS DNS code were not accounted for
correctly, which could have led to DNS message corruption. This has
been fixed. :gl:`#4255`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.
|
