For details for 9.16.35 and 9.16.34 (we skipped the last) see:
https://downloads.isc.org/isc/bind9/9.16.35/doc/arm/html/notes.html#notes-for-bind-9-16-35
"Notes for BIND 9.16.35
Bug Fixes
A crash was fixed that happened when a dnssec-policy zone that used
NSEC3 was reconfigured to enable inline-signing. [GL #3591]
In certain resolution scenarios, quotas could be erroneously reached
for servers, including any configured forwarders, resulting in SERVFAIL
answers being sent to clients. This has been fixed. [GL #3598]
rpz-ip rules in response-policy zones could be ineffective in some
cases if a query had the CD (Checking Disabled) bit set to 1. This has
been fixed. [GL #3247]
Previously, if Internet connectivity issues were experienced during the
initial startup of named, a BIND resolver with dnssec-validation set to
auto could enter into a state where it would not recover without
stopping named, manually deleting the managed-keys.bind and
managed-keys.bind.jnl files, and starting named again. This has been
fixed. [GL #2895]
The statistics counter representing the current number of clients
awaiting recursive resolution results (RecursClients) could overflow in
certain resolution scenarios. This has been fixed. [GL #3584]
Previously, BIND failed to start on Solaris-based systems with hundreds
of CPUs. This has been fixed. [GL #3563]
When a DNS resource record’s TTL value was equal to the resolver’s
configured prefetch “eligibility” value, the record was erroneously not
treated as eligible for prefetching. This has been fixed. [GL #3603]
...
Notes for BIND 9.16.34
Bug Fixes
Changing just the TSIG key names for primaries in catalog zones’ member
zones was not effective. This has been fixed. [GL #3557]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33
"Security Fixes
Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of named running as a recursive
resolver. This has been fixed. (CVE-2022-2795)
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. [GL #3394]
named running as a resolver with the stale-answer-client-timeout option
set to 0 could crash with an assertion failure, when there was a stale
CNAME in the cache for the incoming query. This has been fixed.
(CVE-2022-3080) [GL #3517]
A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
#3487]
Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
#3487]
Feature Changes
Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name, to
prevent circumventing the limits enforced by RRL. [GL #3459]
Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]
A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the domain
to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
#3485]
Bug Fixes
A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. [GL #2982]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.32/doc/arm/html/notes.html#notes-for-bind-9-16-32
Excerpt from changelog:
"5934. [func] Improve fetches-per-zone fetch limit logging to log
the final allowed and spilled values of the fetch
counters before the counter object gets destroyed.
[GL #3461]
5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
named on Fedorda 33, Oracle Linux 9 and RHEL9 when
they are disabled by the security policy. [GL #3469]
5932. [bug] Fix rndc dumpdb -expired and always include expired
RRsets, not just for RBTDB_VIRTUAL time window.
[GL #3462]
5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
not fully effective; it was used for timing key
rollovers but did not actually place an upper limit
on TTLs when loading a zone. This has been
corrected, and the documentation has been clarified
to indicate that the old "max-zone-ttl" zone option
is now ignored when "dnssec-policy" is in use.
[GL #2918]
5924. [func] When it's necessary to use AXFR to respond to an
IXFR request, a message explaining the reason
is now logged at level info. [GL #2683]
5923. [bug] Fix inheritance for dnssec-policy when checking for
inline-signing. [GL #3438]
5922. [bug] Forwarding of UPDATE message could fail with the
introduction of netmgr. This has been fixed. [GL #3389]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.31/doc/arm/html/notes.html#notes-for-bind-9-16-31
Excerpt from changelog:
" --- 9.16.31 released ---
5917. [bug] Update ifconfig.sh script as is miscomputed interface
identifiers when destroying interfaces. [GL #3061]
5915. [bug] Detect missing closing brace (}) and computational
overflows in $GENERATE directives. [GL #3429]
5913. [bug] Fix a race between resolver query timeout and
validation in resolver.c:validated(). Remove
resolver.c:maybe_destroy() as it is no loger needed.
[GL #3398]
5909. [bug] The server-side destination port was missing from dnstap
captures of client traffic. [GL #3309]
5905. [bug] When the TCP connection would be closed/reset between
the connect/accept and the read, the uv_read_start()
return value would be unexpected and cause an assertion
failure. [GL #3400]
5903. [bug] When named checks that the OPCODE in a response matches
that of the request, if there is a mismatch named logs
an error. Some of those error messages incorrectly
used RCODE instead of OPCODE to lookup the nemonic.
This has been corrected. [GL !6420]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.30/doc/arm/html/notes.html#notes-for-bind-9-16-30
"Bug Fixes
The fetches-per-server quota is designed to adjust itself downward
automatically when an authoritative server times out too frequently.
Due to a coding error, that adjustment was applied incorrectly,
so that the quota for a congested server was always set to 1. This
has been fixed. [GL #3327]
DNSSEC-signed catalog zones were not being processed correctly. This
has been fixed. [GL #3380]
Key files were updated every time the dnssec-policy key manager ran,
whether the metadata had changed or not. named now checks whether
changes were applied before writing out the key files. [GL #3302]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.28/doc/arm/html/notes.html#notes-for-bind-9-16-28
"Notes for BIND 9.16.28
New Features
Add a new configuration option reuseport to disable load balancing
on sockets in situations where processing of Response Policy Zones
(RPZ), Catalog Zones, or large zone transfers can cause service
disruptions. See the BIND 9 ARM for more detail. [GL #3249]
Bug Fixes
Invalid dnssec-policy definitions, where the defined keys did not
cover both KSK and ZSK roles for a given algorithm, were being
accepted. These are now checked, and the dnssec-policy is rejected
if both roles are not present for all algorithms in use. [GL #3142]
Handling of TCP write timeouts has been improved to track the
timeout for each TCP write separately, leading to a faster
connection teardown in case the other party is not reading the data.
[GL #3200]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-for-bind-9-16-27
"Security Fixes
The rules for acceptance of records into the cache have been
tightened to prevent the possibility of poisoning if forwarders send
records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
Changgen Zou from Qi An Xin Group Corp. for bringing this
vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP
sockets in the CLOSE_WAIT state when the client did not properly
shut down the connection. (CVE-2022-0396) [GL #3112]
Feature Changes
DEBUG(1)-level messages were added when starting and ending the BIND
9 task-exclusive mode that stops normal DNS operation (e.g. for
reconfiguration, interface scans, and other events that require
exclusive access to a shared resource). [GL #3137]
Bug Fixes
The max-transfer-time-out and max-transfer-idle-out options were not
implemented when the BIND 9 networking stack was refactored in 9.16.
The missing functionality has been re-implemented and outgoing zone
transfers now time out properly when not progressing. [GL #1897]
TCP connections could hang indefinitely if the other party did not
read sent data, causing the TCP write buffers to fill. This has been
fixed by adding a “write” timer. Connections that are hung while
writing now time out after the tcp-idle-timeout period has elapsed.
[GL #3132]
The statistics counter representing the current number of clients
awaiting recursive resolution results (RecursClients) could
be miscalculated in certain resolution scenarios, potentially
causing the value of the counter to drop below zero. This has been
fixed. [GL #3147]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.26/doc/arm/html/notes.html#notes-for-bind-9-16-26
"Notes for BIND 9.16.26
Feature Changes
The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
by a client are now included in the client information sent to DLZ
modules when processing queries. [GL #3082]
Bug Fixes
Previously, recvmmsg support was enabled in libuv 1.35.0 and 1.36.0,
but not in libuv versions 1.37.0 or greater, reducing the maximum
query-response performance. This has been fixed. [GL #3095]
A failed view configuration during a named reconfiguration procedure
could cause inconsistencies in BIND internal structures, causing
a crash or other unexpected errors. This has been fixed. [GL #3060]
Previously, named logged a “quota reached” message when it hit its
hard quota on the number of connections. That message was
accidentally removed but has now been restored. [GL #3125]
Build errors were introduced in some DLZ modules due to an
incomplete change in the previous release. This has been fixed. [GL
#3111]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details (v9.16.22-v9.16.25) see:
https://downloads.isc.org/isc/bind9/9.16.25/doc/arm/html/notes.html#notes-for-bind-9-16-25
"Notes for BIND 9.16.25
Feature Changes
Overall memory use by named has been optimized and reduced,
especially on systems with many CPU cores. The default memory
allocator has been switched from internal to external. A new
command-line option -M internal allows named to be started with the
old internal memory allocator. [GL #2398]
Bug Fixes
On FreeBSD, TCP connections leaked a small amount of heap memory,
leading to an eventual out-of-memory problem. This has been fixed.
[GL #3051]
If signatures created by the ZSK were expired and the ZSK private
key was offline, the signatures were not replaced. This behavior has
been amended to replace the expired signatures with new signatures
created using the KSK. [GL #3049]
Under certain circumstances, the signed version of an inline-signed
zone could be dumped to disk without the serial number of the
unsigned version of the zone. This prevented resynchronization
of the zone contents after named restarted, if the unsigned zone
file was modified while named was not running. This has been fixed.
[GL #3071]
...
"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 9.11.32 to 9.16.22
- 9.11 is an ESV (Extended Support Version) that will go EOL in December 2021
9.16 is the replacement ESV whose EOL is not yet defined but will be at least 4 years
so should be supported until at least March 2024 as the 9.16 branch was started in 2020
- Update rootfile
- libuv is now required both to build the bind libraries and for the running of the
utilities.
- Changelog is difficult to define here as this is a change of branch from 9.11 to 9.16
both of which have been running in parallel. However all the changes from the start of
9.16.0 can be found in the CHANGES file in the source tarball.
- nslookup, host and dig utilities tested out by installing this on a vm testbed. All
these utilities worked as the previous version
nsupdate was not able to be tested other than confirming that running nsupdate
opened an interactive session. This utility would be good to be tested by someone
familiar with how to run it.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html
"Notes for BIND 9.11.32
Feature Changes
DNSSEC responses containing NSEC3 records with iteration counts
greater than 150 are now treated as insecure. [GL #2445]
The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. [GL #2642]
The implementation of the ZONEMD RR type has been updated to match
RFC 8976. [GL #2658]
Notes for BIND 9.11.31
Security Fixes
A malformed incoming IXFR transfer could trigger an assertion
failure in named, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. [GL #2467]
named crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank Siva Kakarla for bringing this vulnerability
to our attention. [GL #2540]
When a server's configuration set the tkey-gssapi-keytab
or tkey-gssapi-credential option, a specially crafted GSS-TSIG query
could cause a buffer overflow in the ISC implementation of SPNEGO
(a protocol enabling negotiation of the security mechanism used for
GSSAPI authentication). This flaw could be exploited to crash named
binaries compiled for 64-bit platforms, and could enable remote code
execution when named was compiled for 32-bit platforms.
(CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend
Micro Zero Day Initiative. [GL #2604]
Feature Changes
The ISC implementation of SPNEGO was removed from BIND 9 source
code. Instead, BIND 9 now always uses the SPNEGO implementation
provided by the system GSSAPI library when it is built with GSSAPI
support. All major contemporary Kerberos/GSSAPI libraries contain
an implementation of the SPNEGO mechanism. [GL #2607]
Notes for BIND 9.11.30
The BIND 9.11.30 release was withdrawn after a backporting bug was
discovered during pre-release testing. ISC would like to acknowledge the
assistance of Natan Segal of Bluecat Networks.2"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html
"Notes for BIND 9.11.28
Security Fixes
When tkey-gssapi-keytab or tkey-gssapi-credential was configured,
a specially crafted GSS-TSIG query could cause a buffer overflow in the
ISC implementation of SPNEGO (a protocol enabling negotiation of the
security mechanism to use for GSSAPI authentication). This flaw could
be exploited to crash named. Theoretically, it also enabled remote code
execution, but achieving the latter is very difficult in real-world
conditions. (CVE-2020-8625)
This vulnerability was responsibly reported to us as ZDI-CAN-12302
by Trend Micro Zero Day Initiative. [GL #2354]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.21/RELEASE-NOTES-bind-9.11.21.html
"Bug Fixes
named could crash when cleaning dead nodes in lib/dns/rbtdb.c that
were being reused. [GL #1968]
Properly handle missing kyua command so that make check does not
fail unexpectedly when CMocka is installed, but Kyua is not. [GL
#1950]
The validator could fail to accept a properly signed RRset if an
unsupported algorithm appeared earlier in the DNSKEY RRset than
a supported algorithm. It could also stop if it detected a malformed
public key. [GL #1689]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.20/RELEASE-NOTES-bind-9.11.20.html
"Security Fixes
It was possible to trigger an INSIST failure when a zone with
an interior wildcard label was queried in a certain pattern. This
was disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
New Features
dig and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or a response. [GL #1835]
Bug Fixes
When fully updating the NSEC3 chain for a large zone via IXFR,
a temporary loss of performance could be experienced on the
secondary server when answering queries for nonexistent data that
required DNSSEC proof of non-existence (in other words, queries that
required the server to find and to return NSEC3 data). The
unnecessary processing step that was causing this delay has now been
removed. [GL #1834]
A data race in lib/dns/resolver.c:log_formerr() that could lead
to an assertion failure was fixed. [GL #1808]
Previously, provide-ixfr no; failed to return up-to-date responses
when the serial number was greater than or equal to the current
serial number. [GL #1714]
named-checkconf -p could include spurious text in server-addresses
statements due to an uninitialized DSCP value. This has been fixed.
[GL #1812]
The ARM has been updated to indicate that the TSIG session key is
generated when named starts, regardless of whether it is needed. [GL
#1842]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
"Security Fixes
To prevent exhaustion of server resources by a maliciously
configured domain, the number of recursive queries that can be
triggered by a request before aborting recursion has been further
limited. Root and top-level domain servers are no longer exempt from
the max-recursion-queries limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger
an assertion failure. This was disclosed in CVE-2020-8617. [GL
#1703]
Feature Changes
Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
When running on a system with support for Linux capabilities, named
drops root privileges very soon after system startup. This was
causing a spurious log message, "unable to set effective uid to 0:
Operation not permitted", which has now been silenced. [GL #1042]
[GL #1090]
When named-checkconf -z was run, it would sometimes incorrectly set
its exit code. It reflected the status of the last view found;
if zone-loading errors were found in earlier configured views but
not in the last one, the exit code indicated success. Thanks
to Graham Clinch. [GL #1807]
When built without LMDB support, named failed to restart after
a zone with a double quote (") in its name was added with rndc
addzone. Thanks to Alberto Fernández. [GL #1695]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.18/RELEASE-NOTES-bind-9.11.18.html
"Security Fixes
DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding
DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]
Known Issues
We have received reports that in some circumstances, receipt of an IXFR can cause
the processing of queries to slow significantly. Some of these were related to RPZ
processing, which has been fixed in this release (see below). Others appear to occur
where there are NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated. [GL #1685]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.17/RELEASE-NOTES-bind-9.11.17.html
"Notes for BIND 9.11.17
Feature Changes
The configure option --with-libxml2 now uses pkg-config to detect
libxml2 library availability. You will either have to install pkg-config
or specify the exact path where libxml2 has been installed on your
system. [GL #1635]
Bug Fixes
Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.11/RELEASE-NOTES-bind-9.11.11.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
...
Bug Fixes
Glue address records were not being returned in responses to root priming
queries; this has been corrected. [GL #1092]
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are zero.
[GL #1159]
named-checkconf could crash during configuration if configured to use "geoip
continent" ACLs with legacy GeoIP. [GL #1163]
named-checkconf now correctly reports missing dnstap-output option when dnstap
is set. [GL #1136]
Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #1133]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Hi,
To save space linking the 'bind 9.11.5'-binaries was changed from statically to dynamically.
Changes to V2:
Removed unnecessary '*.so'-links.
Complete file sizes shrinked from ~4800K to ~1700K. Needs testing and confirmation!
I'm running this version right now under Core 124 - no seen problems so far.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html
Security fixes:
"named could crash during recursive processing of DNAME records when
deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
When recursion is enabled but the allow-recursion and allow-query-cache ACLs are
not specified, they should be limited to local networks, but they were
inadvertently set to match the default allow-query, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.1/RELEASE-NOTES-bind-9.11.1.html
"Security Fixes
rndc "" could trigger an assertion failure in named. This flaw is disclosed
in (CVE-2017-3138). [RT #44924]
Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could
trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]
dns64 with break-dnssec yes; can result in an assertion failure. This flaw is
disclosed in CVE-2017-3136. [RT #44653]
If a server is configured with a response policy zone (RPZ) that rewrites an
answer with local data, and is also configured for DNS64 address mapping, a NULL
pointer can be read triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion failure
if the redirection namespace was served from a local authoritative data source such
as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in
CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an
assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned without
the requested data, resulting in an assertion failure. This flaw is disclosed in
CVE-2016-9147. [RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion failure
when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing responses containing answers of
type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
Added the ability to specify the maximum number of records permitted in a zone
(max-records #;). This provides a mechanism to block overly large zone transfers, which
is a potential risk with slave zones from other parties, as described in CVE-2016-6170.
[RT #42143]
Bug Fixes
A synthesized CNAME record appearing in a response before the associated DNAME could be
cached, when it should not have been. This was a regression introduced while addressing
CVE-2016-8864. [RT #44318]
named could deadlock if multiple changes to NSEC/NSEC3 parameters for the same zone were
being processed at the same time. [RT #42770]
named could trigger an assertion when sending NOTIFY messages. [RT #44019]
Referencing a nonexistent zone in a response-policy statement could cause an assertion
failure during configuration. [RT #43787]
rndc addzone could cause a crash when attempting to add a zone with a type other than
master or slave. Such zones are now rejected. [RT #43665]
named could hang when encountering log file names with large apparent gaps in version
number (for example, when files exist called "logfile.0", "logfile.1", and
"logfile.1482954169"). This is now handled correctly. [RT #38688]
If a zone was updated while named was processing a query for nonexistent data, it could
return out-of-sync NSEC3 records causing potential DNSSEC validation failure. [RT #43247]"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html
"BIND 9.11.0-P5 addresses the security issues described in CVE-2017-3136,
CVE-2017-3137, and CVE-2017-3138, and updates the built-in trusted keys for the root zone.
Security Fixes
rndc "" could trigger an assertion failure in named. This flaw is disclosed in
(CVE-2017-3138). [RT #44924]
Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could
trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]
dns64 with break-dnssec yes; can result in an assertion failure. This flaw is
disclosed in CVE-2017-3136. [RT #44653]
If a server is configured with a response policy zone (RPZ) that rewrites an
answer with local data, and is also configured for DNS64 address mapping, a NULL
pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135.
[RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion failure if
the redirection namespace was served from a local authoritative data source such as a
local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in
CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an assertion
failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned without the
requested data, resulting in an assertion failure. This flaw is disclosed in
CVE-2016-9147. [RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion failure
when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing responses containing answers of
type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
Bug Fixes
A synthesized CNAME record appearing in a response before the associated DNAME could be
cached, when it should not have been. This was a regression introduced while addressing
CVE-2016-8864. [RT #44318]
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P3/RELEASE-NOTES-bind-9.11.0-P3.html
"BIND 9.11.0-P3 addresses the security issue described in CVE-2017-3135,
and fixes a regression introduced in a prior security release.
BIND 9.11.0-P2 addresses the security issues described in CVE-2016-9131,
CVE-2016-9147, CVE-2016-9444 and CVE-2016-9778.
BIND 9.11.0-P1 addresses the security issue described in CVE-2016-8864.
...
Security Fixes
If a server is configured with a response policy zone (RPZ) that rewrites an
answer with local data, and is also configured for DNS64 address mapping, a
NULL pointer can be read triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion
failure if the redirection namespace was served from a local authoritative
data source such as a local zone or a DLZ instead of via recursive lookup.
This flaw is disclosed in CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an
assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned
without the requested data, resulting in an assertion failure. This flaw is
disclosed in CVE-2016-9147.
[RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion
failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131.
[RT #43522]
It was possible to trigger assertions when processing responses containing answers
of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P2/RELEASE-NOTES-bind-9.11.0-P2.html
"BIND 9.11.0-P2 addresses the security issues described in CVE-2016-9131, CVE-2016-9147,
CVE-2016-9444 and CVE-2016-9778.
...
Security Fixes
A coding error in the nxdomain-redirect feature could lead to an assertion failure if the
redirection namespace was served from a local authoritative data source such as a local zone
or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT
Named could mishandle authority sections that were missing RRSIGs triggering an assertion
failure. This flaw is disclosed in CVE-2016-9444. [RT # 43632]
Named mishandled some responses where covering RRSIG records are returned without the
requested data resulting in a assertion failure. This flaw is disclosed in CVE-2016-9147.
[RT #43548]
Named incorrectly tried to cache TKEY records which could trigger a assertion failure when
there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing a response. This flaw is disclosed in
CVE-2016-8864. [RT #43465]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog (excerpt):
[security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088) [RT #41809]
[security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
[security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog (excerpt):
[bug] Fixed a regression in resolver.c:possibly_mark()
which caused known-bogus servers to be queried
anyway. [RT #41321]
[security] render_ecs errors were mishandled when printing out
a OPT record resulting in a assertion failure.
(CVE-2015-8705) [RT #41397]
[security] Specific APL data could trigger a INSIST.
(CVE-2015-8704) [RT #41396]
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
