mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-10 02:55:55 +02:00
249819695d
For details for 9.16.36 and 9.16.37 see: https://downloads.isc.org/isc/bind9/9.16.37/doc/arm/html/notes.html#notes-for-bind-9-16-37 "Notes for BIND 9.16.37 Security Fixes An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). (CVE-2022-3094) ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. [GL #3523] named could crash with an assertion failure when an RRSIG query was received and stale-answer-client-timeout was set to a non-zero value. This has been fixed. (CVE-2022-3736) ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to our attention. [GL #3622] named running as a resolver with the stale-answer-client-timeout option set to any value greater than 0 could crash with an assertion failure, when the recursive-clients soft quota was reached. This has been fixed. (CVE-2022-3924) ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. [GL #3619] New Features The new update-quota option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated. [GL #3523] Feature Changes The Differentiated Services Code Point (DSCP) feature in BIND has been deprecated. Configuring DSCP values in named.conf now causes a warning to be logged. Note that this feature has only been partly operational since the new Network Manager was introduced in BIND 9.16.0. [GL #3773] The catalog zone implementation has been optimized to work with hundreds of thousands of member zones. [GL #3744] Bug Fixes In certain query resolution scenarios (e.g. when following CNAME records), named configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed. [GL #3678] ... Notes for BIND 9.16.36 Feature Changes The auto-dnssec option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667] Bug Fixes When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the named process to crash. This has been fixed. [GL #3683] When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. This has been fixed. [GL #3727] In certain cases, named waited for the resolution of outstanding recursive queries to finish before shutting down. This was unintended and has been fixed. [GL #3183] The zone <name>/<class>: final reference detached log message was moved from the INFO log level to the DEBUG(1) log level to prevent the named-checkzone tool from superfluously logging this message in non-debug mode. [GL #3707]" Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
4.2 KiB
4.2 KiB