Merge branch 'prep-release' into security-v9_16

Prepare documentation for BIND 9.16.12

See merge request isc-private/bind9!240

CHANGES

@@ -1,39 +1,42 @@
+	--- 9.16.12 released ---
+
 5578.	[protocol]	Make "check-names" accept A records below "_spf",
-			"_spf_rate" and "_spf_verify" labels in order to cater
+			"_spf_rate", and "_spf_verify" labels in order to cater
 			for the "exists" SPF mechanism specified in RFC 7208
-			section 5.7. and appendix D. [GL #2377]
+			section 5.7 and appendix D.1. [GL #2377]
 
-5577.	[bug]		Fix the "three is a crowd" key rollover bug in
-			dnssec-policy by correctly implementing Equation(2) of
-			the "Flexible and Robust Key Rollover" paper. [GL #2375]
+5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
+			correctly implementing Equation (2) of the "Flexible and
+			Robust Key Rollover" paper. [GL #2375]
 
-5575.	[bug]		When migrating to dnssec-policy, BIND considered keys
-			with the "Inactive" and/or "Delete" timing metadata as
+5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
+			"Inactive" and/or "Delete" timing metadata to be
 			possible active keys. This has been fixed. [GL #2406]
 
-5572.	[bug]		Address potential double free in generatexml.
+5572.	[bug]		Address potential double free in generatexml().
 			[GL #2420]
 
-5571.	[bug]		If a zone had a non-builtin named allow-update acl
-			named failed to start. [GL #2413]
+5571.	[bug]		named failed to start when its configuration included a
+			zone with a non-builtin "allow-update" ACL attached.
+			[GL #2413]
 
-5570.	[bug]		Improve the performance of dnssec-verify by reducing
-			the number of repeated calls to dns_dnssec_keyfromrdata.
-			[GL #2073]
+5570.	[bug]		Improve performance of the DNSSEC verification code by
+			reducing the number of repeated calls to
+			dns_dnssec_keyfromrdata(). [GL #2073]
 
-5569.	[bug]		Emit useful error message when 'rndc retransfer' is
+5569.	[bug]		Emit useful error message when "rndc retransfer" is
 			applied to a zone of inappropriate type. [GL #2342]
 
 5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
 			keys. [GL #2178]
 
 5567.	[bug]		Dig now reports unknown dash options while pre-parsing
-			the options.  This prevents '-multi' instead of
-			'+multi' reporting memory usage before ending option
-			parsing on 'Invalid option: -lti'. [GL #2403]
+			the options. This prevents "-multi" instead of "+multi"
+			from reporting memory usage before ending option parsing
+			with "Invalid option: -lti". [GL #2403]
 
-5566.	[func]		Add "stale-answer-client-timeout" option, which
-			is the amount of time a recursive resolver waits before
+5566.	[func]		Add "stale-answer-client-timeout" option, which is the
+			amount of time a recursive resolver waits before
 			attempting to answer the query using stale data from
 			cache. [GL #2247]
 
@@ -41,15 +44,17 @@
 			BIND 9 version number, in an effort to tightly couple
 			internal libraries with a specific release. [GL #2387]
 
-5561.	[bug]		KASP incorrectly set signature validity to the value
-			of the DNSKEY signature validity. This is now fixed.
+5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation.
+			(CVE-2020-8625) [GL #2354]
+
+5561.	[bug]		KASP incorrectly set signature validity to the value of
+			the DNSKEY signature validity. This is now fixed.
 			[GL #2383]
 
 5560.	[func]		The default value of "max-stale-ttl" has been changed
 			from 12 hours to 1 day and the default value of
-			"stale-answer-ttl" has been changed from 1 second to
-			30 seconds, following RFC 8767 recommendations.
-			[GL #2248]
+			"stale-answer-ttl" has been changed from 1 second to 30
+			seconds, following RFC 8767 recommendations. [GL #2248]
 
 5456.	[func]		Added "primaries" as a synonym for "masters" in
 			named.conf, and "primary-only" as a synonym for

doc/arm/notes.rst

@@ -59,7 +59,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.16.12.rst
 .. include:: ../notes/notes-9.16.11.rst
 .. include:: ../notes/notes-9.16.10.rst
 .. include:: ../notes/notes-9.16.9.rst

doc/notes/notes-9.16.0.rst

@@ -36,7 +36,7 @@ New Features
 
    When used with the keyword ``initial-key``, ``trust-anchors`` has the
    same behavior as ``managed-keys``, i.e., it configures a trust anchor
-   that is to be maintained via RFC 5011.
+   that is to be maintained via :rfc:`5011`.
 
    When used with the new keyword ``static-key``, ``trust-anchors`` has
    the same behavior as ``trusted-keys``, i.e., it configures a
@@ -51,8 +51,8 @@ New Features
 
    As with the ``initial-key`` and ``static-key`` keywords,
    ``initial-ds`` configures a dynamic trust anchor to be maintained via
-   RFC 5011, and ``static-ds`` configures a permanent trust anchor. [GL
-   #6] [GL #622]
+   :rfc:`5011`, and ``static-ds`` configures a permanent trust anchor.
+   [GL #6] [GL #622]
 
 -  ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to
    print output in a detailed YAML format. [GL #1145]
@@ -64,7 +64,8 @@ New Features
 
 -  ``dig`` now accepts a new command line option, ``+[no]expandaaaa``,
    which causes the IPv6 addresses in AAAA records to be printed in full
-   128-bit notation rather than the default RFC 5952 format. [GL #765]
+   128-bit notation rather than the default :rfc:`5952` format.
+   [GL #765]
 
 -  Statistics channel groups can now be toggled. [GL #1030]
 
@@ -74,10 +75,10 @@ Feature Changes
 -  When static and managed DNSSEC keys were both configured for the same
    name, or when a static key was used to configure a trust anchor for
    the root zone and ``dnssec-validation`` was set to the default value
-   of ``auto``, automatic RFC 5011 key rollovers would be disabled. This
-   combination of settings was never intended to work, but there was no
-   check for it in the parser. This has been corrected, and it is now a
-   fatal configuration error. [GL #868]
+   of ``auto``, automatic :rfc:`5011` key rollovers would be disabled.
+   This combination of settings was never intended to work, but there
+   was no check for it in the parser. This has been corrected, and it is
+   now a fatal configuration error. [GL #868]
 
 -  DS and CDS records are now generated with SHA-256 digests only,
    instead of both SHA-1 and SHA-256. This affects the default output of
@@ -91,7 +92,7 @@ Feature Changes
 -  ``named`` will now log a warning if a static key is configured for
    the root zone. [GL #6]
 
--  A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added
+-  A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added
    and made default. Old non-default HMAC-SHA based DNS Cookie
    algorithms have been removed, and only the default AES algorithm is
    being kept for legacy reasons. This change has no operational impact

doc/notes/notes-9.16.11.rst

@@ -32,7 +32,7 @@ Feature Changes
   without making it bogus in the process; changing to ``dnssec-policy
   none;`` also causes CDS and CDNSKEY DELETE records to be published, to
   signal that the entire DS RRset at the parent must be removed, as
-  described in RFC 8078. [GL #1750]
+  described in :rfc:`8078`. [GL #1750]
 
 - When using the ``unixtime`` or ``date`` method to update the SOA
   serial number, ``named`` and ``dnssec-signzone`` silently fell back to

doc/notes/notes-9.16.12.rst

@@ -0,0 +1,115 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.16.12
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was
+  configured, a specially crafted GSS-TSIG query could cause a buffer
+  overflow in the ISC implementation of SPNEGO (a protocol enabling
+  negotiation of the security mechanism to use for GSSAPI
+  authentication). This flaw could be exploited to crash ``named``.
+  Theoretically, it also enabled remote code execution, but achieving
+  the latter is very difficult in real-world conditions.
+  (CVE-2020-8625)
+
+  This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+  Trend Micro Zero Day Initiative. [GL #2354]
+
+New Features
+~~~~~~~~~~~~
+
+- When a secondary server receives a large incremental zone transfer
+  (IXFR), it can have a negative impact on query performance while the
+  incremental changes are applied to the zone. To address this,
+  ``named`` can now limit the size of IXFR responses it sends in
+  response to zone transfer requests. If an IXFR response would be
+  larger than an AXFR of the entire zone, it will send an AXFR response
+  instead.
+
+  This behavior is controlled by the ``max-ixfr-ratio`` option - a
+  percentage value representing the ratio of IXFR size to the size of a
+  full zone transfer. The default is ``100%``. [GL #1515]
+
+- A new option, ``stale-answer-client-timeout``, has been added to
+  improve ``named``'s behavior with respect to serving stale data. The
+  option defines the amount of time ``named`` waits before attempting to
+  answer the query with a stale RRset from cache. If a stale answer is
+  found, ``named`` continues the ongoing fetches, attempting to refresh
+  the RRset in cache until the ``resolver-query-timeout`` interval is
+  reached.
+
+  The default value is ``1800`` (in milliseconds) and the maximum value
+  is limited to ``resolver-query-timeout`` minus one second. A value of
+  ``0`` causes any available cached RRset to immediately be returned
+  while still triggering a refresh of the data in cache.
+
+  This new behavior can be disabled by setting
+  ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
+  option has no effect if ``stale-answer-enable`` is disabled.
+  [GL #2247]
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- As part of an ongoing effort to use :rfc:`8499` terminology,
+  ``primaries`` can now be used as a synonym for ``masters`` in
+  ``named.conf``. Similarly, ``notify primary-only`` can now be used as
+  a synonym for ``notify master-only``. The output of ``rndc
+  zonestatus`` now uses ``primary`` and ``secondary`` terminology.
+  [GL #1948]
+
+- The default value of ``max-stale-ttl`` has been changed from 12 hours
+  to 1 day and the default value of ``stale-answer-ttl`` has been
+  changed from 1 second to 30 seconds, following :rfc:`8767`
+  recommendations. [GL #2248]
+
+- The SONAMEs for BIND 9 libraries now include the current BIND 9
+  version number, in an effort to tightly couple internal libraries with
+  a specific release. This change makes the BIND 9 release process both
+  simpler and more consistent while also unequivocally preventing BIND 9
+  binaries from silently loading wrong versions of shared libraries (or
+  multiple versions of the same shared library) at startup. [GL #2387]
+
+- When ``check-names`` is in effect, A records below an ``_spf``,
+  ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
+  ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
+  D.1) are no longer reported as warnings/errors. [GL #2377]
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` failed to start when its configuration included a zone with
+  a non-builtin ``allow-update`` ACL attached. [GL #2413]
+
+- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
+  key. This has been fixed. [GL #2178]
+
+- KASP incorrectly set signature validity to the value of the DNSKEY
+  signature validity. This has been fixed. [GL #2383]
+
+- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
+  and/or ``Delete`` timing metadata to be possible active keys. This has
+  been fixed. [GL #2406]
+
+- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
+  faster than the time required to finish the rollover procedure, the
+  successor relation equation failed because it assumed only two keys
+  were taking part in a rollover. This could lead to premature removal
+  of predecessor keys. BIND 9 now implements a recursive successor
+  relation, as described in the paper "Flexible and Robust Key Rollover"
+  (Equation (2)). [GL #2375]
+
+- Performance of the DNSSEC verification code (used by
+  ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
+  improved. [GL #2073]

doc/notes/notes-current.rst

@@ -1,110 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-Notes for BIND 9.16.12
-----------------------
-
-Security Fixes
-~~~~~~~~~~~~~~
-
-- None.
-
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
-New Features
-~~~~~~~~~~~~
-
-- When a secondary server receives a large incremental zone
-  transfer (IXFR), it can have a negative impact on query
-  performance while the incremental changes are applied to
-  the zone. To address this, ``named`` can now
-  limit the size of IXFR responses it sends in response to zone
-  transfer requests. If an IXFR response would be larger than an
-  AXFR of the entire zone, it will send an AXFR resonse instead.
-
-  This behavior is controlled by the ``max-ixfr-ratio``
-  option - a percentage value representing the ratio of IXFR size
-  to the size of a full zone transfer. This value cannot exceed
-  100%, which is also the default. [GL #1515]
-
-- A new option, ```stale-answer-client-timeout``, has been added to
-  improve ``named``'s behavior with respect to serving stale data. The option
-  defines the amount of time ``named`` waits before attempting
-  to answer the query with a stale RRset from cache. If a stale answer
-  is found, ``named`` continues the ongoing fetches, attempting to
-  refresh the RRset in cache until the ``resolver-query-timeout`` interval is
-  reached.
-
-  The default value is ``1800`` (in milliseconds) and the maximum value is
-  bounded to ``resolver-query-timeout`` minus one second. A value of
-  ``0`` immediately returns a cached RRset if available, and still
-  attempts a refresh of the data in cache.
-
-  The option can be disabled by setting the value to ``off`` or
-  ``disabled``. It also has no effect if ``stale-answer-enable`` is
-  disabled.
-
-Removed Features
-~~~~~~~~~~~~~~~~
-
-- None.
-
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- The SONAMEs for BIND 9 libraries now include the current BIND 9
-  version number, in an effort to tightly couple internal libraries with
-  a specific release. This change makes the BIND 9 release process both
-  simpler and more consistent while also unequivocally preventing BIND 9
-  binaries from silently loading wrong versions of shared libraries (or
-  multiple versions of the same shared library) at startup. [GL #2387]
-
-- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
-  day and the default value of ``stale-answer-ttl`` has been changed from 1
-  second to 30 seconds, following RFC 8767 recommendations. [GL #2248]
-
-- As part of an ongoing effort to use RFC 8499 terminology,
-  ``primaries`` can now be used as a synonym for ``masters`` in
-  ``named.conf``. Similarly, ``notify primary-only`` can now be used as
-  a synonym for ``notify master-only``. The output of ``rndc
-  zonestatus`` now uses ``primary`` and ``secondary`` terminology.
-  [GL #1948]
-
-- When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate``
-  and ``_spf_verify`` labels (which are employed by the ``exists`` SPF
-  mechanism defined inr:rfc:`7208` section 5.7/appendix D1) are no longer 
-  reported as warnings/errors.  [GL #2377]
-
-Bug Fixes
-~~~~~~~~~
-
-- KASP incorrectly set signature validity to the value of the DNSKEY signature
-  validity. This is now fixed. [GL #2383]
-
-- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key.
-  This has been fixed. [GL #2178]
-
-- Named ``allow-update`` acls where broken in BIND 9.17.9 and BIND 9.16.11
-  preventing ``named`` starting. [GL #2413]
-
-- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive"
-  and/or "Delete" timing metadata as possible active keys. This has been fixed.
-  [GL #2406]
-
-- Fix the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys
-  rolled faster than the time required to finish the rollover procedure, the
-  successor relation equation failed because it assumed only two keys were
-  taking part in a rollover. This could lead to premature removal of
-  predecessor keys. BIND 9 now implements a recursive successor relation, as
-  described in the paper "Flexible and Robust Key Rollover" (Equation (2)).
-  [GL #2375]

lib/dns/spnego.c

@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
 		return (ASN1_OVERRUN);
 	}
 
-	data->components = malloc(len * sizeof(*data->components));
+	data->components = malloc((len + 1) * sizeof(*data->components));
 	if (data->components == NULL) {
 		return (ENOMEM);
 	}

version

@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Stable Release)"
 MAJORVER=9
 MINORVER=16
-PATCHVER=11
+PATCHVER=12
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=