bind9/doc/notes/notes-9.16.15.rst
Ondřej Surý 2bf7921c7e Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licenses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license placed
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00


.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.15
----------------------

Security Fixes
~~~~~~~~~~~~~~

- A malformed incoming IXFR transfer could trigger an assertion failure
  in ``named``, causing it to quit abnormally. (CVE-2021-25214)

  ISC would like to thank Greg Kuechle of SaskTel for bringing this
  vulnerability to our attention. :gl:`#2467`

- ``named`` crashed when a DNAME record placed in the ANSWER section
  during DNAME chasing turned out to be the final answer to a client
  query. (CVE-2021-25215)

  ISC would like to thank `Siva Kakarla`_ for bringing this
  vulnerability to our attention. :gl:`#2540`

.. _Siva Kakarla: https://github.com/sivakesava1

- When a server's configuration set the ``tkey-gssapi-keytab`` or
  ``tkey-gssapi-credential`` option, a specially crafted GSS-TSIG query
  could cause a buffer overflow in the ISC implementation of SPNEGO (a
  protocol enabling negotiation of the security mechanism used for
  GSSAPI authentication). This flaw could be exploited to crash
  ``named`` binaries compiled for 64-bit platforms, and could enable
  remote code execution when ``named`` was compiled for 32-bit
  platforms. (CVE-2021-25216)

  This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
  Zero Day Initiative. :gl:`#2604`
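
The following is an added example, not part of the ISC release notes or the BIND 9 source: a small audit that reports whether a ``named.conf`` sets either option named in the CVE-2021-25216 entry, ignoring commented-out lines. The function names, result keys and sample configuration are assumptions made for illustration; ``include`` files are listed rather than followed, so each one must be scanned as well.

```python
import re

# Options named in the CVE-2021-25216 note; setting either one is the
# precondition the note gives for the SPNEGO overflow on unpatched servers.
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# "name value;" at the start of a statement (file start, or after ';', '{', '}').
STATEMENT = re.compile(
    r'(?:\A|(?<=[;{}]))\s*([A-Za-z][\w-]*)\s+("[^"]*"|[^\s;{}"]+)\s*;')

def strip_comments(text):
    """Drop /* */, // and # comments; quoted strings are copied untouched.
    Simplification: backslash-escaped quotes inside strings are not handled."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':
            end = text.find('"', i + 1)
            end = n - 1 if end == -1 else end
            out.append(text[i:end + 1])
            i = end + 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            out.append(" ")
            i = n if end == -1 else end + 2
        elif text.startswith("//", i) or text[i] == "#":
            end = text.find("\n", i)
            i = n if end == -1 else end
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def audit(conf_text):
    """Return the GSS-TSIG options that are set and include files still to scan."""
    gss, includes = {}, []
    for name, value in STATEMENT.findall(strip_comments(conf_text)):
        name, value = name.lower(), value.strip('"')
        if name in GSS_OPTIONS:
            gss[name] = value
        elif name == "include":
            includes.append(value)
    return {"gss_tsig_enabled": bool(gss), "options": gss, "includes": includes}

# Constructed sample configuration (not from a real server).
SAMPLE = '''// constructed sample
include "/etc/bind/named.conf.local";
options {
    directory "/var/cache/bind";   # tkey-gssapi-credential "DNS/old.example";
    /* tkey-gssapi-keytab "/etc/old.keytab"; */
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```
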

Feature Changes
~~~~~~~~~~~~~~~

- The ISC implementation of SPNEGO was removed from BIND 9 source code.
  Instead, BIND 9 now always uses the SPNEGO implementation provided by
  the system GSSAPI library when it is built with GSSAPI support. All
  major contemporary Kerberos/GSSAPI libraries contain an implementation
  of the SPNEGO mechanism. :gl:`#2607`

- The default value for the ``stale-answer-client-timeout`` option was
  changed from ``1800`` (ms) to ``off``. The default value may be
  changed again in future releases as this feature matures. :gl:`#2608`

Bug Fixes
~~~~~~~~~

- TCP idle and initial timeouts were being incorrectly applied: only the
  ``tcp-initial-timeout`` was applied on the whole connection, even if
  the connection were still active, which could prevent a large zone
  transfer from being sent back to the client. The default setting for
  ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
  connection taking more than 30 seconds was abruptly terminated. This
  has been fixed. :gl:`#2583`

- When ``stale-answer-client-timeout`` was set to a positive value and
  recursion for a client query completed when ``named`` was about to
  look for a stale answer, an assertion could fail in
  ``query_respond()``, resulting in a crash. This has been fixed.
  :gl:`#2594`

- If zone journal files written by BIND 9.16.11 or earlier were present
  when BIND was upgraded to BIND 9.16.13 or BIND 9.16.14, the zone file
  for that zone could have been inadvertently rewritten with the current
  zone contents. This caused the original zone file structure (e.g.
  comments, ``$INCLUDE`` directives) to be lost, although the zone data
  itself was preserved. :gl:`#2623`

- After upgrading to BIND 9.16.13, journal files for trust anchor
  databases (e.g. ``managed-keys.bind.jnl``) could be left in a corrupt
  state. (Other zone journal files were not affected.) This has been
  fixed. If a corrupt journal file is detected, ``named`` can now
  recover from it. :gl:`#2600`

- When sending queries over TCP, ``dig`` now properly handles ``+tries=1
  +retry=0`` by not retrying the connection when the remote server
  closes the connection prematurely. :gl:`#2490`

- CDS/CDNSKEY DELETE records are now removed when a zone transitions
  from a secure to an insecure state. ``named-checkzone`` also no longer
  reports an error when such records are found in an unsigned zone.
  :gl:`#2517`

- Zones using KASP could not be thawed after they were frozen using
  ``rndc freeze``. This has been fixed. :gl:`#2523`

- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
  ``named`` now immediately attempts to reconfigure zone keys. This
  change prevents unnecessary key rollover delays. :gl:`#2488`

- Previously, a memory leak could occur when ``named`` failed to bind a
  UDP socket to a network interface. This has been fixed. :gl:`#2575`