149 lines
4.8 KiB
XML
149 lines
4.8 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!--
|
|
- Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- Permission to use, copy, modify, and/or distribute this software for any
|
|
- purpose with or without fee is hereby granted, provided that the above
|
|
- copyright notice and this permission notice appear in all copies.
|
|
-
|
|
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
- PERFORMANCE OF THIS SOFTWARE.
|
|
-->
|
|
|
|
<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<xi:include href="noteversion.xml"/>
|
|
<sect2 id="relnotes_intro">
|
|
<title>Introduction</title>
|
|
<para>
|
|
This document summarizes changes since BIND 9.9.8:
|
|
</para>
|
|
<para>
|
|
BIND 9.9.8-P4 addresses the security issues described in
|
|
CVE-2016-1285 and CVE-2016-1286.
|
|
</para>
|
|
<para>
|
|
BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704.
|
|
It also fixes a serious regression in authoritative server selection
|
|
that was introduced in 9.9.8.
|
|
</para>
|
|
<para>
|
|
BIND 9.9.8-P2 addresses security issues described in CVE-2015-3193
|
|
(OpenSSL), CVE-2015-8000 and CVE-2015-8461.
|
|
</para>
|
|
<para>
|
|
BIND 9.9.8-P1 was incomplete and was withdrawn prior to publication.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_download">
|
|
<title>Download</title>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<ulink url="http://www.isc.org/downloads/"
|
|
>http://www.isc.org/downloads/</ulink>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_security">
|
|
<title>Security Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Specific APL data could trigger an INSIST. This flaw
|
|
is disclosed in CVE-2015-8704. [RT #41396]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Named is potentially vulnerable to the OpenSSL vulnerability
|
|
described in CVE-2015-3193.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Insufficient testing when parsing a message allowed
|
|
records with an incorrect class to be be accepted,
|
|
triggering a REQUIRE failure when those records
|
|
were subsequently cached. This flaw is disclosed
|
|
in CVE-2015-8000. [RT #40987]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Incorrect reference counting could result in an INSIST
|
|
failure if a socket error occurred while performing a
|
|
lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Malformed control messages can trigger assertions in named
|
|
and rndc. This flaw is disclosed in CVE-2016-1285. [RT
|
|
#41666]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The resolver could abort with an assertion failure due to
|
|
improper DNAME handling when parsing fetch reply
|
|
messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_features">
|
|
<title>New Features</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>None</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_changes">
|
|
<title>Feature Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_bugs">
|
|
<title>Bug Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Authoritative servers that were marked as bogus (e.g. blackholed
|
|
in configuration or with invalid addresses) were being queried
|
|
anyway. [RT #41321]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="end_of_life">
|
|
<title>End of Life</title>
|
|
<para>
|
|
The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
|
|
<ulink url="https://www.isc.org/downloads/software-support-policy/"
|
|
>https://www.isc.org/downloads/software-support-policy/</ulink>
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_thanks">
|
|
<title>Thank You</title>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<ulink url="http://www.isc.org/donate/"
|
|
>http://www.isc.org/donate/</ulink>.
|
|
</para>
|
|
</sect2>
|
|
</sect1>
|