mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
Tweak and reword release notes
This commit is contained in:
Michal Nowak
@@ -26,62 +26,70 @@ Security Fixes
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- Add support for User Statically Defined Tracing (USDT) probes - static tracing
|
||||
points for user-level software. This allows a fine-grained application
|
||||
tracing with zero-overhead when the probes are not enabled. :gl:`#4041`
|
||||
- Support for User Statically Defined Tracing (USDT) probes has been
|
||||
added. These probes enable fine-grained application tracing and
|
||||
introduce no overhead when they are not enabled. :gl:`#4041`
|
||||
|
||||
Removed Features
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
- The :any:`dnssec-must-be-secure` option has been deprecated and will be
|
||||
removed in a future release. :gl:`#4263`
|
||||
- The :any:`dnssec-must-be-secure` option has been deprecated and will
|
||||
be removed in a future release. :gl:`#4263`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- Make :iscman:`nsupdate` honor the ``-v`` option for SOA queries, that is send
|
||||
the request over TCP, only if the server is specified. :gl:`#1181`
|
||||
- If the ``server`` command is specified, :iscman:`nsupdate` now honors
|
||||
the :option:`nsupdate -v` option for SOA queries by sending both the
|
||||
UPDATE request and the initial query over TCP. :gl:`#1181`
|
||||
|
||||
- Extend client side support for the EDNS EXPIRE option to IXFR and
|
||||
AXFR query types. ``named`` will now be making EDNS queries AXFR
|
||||
and IXFR queries with EDNS options present. :gl:`#4170`
|
||||
- The client-side support of the EDNS EXPIRE option has been expanded to
|
||||
include IXFR and AXFR query types. This enhancement enables
|
||||
:iscman:`named` to perform AXFR and IXFR queries while incorporating
|
||||
the EDNS EXPIRE option. :gl:`#4170`
|
||||
|
||||
- Compiling with jemalloc versions older than 4.0.0 is no longer supported;
|
||||
those versions do not provide the features required by current BIND 9
|
||||
releases. :gl:`#4296`
|
||||
- Compiling with jemalloc versions older than 4.0.0 is no longer
|
||||
supported; those versions do not provide the features required by
|
||||
current BIND 9 releases. :gl:`#4296`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- The value of If-Modified-Since header in statistics channel was not checked
|
||||
for length leading to possible buffer overflow by an authorized user. We
|
||||
would like to emphasize that statistics channel must be properly setup to
|
||||
allow access only from authorized users of the system. :gl:`#4124`
|
||||
- The value of the If-Modified-Since header in the statistics channel
|
||||
was not being correctly validated for its length, potentially allowing
|
||||
an authorized user to trigger a buffer overflow. Ensuring the
|
||||
statistics channel is configured correctly to grant access exclusively
|
||||
to authorized users is essential (see the :any:`statistics-channels`
|
||||
block definition and usage section). :gl:`#4124`
|
||||
|
||||
This issue was reported independently by Eric Sesterhenn of X41 D-SEC and
|
||||
Cameron Whitehead.
|
||||
This issue was reported independently by Eric Sesterhenn of X41 D-Sec
|
||||
GmbH and Cameron Whitehead.
|
||||
|
||||
- The value of Content-Length header in statistics channel was not
|
||||
bound checked and negative or large enough value could lead to
|
||||
overflow and assertion failure. :gl:`#4125`
|
||||
- The Content-Length header in the statistics channel was lacking proper
|
||||
bounds checking. A negative or excessively large value could
|
||||
potentially trigger an integer overflow and result in an assertion
|
||||
failure. :gl:`#4125`
|
||||
|
||||
This issue was reported by Eric Sesterhenn of X41 D-SEC.
|
||||
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
|
||||
|
||||
- Address memory leaks due to not clearing OpenSSL error stack. :gl:`#4159`
|
||||
- Several memory leaks caused by not clearing the OpenSSL error stack
|
||||
were fixed. :gl:`#4159`
|
||||
|
||||
This issue was reported by Eric Sesterhenn of X41 D-SEC.
|
||||
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
|
||||
|
||||
- Following the introduction of krb5-subdomain-self-rhs and
|
||||
ms-subdomain-self-rhs update rules, removal of nonexistent PTR
|
||||
and SRV records via UPDATE could fail. This has been fixed. :gl:`#4280`
|
||||
- The introduction of ``krb5-subdomain-self-rhs`` and
|
||||
``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
|
||||
:iscman:`named` to return SERVFAIL responses to deletion requests for
|
||||
non-existent PTR and SRV records. This has been fixed. :gl:`#4280`
|
||||
|
||||
- The value of :any:`stale-refresh-time` was set to zero after ``rndc flush``.
|
||||
This has been fixed. :gl:`#4278`
|
||||
- The :any:`stale-refresh-time` feature was mistakenly disabled when the
|
||||
server cache was flushed by :option:`rndc flush`. This has been fixed.
|
||||
:gl:`#4278`
|
||||
|
||||
- BIND could consume more memory than it needs. That has been fixed by
|
||||
using specialised jemalloc memory arenas dedicated to sending buffers. It
|
||||
allowed us to optimize the process of returning memory pages back to
|
||||
the operating system. :gl:`#4038`
|
||||
- BIND's memory consumption has been improved by implementing dedicated
|
||||
jemalloc memory arenas for sending buffers. This optimization ensures
|
||||
that memory usage is more efficient and better manages the return of
|
||||
memory pages to the operating system. :gl:`#4038`
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
||||
Reference in New Issue
Block a user