From 265deccb85bef9d092e43f4400f9953c46f76c9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 2 Feb 2024 09:21:49 +0100 Subject: [PATCH] Prepare release notes for BIND 9.19.21 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.19.20.rst | 50 +++----------------------- doc/notes/notes-9.19.21.rst | 70 +++++++++++++++++++++++++++++++++++++ doc/notes/notes-current.rst | 31 ---------------- 4 files changed, 75 insertions(+), 77 deletions(-) create mode 100644 doc/notes/notes-9.19.21.rst delete mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index e3c8787b93..7ae4697f18 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,6 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst +.. include:: ../notes/notes-9.19.21.rst .. include:: ../notes/notes-9.19.20.rst .. include:: ../notes/notes-9.19.19.rst .. include:: ../notes/notes-9.19.18.rst diff --git a/doc/notes/notes-9.19.20.rst b/doc/notes/notes-9.19.20.rst index 33aec1d0e5..c794662095 100644 --- a/doc/notes/notes-9.19.20.rst +++ b/doc/notes/notes-9.19.20.rst 
@@ -12,50 +12,8 @@ Notes for BIND 9.19.20 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ +.. note:: -- Parsing DNS messages with many different names could cause excessive - CPU load. This has been fixed. :cve:`2023-4408` - - ISC would like to thank Shoham Danino from Reichman University, Anat - Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv - University, and Yuval Shavitt from Tel-Aviv University for bringing - this vulnerability to our attention. :gl:`#4234` - -- Specific queries could cause :iscman:`named` to crash with an - assertion failure when :any:`nxdomain-redirect` was enabled. This has - been fixed. :cve:`2023-5517` :gl:`#4281` - -- A bad interaction between DNS64 and serve-stale could cause - :iscman:`named` to crash with an assertion failure, when both of these - features were enabled. This has been fixed. :cve:`2023-5679` - :gl:`#4334` - -Feature Changes -~~~~~~~~~~~~~~~ - -- :iscman:`named-compilezone` no longer performs zone integrity checks - by default; this allows faster conversion of a zone file from one - format to another. :gl:`#4364` - - Zone checks can be performed by running :iscman:`named-checkzone` - separately, or the previous default behavior can be restored by using: - - :: - - named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail - -Bug Fixes -~~~~~~~~~ - -- The counters exported via the statistics channel were changed back to - 64-bit signed values; they were being inadvertently truncated to - unsigned 32-bit values since BIND 9.15.0. :gl:`#4467` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch. + The BIND 9.19.20 release was withdrawn after the discovery of a + regression in a security fix in it during pre-release testing. ISC + would like to acknowledge the assistance of Curtis Tuplin of SaskTel. 
diff --git a/doc/notes/notes-9.19.21.rst b/doc/notes/notes-9.19.21.rst new file mode 100644 index 0000000000..16f1b7bc3b --- /dev/null +++ b/doc/notes/notes-9.19.21.rst 
@@ -0,0 +1,70 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.19.21 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Validating DNS messages containing a lot of DNSSEC signatures could + cause excessive CPU load, leading to a denial-of-service condition. + This has been fixed. :cve:`2023-50387` + + ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, + and Michael Waidner from the German National Research Center for + Applied Cybersecurity ATHENE for bringing this vulnerability to our + attention. :gl:`#4424` + +- Parsing DNS messages with many different names could cause excessive + CPU load. This has been fixed. :cve:`2023-4408` + + ISC would like to thank Shoham Danino from Reichman University, Anat + Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv + University, and Yuval Shavitt from Tel-Aviv University for bringing + this vulnerability to our attention. :gl:`#4234` + +- Specific queries could cause :iscman:`named` to crash with an + assertion failure when :any:`nxdomain-redirect` was enabled. This has + been fixed. :cve:`2023-5517` :gl:`#4281` + +- A bad interaction between DNS64 and serve-stale could cause + :iscman:`named` to crash with an assertion failure, when both of these + features were enabled. This has been fixed. :cve:`2023-5679` + :gl:`#4334` + +Feature Changes +~~~~~~~~~~~~~~~ + +- :iscman:`named-compilezone` no longer performs zone integrity checks + by default; this allows faster conversion of a zone file from one + format to another. 
:gl:`#4364` + + Zone checks can be performed by running :iscman:`named-checkzone` + separately, or the previous default behavior can be restored by using: + + :: + + named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail + +Bug Fixes +~~~~~~~~~ + +- The counters exported via the statistics channel were changed back to + 64-bit signed values; they were being inadvertently truncated to + unsigned 32-bit values since BIND 9.15.0. :gl:`#4467` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index 0a84c2cadc..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null @@ -1,31 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.19.21 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Validating DNS messages containing a lot of DNSSEC signatures could - cause excessive CPU load, leading to a denial-of-service condition. - This has been fixed. :cve:`2023-50387` - - ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, - and Michael Waidner from the German National Research Center for - Applied Cybersecurity ATHENE. :gl:`#4424` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch.
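Review bot: in the doc/arm/notes.rst hunk the only change is the added include for notes-9.19.21.rst, yet the same commit deletes doc/notes/notes-current.rst. Please confirm that no include directive elsewhere in doc/ still references notes-current.rst, since a dangling include would surface as an error in the documentation build. If one exists, drop it in this commit.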
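Review bot: in the doc/notes/notes-9.19.20.rst hunk, the replacement note says the release was withdrawn but does not tell the reader where the removed Security Fixes, Feature Changes and Bug Fixes entries now live. Add a sentence pointing to the BIND 9.19.21 notes. The phrase "a regression in a security fix in it during pre-release testing" is also hard to parse. Something like "after a regression in one of its security fixes was discovered during pre-release testing" reads more clearly.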
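Review bot: in the Security Fixes list of the new doc/notes/notes-9.19.21.rst, the :cve:`2023-50387` and :cve:`2023-4408` entries do not say which deployments are exposed, while the :cve:`2023-5517` and :cve:`2023-5679` entries name the triggering configuration ("when :any:`nxdomain-redirect` was enabled", "when both of these features were enabled"). Consider stating the precondition for the first two in the same way, for example whether DNSSEC validation must be enabled for the first, so operators can judge urgency from the notes alone. "a lot of DNSSEC signatures" could also be tightened to "many DNSSEC signatures" to match the wording of the entry below it.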