mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 18:19:42 +00:00
Prepare release notes for BIND 9.19.21
This commit is contained in:
Michał Kępień
parent
bf6a16c17b
commit
265deccb85
@ -38,6 +38,7 @@ information about each release, and source code.
|
||||
|
||||
.. include:: ../notes/notes-known-issues.rst
|
||||
|
||||
.. include:: ../notes/notes-9.19.21.rst
|
||||
.. include:: ../notes/notes-9.19.20.rst
|
||||
.. include:: ../notes/notes-9.19.19.rst
|
||||
.. include:: ../notes/notes-9.19.18.rst
|
||||
|
||||
@ -12,50 +12,8 @@
|
||||
Notes for BIND 9.19.20
|
||||
----------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
.. note::
|
||||
|
||||
- Parsing DNS messages with many different names could cause excessive
|
||||
CPU load. This has been fixed. :cve:`2023-4408`
|
||||
|
||||
ISC would like to thank Shoham Danino from Reichman University, Anat
|
||||
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
|
||||
University, and Yuval Shavitt from Tel-Aviv University for bringing
|
||||
this vulnerability to our attention. :gl:`#4234`
|
||||
|
||||
- Specific queries could cause :iscman:`named` to crash with an
|
||||
assertion failure when :any:`nxdomain-redirect` was enabled. This has
|
||||
been fixed. :cve:`2023-5517` :gl:`#4281`
|
||||
|
||||
- A bad interaction between DNS64 and serve-stale could cause
|
||||
:iscman:`named` to crash with an assertion failure, when both of these
|
||||
features were enabled. This has been fixed. :cve:`2023-5679`
|
||||
:gl:`#4334`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- :iscman:`named-compilezone` no longer performs zone integrity checks
|
||||
by default; this allows faster conversion of a zone file from one
|
||||
format to another. :gl:`#4364`
|
||||
|
||||
Zone checks can be performed by running :iscman:`named-checkzone`
|
||||
separately, or the previous default behavior can be restored by using:
|
||||
|
||||
::
|
||||
|
||||
named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- The counters exported via the statistics channel were changed back to
|
||||
64-bit signed values; they were being inadvertently truncated to
|
||||
unsigned 32-bit values since BIND 9.15.0. :gl:`#4467`
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- There are no new known issues with this release. See :ref:`above
|
||||
<relnotes_known_issues>` for a list of all known issues affecting this
|
||||
BIND 9 branch.
|
||||
The BIND 9.19.20 release was withdrawn after the discovery of a
|
||||
regression in a security fix in it during pre-release testing. ISC
|
||||
would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
|
||||
|
||||
70
doc/notes/notes-9.19.21.rst
Normal file
70
doc/notes/notes-9.19.21.rst
Normal file
@ -0,0 +1,70 @@
|
||||
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
..
|
||||
.. SPDX-License-Identifier: MPL-2.0
|
||||
..
|
||||
.. This Source Code Form is subject to the terms of the Mozilla Public
|
||||
.. License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
..
|
||||
.. See the COPYRIGHT file distributed with this work for additional
|
||||
.. information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.19.21
|
||||
----------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- Validating DNS messages containing a lot of DNSSEC signatures could
|
||||
cause excessive CPU load, leading to a denial-of-service condition.
|
||||
This has been fixed. :cve:`2023-50387`
|
||||
|
||||
ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
|
||||
and Michael Waidner from the German National Research Center for
|
||||
Applied Cybersecurity ATHENE for bringing this vulnerability to our
|
||||
attention. :gl:`#4424`
|
||||
|
||||
- Parsing DNS messages with many different names could cause excessive
|
||||
CPU load. This has been fixed. :cve:`2023-4408`
|
||||
|
||||
ISC would like to thank Shoham Danino from Reichman University, Anat
|
||||
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
|
||||
University, and Yuval Shavitt from Tel-Aviv University for bringing
|
||||
this vulnerability to our attention. :gl:`#4234`
|
||||
|
||||
- Specific queries could cause :iscman:`named` to crash with an
|
||||
assertion failure when :any:`nxdomain-redirect` was enabled. This has
|
||||
been fixed. :cve:`2023-5517` :gl:`#4281`
|
||||
|
||||
- A bad interaction between DNS64 and serve-stale could cause
|
||||
:iscman:`named` to crash with an assertion failure, when both of these
|
||||
features were enabled. This has been fixed. :cve:`2023-5679`
|
||||
:gl:`#4334`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- :iscman:`named-compilezone` no longer performs zone integrity checks
|
||||
by default; this allows faster conversion of a zone file from one
|
||||
format to another. :gl:`#4364`
|
||||
|
||||
Zone checks can be performed by running :iscman:`named-checkzone`
|
||||
separately, or the previous default behavior can be restored by using:
|
||||
|
||||
::
|
||||
|
||||
named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- The counters exported via the statistics channel were changed back to
|
||||
64-bit signed values; they were being inadvertently truncated to
|
||||
unsigned 32-bit values since BIND 9.15.0. :gl:`#4467`
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- There are no new known issues with this release. See :ref:`above
|
||||
<relnotes_known_issues>` for a list of all known issues affecting this
|
||||
BIND 9 branch.
|
||||
@ -1,31 +0,0 @@
|
||||
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
..
|
||||
.. SPDX-License-Identifier: MPL-2.0
|
||||
..
|
||||
.. This Source Code Form is subject to the terms of the Mozilla Public
|
||||
.. License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
..
|
||||
.. See the COPYRIGHT file distributed with this work for additional
|
||||
.. information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.19.21
|
||||
----------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- Validating DNS messages containing a lot of DNSSEC signatures could
|
||||
cause excessive CPU load, leading to a denial-of-service condition.
|
||||
This has been fixed. :cve:`2023-50387`
|
||||
|
||||
ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
|
||||
and Michael Waidner from the German National Research Center for
|
||||
Applied Cybersecurity ATHENE. :gl:`#4424`
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- There are no new known issues with this release. See :ref:`above
|
||||
<relnotes_known_issues>` for a list of all known issues affecting this
|
||||
BIND 9 branch.
|
||||
Loading…
x
Reference in New Issue
Block a user