From 88c6b4e7af0563ca1092abb4ffeb2cbe0c76e768 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 24 Sep 2021 09:58:47 +0200 Subject: [PATCH] Add CHANGES and release note for [GL #2899] --- CHANGES | 6 +++++- doc/notes/notes-current.rst | 16 +++++++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 469572de24..054e1246d3 100644 --- a/CHANGES +++ b/CHANGES @@ -65,7 +65,11 @@ 5737. [bug] Address Coverity warning in lib/dns/dnssec.c. [GL #2935] -5736. [placeholder] +5736. [security] The "lame-ttl" option is now forcibly set to 0. This + effectively disables the lame server cache, as it could + previously be abused by an attacker to significantly + degrade resolver performance. (CVE-2021-25219) + [GL #2899] 5735. [cleanup] The result codes which BIND 9 uses internally are now all defined as a single list of enum values rather than diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index b7f8f0e08b..f38347a0e4 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -14,7 +14,21 @@ Notes for BIND 9.17.18 Security Fixes ~~~~~~~~~~~~~~ -- None. +- The ``lame-ttl`` option controls how long ``named`` caches certain + types of broken responses from authoritative servers (see the + `security advisory `_ for + details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of ``lame-ttl`` to ``0`` and + overriding any explicitly set value with ``0``, effectively disabling + this mechanism altogether. ISC's testing has determined that doing + that has a negligible impact on resolver performance while also + preventing abuse. Administrators may observe more traffic towards + servers issuing certain types of broken responses than in previous + BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. :gl:`#2899` Known Issues ~~~~~~~~~~~~
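Review bot: In the 5736 entry added to CHANGES, "forcibly set to 0" does not make clear that an explicitly configured "lame-ttl" value is overridden as well, which the release note in this same patch does state ("overriding any explicitly set value with ``0``"). Suggest wording the entry so that it is unambiguous when read without the release note, for example by saying the option is now always 0 regardless of the configured value.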
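Review bot: In the new Security Fixes bullet in doc/notes/notes-current.rst, the sentence about "overriding any explicitly set value with ``0``" leaves out what an administrator who already has ``lame-ttl`` in their configuration should expect: whether ``named`` reports the override when the configuration is loaded, and whether the statement should be removed. One added sentence would cover that. Separately, as the hunk appears here the `security advisory `_ reference has no link target, so confirm the URL is present in the file, since "certain types of broken responses" relies entirely on that advisory for the detail.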