#
497bf0b8 |
| 23-Sep-2022 |
christos <christos@NetBSD.org> |
Import 9.16.33; last imported was 9.16.20
--- 9.16.33 released ---
5962. [security] Fix memory leak in EdDSA verify processing. (CVE-2022-38178) [GL #3487]
5961. [security] Fix memory leak in
Import 9.16.33; last imported was 9.16.20
--- 9.16.33 released ---
5962. [security] Fix memory leak in EdDSA verify processing. (CVE-2022-38178) [GL #3487]
5961. [security] Fix memory leak in ECDSA verify processing. (CVE-2022-38177) [GL #3487]
5960. [security] Fix serve-stale crash that could happen when stale-answer-client-timeout was set to 0 and there was a stale CNAME in the cache for an incoming query. (CVE-2022-3080) [GL #3517]
5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394]
5956. [func] Make RRL code treat all QNAMEs that are subject to wildcard processing within a given zone as the same name. [GL #3459]
5955. [port] The libxml2 library has deprecated the usage of xmlInitThreads() and xmlCleanupThreads() functions. Use xmlInitParser() and xmlCleanupParser() instead. [GL #3518]
5954. [func] Fallback to IDNA2003 processing in dig when IDNA2008 conversion fails. [GL #3485]
5953. [bug] Fix a crash on shutdown in delete_trace_entry(). Add mctx attach/detach pair to make sure that the memory context used by a memory pool is not destroyed before the memory pool itself. [GL #3515]
5952. [bug] Use quotes around address strings in YAML output. [GL #3511]
5951. [bug] In some cases, the dnstap query_message field was erroneously set when logging response messages. [GL #3501]
5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing dns_db_detachnode() call. [GL #3500]
5945. [bug] If parsing /etc/bind.key failed, delv could assert when trying to parse the built in trust anchors as the parser hadn't been reset. [GL !6468]
5942. [bug] Fix tkey.c:buildquery() function's error handling by adding the missing cleanup code. [GL #3492]
5941. [func] Zones with dnssec-policy now require dynamic DNS or inline-siging to be configured explicitly. [GL #3381]
5936. [bug] Don't enable serve-stale for lookups that error because it is a duplicate query or a query that would be dropped. [GL #2982]
--- 9.16.32 released ---
5934. [func] Improve fetches-per-zone fetch limit logging to log the final allowed and spilled values of the fetch counters before the counter object gets destroyed. [GL #3461]
5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in named on Fedorda 33, Oracle Linux 9 and RHEL9 when they are disabled by the security policy. [GL #3469]
5932. [bug] Fix rndc dumpdb -expired and always include expired RRsets, not just for RBTDB_VIRTUAL time window. [GL #3462]
5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was not fully effective; it was used for timing key rollovers but did not actually place an upper limit on TTLs when loading a zone. This has been corrected, and the documentation has been clarified to indicate that the old "max-zone-ttl" zone option is now ignored when "dnssec-policy" is in use. [GL #2918]
5924. [func] When it's necessary to use AXFR to respond to an IXFR request, a message explaining the reason is now logged at level info. [GL #2683]
5923. [bug] Fix inheritance for dnssec-policy when checking for inline-signing. [GL #3438]
5922. [bug] Forwarding of UPDATE message could fail with the introduction of netmgr. This has been fixed. [GL #3389]
--- 9.16.31 released ---
5917. [bug] Update ifconfig.sh script as is miscomputed interface identifiers when destroying interfaces. [GL #3061]
5915. [bug] Detect missing closing brace (}) and computational overflows in $GENERATE directives. [GL #3429]
5913. [bug] Fix a race between resolver query timeout and validation in resolver.c:validated(). Remove resolver.c:maybe_destroy() as it is no loger needed. [GL #3398]
5909. [bug] The server-side destination port was missing from dnstap captures of client traffic. [GL #3309]
5905. [bug] When the TCP connection would be closed/reset between the connect/accept and the read, the uv_read_start() return value would be unexpected and cause an assertion failure. [GL #3400]
5903. [bug] When named checks that the OPCODE in a response matches that of the request, if there is a mismatch named logs an error. Some of those error messages incorrectly used RCODE instead of OPCODE to lookup the nemonic. This has been corrected. [GL !6420]
--- 9.16.30 released ---
5899. [func] Don't try to process DNSSEC-related and ZONEMD records in catz. [GL #3380]
5890. [bug] When the fetches-per-server quota was adjusted because of an authoritative server timing out more or less frequently, it was incorrectly set to 1 rather than the intended value. This has been fixed. [GL #3327]
5888. [bug] Only write key files if the dnssec-policy keymgr has changed the metadata. [GL #3302]
5823. [func] Replace hazard pointers based lock-free list with locked-list based queue that's simpler and has no or little performance impact. [GL #3180]
--- 9.16.29 released ---
5885. [bug] RPZ NSIP and NSDNAME rule processing didn't handle stub and static-stub zones at or above the query name. This has now been addressed. [GL #3232]
5881. [bug] dig +nssearch could hang in rare cases when recv_done() callback was being called earlier than send_done(). [GL #3278]
5880. [func] Add new named command-line option -C to print built-in defaults. [GL #1326]
5879. [contrib] dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
5874. [bug] keymgr didn't work with python 3.11. [GL !6157]
5866. [bug] Work around a jemalloc quirk which could trigger an out-of-memory condition in named over time. [GL #3287]
5863. [bug] If there was a pending negative cache DS entry, validations depending upon it could fail. [GL #3279]
5858. [bug] Don't remove CDS/CDNSKEY DELETE records on zone sign when using 'auto-dnssec maintain;'. [GL #2931]
--- 9.16.28 released ---
5856. [bug] The "starting maxtime timer" message related to outgoing zone transfers was incorrectly logged at the ERROR level instead of DEBUG(1). [GL #3208]
5852. [func] Add new "reuseport" option to enable/disable load balancing of sockets. [GL #3249]
5843. [bug] When an UPDATE targets a zone that is not configured, the requested zone name is now logged in the "not authoritative" error message, so that it is easier to track down problematic update clients. [GL #3209]
5836. [bug] Quote the dns64 prefix in error messages that complain about problems with it, to avoid confusion with the following dns64 ACLs. [GL #3210]
5834. [cleanup] C99 variable-length arrays are difficult to use safely, so avoid them except in test code. [GL #3201]
5828. [bug] Replace single TCP write timer with per-TCP write timers. [GL #3200]
5824. [bug] Invalid dnssec-policy definitions were being accepted where the defined keys did not cover both KSK and ZSK roles for a given algorithm. This is now checked for and the dnssec-policy is rejected if both roles are not present for all algorithms in use. [GL #3142]
--- 9.16.27 released ---
5818. [security] A synchronous call to closehandle_cb() caused isc__nm_process_sock_buffer() to be called recursively, which in turn left TCP connections hanging in the CLOSE_WAIT state blocking indefinitely when out-of-order processing was disabled. (CVE-2022-0396) [GL #3112]
5817. [security] The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220) [GL #2950]
5816. [bug] Make BIND compile with LibreSSL 3.5.0, as it was using not very accurate pre-processor checks for using shims. [GL #3172]
5815. [bug] If an oversized key name of a specific length was used in the text form of an HTTP or SVBC record, an INSIST could be triggered when parsing it. [GL #3175]
5814. [bug] The RecursClients statistics counter could underflow in certain resolution scenarios. [GL #3147]
5811. [bug] Reimplement the maximum and idle timeouts for outgoing zone transfers. [GL #1897]
5807. [bug] Add a TCP "write" timer, and time out writing connections after the "tcp-idle-timeout" period has elapsed. [GL #3132]
5804. [func] Add a debug log message when starting and ending the task exclusive mode. [GL #3137]
--- 9.16.26 released ---
5801. [bug] Log "quota reached" message when hard quota is reached when accepting a connection. [GL #3125]
5800. [func] Add ECS support to the DLZ interface. [GL #3082]
5797. [bug] A failed view configuration during a named reconfiguration procedure could cause inconsistencies in BIND internal structures, causing a crash or other unexpected errors. [GL #3060]
5795. [bug] rndc could crash when interrupted by a signal before receiving a response. [GL #3080]
5793. [bug] Correctly detect and enable UDP recvmmsg support in all versions of libuv that support it. [GL #3095]
--- 9.16.25 released ---
5789. [bug] Allow replacing expired zone signatures with signatures created by the KSK. [GL #3049]
5788. [bug] An assertion could occur if a catalog zone event was scheduled while the task manager was being shut down. [GL #3074]
5787. [doc] Update 'auto-dnssec' documentation, it may only be activated at zone level. [GL #3023]
5786. [bug] Defer detaching from zone->raw in zone_shutdown() if the zone is in the process of being dumped to disk, to ensure that the unsigned serial number information is always written in the raw-format header of the signed version on an inline-signed zone. [GL #3071]
5785. [bug] named could leak memory when two dnssec-policy clauses had the same name. named failed to log this error. [GL #3085]
5776. [bug] Add a missing isc_condition_destroy() for nmsocket condition variable and add missing isc_mutex_destroy() for nmworker lock. [GL #3051]
5676. [func] Memory use in named was excessive. This has been addressed by: - Replacing locked memory pools with normal memory allocations. - Reducing the number of retained free items in unlocked memory pools. - Disabling the internal allocator by default. "named -M internal" turns it back on. [GL #2398]
--- 9.16.24 released ---
5773. [func] Change the message when accepting TCP connection has failed to say "Accepting TCP connection failed" and change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA and ISC_R_SOFTQUOTA results codes from ERROR to INFO. [GL #2700]
5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
5764. [bug] dns_sdlz_putrr failed to process some valid resource records. [GL #3021]
5762. [bug] Fix a "named" crash related to removing and restoring a `catalog-zone` entry in the configuration file and running `rndc reconfig`. [GL #1608]
5758. [bug] mdig now honors the operating system's preferred ephemeral port range. [GL #2374]
5757. [test] Replace sed in nsupdate system test with awk to construct the nsupdate command. The sed expression was not reliably changing the ttl. [GL #3003]
--- 9.16.23 released ---
5752. [bug] Fix an assertion failure caused by missing member zones during a reload of a catalog zone. [GL #2308]
5750. [bug] Fix a bug when comparing two RSA keys. There was a typo which caused the "p" prime factors to not being compared. [GL #2972]
5737. [bug] Address Coverity warning in lib/dns/dnssec.c. [GL #2935]
--- 9.16.22 released ---
5736. [security] The "lame-ttl" option is now forcibly set to 0. This effectively disables the lame server cache, as it could previously be abused by an attacker to significantly degrade resolver performance. (CVE-2021-25219) [GL #2899]
5724. [bug] Address a potential deadlock when checking zone content consistency. [GL #2908]
5723. [bug] Change 5709 broke backward compatibility for the "check-names master ..." and "check-names slave ..." options. This has been fixed. [GL #2911]
5720. [contrib] Old-style DLZ drivers that had to be enabled at build-time have been marked as deprecated. [GL #2814]
5719. [func] The "map" zone file format has been marked as deprecated. [GL #2882]
5717. [func] The "cache-file" option, which was documented as "for testing purposes only" and not to be used, has been removed. [GL #2903]
5716. [bug] Multiple library names were mistakenly passed to the krb5-config utility when ./configure was invoked with the --with-gssapi=[/path/to/]krb5-config option. This has been fixed by invoking krb5-config separately for each required library. [GL #2866]
5715. [func] Add a check for ports specified in "*-source(-v6)" options clashing with a global listening port. Such a configuration was already unsupported, but it failed silently; it is now treated as an error. [GL #2888]
5714. [bug] Remove the "adjust interface" mechanism which was responsible for setting up listeners on interfaces when the "*-source(-v6)" address and port were the same as the "listen-on(-v6)" address and port. Such a configuration is no longer supported; under certain timing conditions, that mechanism could prevent named from listening on some TCP ports. This has been fixed. [GL #2852]
5712. [doc] Add deprecation notice about removing native PKCS#11 support in the next major BIND 9 release. [GL #2691]
--- 9.16.21 released ---
5711. [bug] "map" files exceeding 2GB in size failed to load due to a size comparison that incorrectly treated the file size as a signed integer. [GL #2878]
5710. [port] win32: incorrect parentheses resulted in the wrong sizeof() tests being used to pick the appropriate Windows atomic operations for the object's size. [GL #2891]
5709. [cleanup] Enum values throughout the code have been updated to use the terms "primary" and "secondary" instead of "master" and "slave", respectively. [GL #1944]
5708. [bug] The thread-local isc_tid_v variable was not properly initialized when running BIND 9 as a Windows Service, leading to a crash on startup. [GL #2837]
5705. [bug] Change #5686 altered the internal memory structure of zone databases, but neglected to update the MAPAPI value for zone files in "map" format. This caused named to attempt to load incompatible map files, triggering an assertion failure on startup. The MAPAPI value has now been updated, so named rejects outdated files when encountering them. [GL #2872]
5704. [bug] Change #5317 caused the EDNS TCP Keepalive option to be ignored inadvertently in client requests. It has now been fixed and this option is handled properly again. [GL #1927]
5701. [bug] named-checkconf failed to detect syntactically invalid values of the "key" and "tls" parameters used to define members of remote server lists. [GL #2461]
5700. [bug] When a member zone was removed from a catalog zone, journal files for the former were not deleted. [GL #2842]
5699. [func] Data structures holding DNSSEC signing statistics are now grown and shrunk as necessary upon key rollover events. [GL #1721]
5698. [bug] When a DNSSEC-signed zone which only has a single signing key available is migrated to use KASP, that key is now treated as a Combined Signing Key (CSK). [GL #2857]
5696. [protocol] Support for HTTPS and SVCB record types has been added. (This does not include ADDITIONAL section processing for these record types, only basic support for RR type parsing and printing.) [GL #1132]
5694. [bug] Stale data in the cache could cause named to send non-minimized queries despite QNAME minimization being enabled. [GL #2665]
5691. [bug] When a dynamic zone was made available in another view using the "in-view" statement, running "rndc freeze" always reported an "already frozen" error even though the zone was successfully frozen. [GL #2844]
5690. [func] dnssec-signzone now honors Predecessor and Successor metadata found in private key files: if a signature for an RRset generated by the inactive predecessor exists and does not need to be replaced, no additional signature is now created for that RRset using the successor key. This enables dnssec-signzone to gradually replace RRSIGs during a ZSK rollover. [GL #1551]
show more ...
|
#
c427c93a |
| 29-Apr-2021 |
christos <christos@NetBSD.org> |
Import bind-9.16.15 Changes since bind-9.16.12:
--- 9.16.15 released ---
5621. [bug] Due to a backporting mistake in change 5609, named binaries built against a Kerberos/GSSAPI library whose
Import bind-9.16.15 Changes since bind-9.16.12:
--- 9.16.15 released ---
5621. [bug] Due to a backporting mistake in change 5609, named binaries built against a Kerberos/GSSAPI library whose header files did not define the GSS_SPNEGO_MECHANISM preprocessor macro were not able to start if their configuration included the "tkey-gssapi-credential" option. This has been fixed. [GL #2634]
5620. [bug] If zone journal files written by BIND 9.16.11 or earlier were present when BIND was upgraded, the zone file for that zone could have been inadvertently rewritten with the current zone contents. This caused the original zone file structure (e.g. comments, $INCLUDE directives) to be lost, although the zone data itself was preserved. This has been fixed. [GL #2623]
--- 9.16.14 released ---
5617. [security] A specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO. (CVE-2021-25216) [GL #2604]
5616. [security] named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. (CVE-2021-25215) [GL #2540]
5615. [security] Insufficient IXFR checks could result in named serving a zone without an SOA record at the apex, leading to a RUNTIME_CHECK assertion failure when the zone was subsequently refreshed. This has been fixed by adding an owner name check for all SOA records which are included in a zone transfer. (CVE-2021-25214) [GL #2467]
5614. [bug] Ensure all resources are properly cleaned up when a call to gss_accept_sec_context() fails. [GL #2620]
5613. [bug] It was possible to write an invalid transaction header in the journal file for a managed-keys database after upgrading. This has been fixed. Invalid headers in existing journal files are detected and named is able to recover from them. [GL #2600]
5611. [func] Set "stale-answer-client-timeout" to "off" by default. [GL #2608]
5610. [bug] Prevent a crash which could happen when a lookup triggered by "stale-answer-client-timeout" was attempted right after recursion for a client query finished. [GL #2594]
5609. [func] The ISC implementation of SPNEGO was removed from BIND 9 source code. It was no longer necessary as all major contemporary Kerberos/GSSAPI libraries include support for SPNEGO. [GL #2607]
5608. [bug] When sending queries over TCP, dig now properly handles "+tries=1 +retry=0" by not retrying the connection when the remote server closes the connection prematurely. [GL #2490]
5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover" commands may affect the next scheduled key event, reconfiguration of zone keys is now triggered after receiving either of these commands to prevent unnecessary key rollover delays. [GL #2488]
5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone transitions from a secure to an insecure state. named-checkzone also no longer reports an error when such records are found in an unsigned zone. [GL #2517]
5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for more accurate time reporting. [GL #2592]
5603. [bug] Fix a memory leak that occurred when named failed to bind a UDP socket to a network interface. [GL #2575]
5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This makes the "tcp-initial-timeout" and "tcp-idle-timeout" options work correctly again. [GL #2583]
5601. [bug] Zones using KASP could not be thawed after they were frozen using "rndc freeze". This has been fixed. [GL #2523]
--- 9.16.13 released ---
5597. [bug] When serve-stale was enabled and starting the recursive resolution process for a query failed, a named instance could crash if it was configured as both a recursive and authoritative server. This problem was introduced by change 5573 and has now been fixed. [GL #2565]
5595. [cleanup] Public header files for BIND 9 libraries no longer directly include third-party library headers. This prevents the need to include paths to third-party header files in CFLAGS whenever BIND 9 public header files are used, which could cause build-time issues on hosts with older versions of BIND 9 installed. [GL #2357]
5594. [bug] Building with --enable-dnsrps --enable-dnsrps-dl failed. [GL #2298]
5593. [bug] Journal files written by older versions of named can now be read when loading zones, so that journal incompatibility does not cause problems on upgrade. Outdated journals are updated to the new format after loading. [GL #2505]
5592. [bug] Prevent hazard pointer table overflows on machines with many cores, by allowing the thread IDs (serving as indices into hazard pointer tables) of finished threads to be reused by those created later. [GL #2396]
5591. [bug] Fix a crash that occurred when "stale-answer-client-timeout" was triggered without any (stale) data available in the cache to answer the query. [GL #2503]
5590. [bug] NSEC3 records were not immediately created for dynamic zones using NSEC3 with "dnssec-policy", resulting in such zones going bogus. Add code to process the NSEC3PARAM queue at zone load time so that NSEC3 records for such zones are created immediately. [GL #2498]
5588. [func] Add a new "purge-keys" option for "dnssec-policy". This option determines the period of time for which key files are retained after they become obsolete. [GL #2408]
5586. [bug] An invalid direction field in a LOC record resulted in an INSIST failure when a zone file containing such a record was loaded. [GL #2499]
5584. [bug] No longer set the IP_DONTFRAG option on UDP sockets, to prevent dropping outgoing packets exceeding "max-udp-size". [GL #2466]
5582. [bug] BIND 9 failed to build when static OpenSSL libraries were used and the pkg-config files for libssl and/or libcrypto were unavailable. This has been fixed by ensuring that the correct linking order for libssl and libcrypto is always used. [GL #2402]
5581. [bug] Fix a memory leak that occurred when inline-signed zones were added to the configuration, followed by a reconfiguration of named. [GL #2041]
5580. [test] The system test framework no longer differentiates between SKIPPED and UNTESTED system test results. Any system test which is not run is now marked as SKIPPED. [GL !4517]
5573. [func] When serve-stale is enabled and stale data is available, named now returns stale answers upon encountering any unexpected error in the query resolution process. However, the "stale-refresh-time" window is still only started upon a timeout. [GL #2434]
5564. [cleanup] Network manager's TLSDNS module was refactored to use libuv and libssl directly instead of a stack of TCP/TLS sockets. [GL #2335]
show more ...
|