Import dhcp-4.4.3
Changes since 4.4.2-P1 (New Features)

- Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
and `dhcpctl_timed_wait_for_completion()`. These provide timed
vers

Import dhcp-4.4.3
Changes since 4.4.2-P1 (New Features)

- Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
and `dhcpctl_timed_wait_for_completion()`. These provide timed
versions of creating a connection and waiting for an operation
to complete.
[GitLab #76]

- The BIND libraries have been updated to the latest version, 9.11.36.
This fixes a number of compilation issues on various systems, including
OpenWRT. Thanks to Philip Prindeville for testing on OpenWRT.
[GitLab #218, #171, #180, #192]

- Support was added for the new DHCPv4 option v6-only-preferred, specified
in RFC 8925. A new reason code, V6ONLY, was added to the client script
and the client Linux script sample was updated.
[GitLab #132]

Changes since 4.4.2-P1 (Bug Fixes)

- Minor corrections were made to allow compilation under gcc 10.
[GitLab #117]

- The logic in dhclient that causes it to decline DHCPv4 leases if the
client script exits abnormally (i.e. crashes) has been corrected.
[GitLab #123]

- The limit on the size of a lease file that can be loaded at startup
is now only enforced on 32-bit systems.
[GitLab #92]

- The PRNG initialization has been improved. It now uses the configure flag
`--with-randomdev=PATH`, which specifies the device from which to read the
initial seed. That is typically `/dev/random` (the default value) or
`/dev/urandom`, but may be specified otherwise on the local system. The old
behavior can be forced by disabling this feature (`--with-randomdev=no`).
If the initialization is disabled or reading from the random device fails,
the previous algorithm (retrieve the last four bytes of hardware addresses
from all network interfaces that have them, and use the current time and
process ID) is used.
[GitLab #197]

- A minor dhclient code fix was made to remove compilation warnings.
[GitLab #190]

- The hard-coded MD5 algorithm name was removed in OMAPI connection logic.
Previously, using any other algorithm via a key-algorithm statement would
allow OMAPI connections to be made, but subsequent actions such as updating
an object would fail.
[GitLab #148]

- The parallel build has been improved. Thanks to Sergei Trofimovich for
the patch. The parallel build is still experimental, as officially the
BIND 9 code does not support the parallel build for libraries.
[GitLab #91]

- Handling of LDAP options (`ldap-gssapi-principal` and `ldap-gssapi-keytab`)
has been improved. This is contributed code that has not been tested by ISC.
Thank you to Petr Mensik and Pavel Zhukov for the patches!
[GitLab !56,!75]

- It is now possible to use `option -g ipaddr` in the dhcrelay to replace the
giaddr sent to clients with the given ipaddr, to work around bogus clients
like Solaris 11 grub which use giaddr instead of the announced router (3)
to set up their default route. Thanks to Jens Elkner for the patch!
[GitLab #223, !86, !92]

show more ...

Import dhcp-4.4.2-P1:
! Corrected a buffer overwrite possible when parsing hexadecimal
literals with more than 1024 octets. Reported by Jon Franklin from Dell,
and also by Pawel Wieczorkiewicz

Import dhcp-4.4.2-P1:
! Corrected a buffer overwrite possible when parsing hexadecimal
literals with more than 1024 octets. Reported by Jon Franklin from Dell,
and also by Pawel Wieczorkiewicz from Amazon Web Services.
[Gitlab #182]
CVE: CVE-2021-25217

show more ...

Internet Systems Consortium DHCP Distribution
Version 4.4.2
22 January 2020
Release Notes

Internet Systems Consortium DHCP Distribution
Version 4.4.2
22 January 2020
Release Notes

NEW FEATURES

Please note that that ISC DHCP is now licensed under the Mozilla Public License,
MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
license terms.

While release 4.4.2 is primarily a maintenance release that addresses a number
of defects, it does introduce a few new features:

- Keama - Keama is a migration utility that assists in converting ISC DHCP
server configuration files to Kea configuration files. It is found in the
keama subdirectory and includes a README.md file with instructions on how
to build it as well as a manpage on its usage.

- Two new server parameters related to ping checking were added:

1. ping-cltt-secs which allows the user to specify the number of seconds
that must elapse since CLTT before a ping check is conducted.

2. ping-timeout-ms which allows the user to specify the amount of time the
server waits for a ping-check response in milliseconds rather than in
seconds.

In general, the areas of focus for ISC DHCP 4.4 were:

1. Dynamic DNS additions
2. dhclient improvements
3. Support for dynamic shared libraries

Dynamic DNS Improvements:

- We added three new server configuration parameters which influence DDNS
conflict resolution:

1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
to mitigate issues with non-compliant clients in dual stack environments.

2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
requirement of DNS conflict resolution.

3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
allow unguarded DNS entries to be overwritten in certain cases

- The server now honors update-static-leases parameter for static DHCPv6
hosts.

dhclient Improvements:

- We've added three command line parameters to dhclient:

1. --prefix-len-hint - directs dhclient to use the given length as
the prefix length hint when requesting prefixes

2. --decline-wait-time - instructs the client to wait the given number
of seconds after declining an IPv4 address before issuing a discover

3. --address-prefix-len - specifies the prefix length passed by dhclient
into the client script (via the environment variable ip6_prefixlen) with
each IPv6 address. We added this parameter because we have changed the
default value from 64 to 128 in order to be compliant with RFC3315bis
draft (-09, page 64) and RFC5942, Section 4, point 1.
**WARNING**: The new default value of 128 may not be backwardly compatible
with your environment. If you are operating without a router, such as
between VMs on a host, you may find they cannot see each other with prefix
length of 128. In such cases, you'll need to either provide routing or use
the command line parameter to set the value to 64. Alternatively you may
change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
in includes/site.h.

- dhclient will now generate a DHCPv6 DECLINE message when the client script
indicates a DAD failure

Dynamic shared library support:

Configure script, configure.ac+lt, which supports libtool is now provided
with the source tar ball. This script can be used to configure ISC DHCP
to build with libtool and thus use dynamic shared libraries.

Other Highlights:

- The server now supports dhcp-cache-threshold for DHCPv6 operations
- The server now supports DHPv6 address allocation based on EUI-64 DUIDs
- Experimental support for alternate relay port in the both the server
and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)

For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.

ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.

The system has only been tested on Linux, FreeBSD, and Solaris, and may not
work on other platforms. Please report any problems and suggested fixes to
<dhcp-users@isc.org>.

ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).

Changes since 4.4.2b1 (Bug Fixes)

- Added a clarification on DHCPINFORMs and server authority to
dhcpd.conf.5
[Gitlab #37]

- Only emit lease scrubbing log messages when DEBUG_FAILOVER_MESSAGES
is defined.
[Gitlab #72]

- Added the interface name to socket initialization failure log messages.
Prior to this the log messages stated only the error reason without
stating the target interface.
[Gitlab #75]

- Corrected buffer pointer logic in dhcrelay functions that manipulate
agent relay options. Thanks to Thomas Imbert of MSRC Vulnerabilities
& Mitigations for reporting the issue.
[#71]

- Corrected unresolved symbol errors building relay_unittests when
configured to build using libtool.
[#80]

Changes since 4.4.1 (New Features)

- A new configuration parameter, ping-cltt-secs (v4 operation only), has
been added to allow the user to specify the number of seconds that must
elapse since CLTT before a ping check is conducted. Prior to this, the
value was hard coded at 60 seconds. Please see the server man pages for
a more detailed discussion.
[ISC-Bugs #36283]

- A new configuration parameter, ping-timeout-ms (v4 operation only),
has been added that allows the user to specify the amount of time
the server waits for a ping-check response in milliseconds rather
than in seconds (via ping-timeout). When greater than zero, the value
of ping-timeout-ms will override the value of ping-timeout. Thanks
to Jay Doran from Bluecat Networks for suggesting this feature.
[Gitlab #10]

- An experimental tool called, Keama (KEA Migration Assistant), which helps
translate ISC DHCP configurations to Kea configurations, is now included
in the distribution.
[Gitlab #34]

Changes since 4.4.1 (Bug Fixes)

- Corrected a misuse of the BIND9 DDNS API which caused DDNS updates to be
carried out over TCP rather than UDP. The coding error was exposed by
migration to BIND9 9.11. Thanks to Jinmei Tatuya at Infoblox for
reporting the issue.
[ISC-Bugs #47757]

- Bind9 now defaults to requiring python to build. The Makefile for
building Bind9 when bundled with ISC DHCP was modified to turn off
this dependency.
[Gitlab #3]

- Corrected a dual-stack mixed-mode issue that occurs when both
ddns-guard-id-must-match and ddns-other-guard-is-dynamic
are enabled and that caused the server to incorrectly interpret
the presence of a guard record belonging to another client as
a case of no guard record at all. Thanks to Fernando Soto
from BlueCat Networks for reporting this issue.
[Gitlab #1]

- Corrected a compilation issue that occurred when building without DNS
update ability (e.g. by undefining NSUPDATE).
[Gitlab #16]

- Corrected an issue that was causing the server, when running in
DHPCv4 mode, to segfault when class lease limits are reached.
Thanks to Peter Nagy at Porion-Digital for reporting the matter
and submitting a patch.
[Gitlab #13]

- Made minor changes to eliminate warnings when compiled with GCC 9.
Thanks to Brett Neumeier for bringing the matter to our attention.
[Gitlab #15]

- Fixed potential memory leaks in parser error message generation
spotted by Coverity, CIDs: 1448191, 1448193, 1448194, 1448195
[Gitlab #30]

- Updated URL of IEEE oui.txt in contrib/dhcp-lease-list.pl. Thanks
to Tommy Smith for contributing the patch.
[Gitlab #26]

- Fixed define flags when using SO_BINDTODEVICE. Thanks to Joe LeVeque for
reporting the issue.
[GitLab #19]

- Applied a patch from OpenBSD to always set the scope id of outbound
DHPCv6 packets. Note this change only applies when compiling under
OpenBSD. Thanks to Brad Smith at OpenBSD from bringing it to our
attention.
[Gitlab #33]

- Modified dhclient to not discard config file leases that are
duplicates of server-provided leases and to retain such leases
after they have been used as the fallback active lease and
DHCP service has been restored. This allows them to be used
more than once during the lifetime of a dhclient instance.
This applies to DHCPv4 operation only.
[Gitlab #9]

- Corrected a number of reference counter and zero-length buffer leaks.
Thanks to Christopher Ertl of MSRC Vulnerabilities & Mitigations for
pointing them out.
[Gitlab #57]

- Closed a small window of time between the installation of graceful
shutdown signal handlers and application context startup, during which
the receipt of shutdown signal would cause a REQUIRE() assertion to
occur. Note this issue is only visible when compiling with
ENABLE_GENTLE_SHUTDOWN defined.
[Gitlab #53]

- Corrected a buffer overflow that can occur when retrieving zone
names that are more than 255 characters in length.
[Gitlab #20]

- The "d" domain name option format was incorrectly handled as text
instead of RFC 1035 wire format. Thanks to Jay Doran at BlueCat Networks
for reporting this issue.
[Gitlab #2]

- Improved the error message issued when a host declaration has both
a uid and a dhcp-client-identifier. Server configuration parsing will
now fail if a host declaration specifies more than one uid.
[Gitlab #7]

- Updated developer's documentation on building and running unit tests.
Removed support for --with-atf=bind as BIND9 no longer bundles in ATF
source.
[Gitlab #35]

- Fixed a syntax error in ldap.c which cropped up under Ubuntu
18.04.1/gcc 7.4.0. Thanks to Charles Hedrick for pointing it out.
[Gitlab #51]

- Added clarification to dhcp-options.5 section on ip-address values
describing the first-use DNS resolution of options with hostnames as
values (e.g. next-server).
[Gitlab #28]

- The option format for the server option omapi-key was changed to a
format type 'k' (key name); while server options ldap-port and
ldap-init-retry were changed to 'L' (unsigned 32-bit integer). These
three options were inadvertantly broken when the 'd' format content
was changed to comply with RFC 1035 wire format (see Gitlab #2).
[Gitlab #68]

show more ...