.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.27
----------------------

Security Fixes
~~~~~~~~~~~~~~

- The rules for acceptance of records into the cache have been tightened
  to prevent the possibility of poisoning if forwarders send records
  outside the configured bailiwick. (CVE-2021-25220)

  ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
  Network and Information Security Lab, Tsinghua University, and
  Changgen Zou from Qi An Xin Group Corp. for bringing this
  vulnerability to our attention. :gl:`#2950`

- TCP connections with ``keep-response-order`` enabled could leave the
  TCP sockets in the ``CLOSE_WAIT`` state when the client did not
  properly shut down the connection. (CVE-2022-0396) :gl:`#3112`

Feature Changes
~~~~~~~~~~~~~~~

- DEBUG(1)-level messages were added when starting and ending the BIND 9
  task-exclusive mode that stops normal DNS operation (e.g. for
  reconfiguration, interface scans, and other events that require
  exclusive access to a shared resource). :gl:`#3137`

Bug Fixes
~~~~~~~~~

- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options
  were not implemented when the BIND 9 networking stack was refactored
  in 9.16. The missing functionality has been re-implemented and
  outgoing zone transfers now time out properly when not progressing.
  :gl:`#1897`

- TCP connections could hang indefinitely if the other party did not
  read sent data, causing the TCP write buffers to fill. This has been
  fixed by adding a "write" timer. Connections that are hung while
  writing now time out after the ``tcp-idle-timeout`` period has
  elapsed. :gl:`#3132`

- The statistics counter representing the current number of clients
  awaiting recursive resolution results (``RecursClients``) could be
  miscalculated in certain resolution scenarios, potentially causing the
  value of the counter to drop below zero. This has been fixed.
  :gl:`#3147`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.