--- 9.11.37 released ---
5817. [security] The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside
the configured bailiwick. (CVE-2021-25220) [GL #2950]
--- 9.11.36 released ---
5736. [security] The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could
previously be abused by an attacker to significantly
degrade resolver performance. (CVE-2021-25219)
[GL #2899]
5716. [bug] Multiple library names were mistakenly passed to the
krb5-config utility when ./configure was invoked with
the --with-gssapi=[/path/to/]krb5-config option. This
has been fixed by invoking krb5-config separately for
each required library. [GL #2866]
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
--- 9.11.35 released ---
5685. [bug] named failed to check the opcode of responses when
performing zone refreshes, stub zone updates, and UPDATE
forwarding. This has been fixed. [GL #2762]
9.11.34
This maintenance release of BIND 9.11 contains no significant changes,
although some minor updates have been made (for example, to fix build issues
on Solaris 11).
Notes for BIND 9.11.32
Feature Changes
* DNSSEC responses containing NSEC3 records with iteration counts greater
than 150 are now treated as insecure. [GL #2445]
* The maximum supported number of NSEC3 iterations that can be configured
for a zone has been reduced to 150. [GL #2642]
* The implementation of the ZONEMD RR type has been updated to match RFC
8976. [GL #2658]
Security release.
--- 9.11.31 released ---
5621. [bug] Due to a backporting mistake in change 5609, named
binaries built against a Kerberos/GSSAPI library whose
header files did not define the GSS_SPNEGO_MECHANISM
preprocessor macro were not able to start if their
configuration included the "tkey-gssapi-credential"
option. This has been fixed. [GL #2634]
--- 9.11.30 released ---
5617. [security] A specially crafted GSS-TSIG query could cause a buffer
overflow in the ISC implementation of SPNEGO.
(CVE-2021-25216) [GL #2604]
5616. [security] named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query. (CVE-2021-25215) [GL #2540]
5615. [security] Insufficient IXFR checks could result in named serving a
zone without an SOA record at the apex, leading to a
RUNTIME_CHECK assertion failure when the zone was
subsequently refreshed. This has been fixed by adding an
owner name check for all SOA records which are included
in a zone transfer. (CVE-2021-25214) [GL #2467]
5614. [bug] Ensure all resources are properly cleaned up when a call
to gss_accept_sec_context() fails. [GL #2620]
5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
source code. It was no longer necessary as all major
contemporary Kerberos/GSSAPI libraries include support
for SPNEGO. [GL #2607]
--- 9.11.29 released ---
5586. [bug] An invalid direction field in a LOC record resulted in
an INSIST failure when a zone file containing such a
record was loaded. [GL #2499]
- Changelog:
* Bug Fixes:
- Multiple threads could attempt to destroy a single RBTDB instance at the
same time, resulting in an unpredictable but low-probability assertion
failure in free_rbtdb(). This has been fixed. [GL #2317]
- Full changelog at:
https://downloads.isc.org/isc/bind9/9.11.27/RELEASE-NOTES-bind-9.11.27.html
Update bind911 to 9.11.26 (BIND 9.11.26) which is maintenance release.
--- 9.11.26 released ---
5544. [func] Restore the default value of "nocookie-udp-size" to 4096
bytes. [GL #2250]
5541. [func] Adjust the "max-recursion-queries" default from 75 to
100. [GL #2305]
5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
[GL #2315]
5539. [bug] Tighten handling of missing DNS COOKIE responses over
UDP by falling back to TCP. [GL #2275]
5534. [bug] The CNAME synthesized from a DNAME was incorrectly
followed when the QTYPE was CNAME or ANY. [GL #2280]
Apply fix for man page problems as bind-announce post.
Message-ID: <467ff8dc-00a0-674f-3b09-ae0ebf8dd293@isc.org>
Subject: A fix is available for man page problems affecting the BIND 9.11.25 release (was Re: New BIND releases are available: 9.11.25, 9.16.9, and 9.17.7)
Date: Mon, 30 Nov 2020 01:51:28 -0900
From: Michael McNally <mcnally@isc.org>
To: bind-announce@lists.isc.org
Bump PKGREVISION.
Changes:
--- 9.11.25 released ---
5527. [bug] A NULL pointer dereference occurred when creating an NTA
recheck query failed. [GL #2244]
5523. [bug] The initial lookup in a zone transitioning to/from a
signed state could fail if the DNSKEY RRset was not
found. [GL #2236]
5518. [bug] Stub zones now work correctly with primary servers using
"minimal-responses yes". [GL #1736]
--- 9.11.24 released ---
5516. [func] The default EDNS buffer size has been changed from 4096
to 1232 bytes. [GL #2183]
5513. [doc] The ARM section describing the "rrset-order" statement
was rewritten to make it unambiguous and up-to-date with
the source code. [GL #2139]
5510. [bug] Implement the attach/detach semantics for dns_message_t
to fix a data race in accessing an already-destroyed
fctx->rmessage. [GL #2124]
5506. [bug] Properly handle failed sysconf() calls, so we don't
report invalid memory size. [GL #2166]
Update bind911 package to 9.11.23.
--- 9.11.23 released ---
5497. [bug] 'dig +bufsize=0' failed to disable EDNS. [GL #2054]
5496. [bug] Address a TSAN report by ensuring each rate limiter
object holds a reference to its task. [GL #2081]
5492. [bug] Tighten LOC parsing to reject a period (".") and/or "m"
as a value. Fix handling of negative altitudes which are
not whole meters. [GL #2074]
5489. [bug] Named erroneously accepted certain invalid resource
records that were incorrectly processed after
subsequently being written to disk and loaded back, as
the wire format differed. Such records include: CERT,
IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
X25. [GL !3953]
5488. [bug] NTA code needed to have a weak reference on its
associated view to prevent the latter from being deleted
while NTA tests were being performed. [GL #2067]
Update bind911 to 9.11.22 (BIND 9.11.22).
--- 9.11.22 released ---
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
overridden by other rules that were loaded from RPZ
zones which appeared later in the "response-policy"
statement. This has been fixed. [GL #1619]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
or trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]
5463. [bug] Address a potential NULL pointer dereference when out of
memory in dnstap.c. [GL #2010]
5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
Update bind911 to 9.11.20, fixing CVE-2020-8619.
--- 9.11.20 released ---
5437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr().
[GL #1808]
5434. [security] It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone
content and query patterns. (CVE-2020-8619) [GL #1111]
[GL #1718]
5433. [test] Prevent the resolver system test for change #5395
(max-recursion-queries) from failing on systems without
IPv6 support. [GL #1873]
5428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr
has been destroyed. Thanks to Petr Menšík. [GL !3316]
5427. [bug] Fix a regression in address/prefix length checking that
should have been a warning instead of an error.
[GL #1849]
5415. [test] Address race in dnssec system test that led to
test failures. [GL #1852]
5413. [test] Address race in autosign system test that led to
test failures. [GL #1852]
5412. [bug] 'provide-ixfr no;' failed to return up-to-date responses
when the serial was greater than or equal to the
current serial. [GL #1714]
5409. [performance] When looking up NSEC3 data in a zone database, skip the
check for empty non-terminal nodes; the NSEC3 tree does
not have any. [GL #1834]
5408. [protocol] Print Extended DNS Errors if present in OPT record.
[GL #1835]
5405. [bug] 'named-checkconf -p' could include spurious text in
server-addresses statements due to an uninitialized DSCP
value. [GL #1812]
There was build problem after pkg-config was aded to USE_TOOLS if
PKG_DEVELOPER is enabled, causing WRKDIR reference.
Fix method is dirty (or quick) hack.
Update bind911 to 9.11.19 (BIND 9.11.19).
--- 9.11.19 released ---
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
5398. [bug] Named could fail to restart if a zone with a double
quote (") in its name was added with 'rndc addzone'.
[GL #1695]
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5394. [cleanup] Named formerly attempted to change the effective UID and
GID in named_os_openfile(), which could trigger a
spurious log message if they were already set to the
desired values. This has been fixed. [GL #1042]
[GL #1090]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5387. [func] Warn about AXFR streams with inconsistent message IDs.
[GL #1674]
Update bind911 to 9.11.18 (BIND 9.11.18).
--- 9.11.18 released ---
5380. [contrib] Fix building MySQL DLZ modules against MySQL 8
libraries. [GL #1678]
5379. [doc] Clean up serve-stale related options that leaked into
the BIND 9.11 release. [GL !3265]
5378. [bug] Receiving invalid DNS data was triggering an assertion
failure in nslookup. [GL #1652]
5377. [feature] Detect atomic operations support on ppc64le. Thanks to
Petr Menšík. [GL !3295]
5376. [bug] Fix ineffective DNS rebinding protection when BIND is
configured as a forwarding DNS server. Thanks to Tobias
Klein. [GL #1574]
5368. [bug] Named failed to restart if 'rndc addzone' names
contained special characters (e.g. '/'). [GL #1655]
--- 9.11.17 released ---
5358. [bug] Inline master zones whose master files were touched
but otherwise unchanged and were subsequently reloaded
may have stopped re-signing. [GL !3135]
5357. [bug] Newly added RRSIG records with expiry times before
the previous earliest expiry times might not be
re-signed in time. The was a side effect of 5315.
[GL !3137]
Update bind911 to 9.11.16 (BIND 9.11.16).
--- 9.11.16 released ---
5353. [doc] Document port and dscp parameters in forwarders
configuration option. [GL #914]
5352. [bug] Correctly handle catalog zone entries containing
characters that aren't legal in filenames. [GL #1592]
5351. [bug] CDS / CDNSKEY consistency checks failed to handle
removal records. [GL #1554]
5350. [bug] When a view was configured with class CHAOS,
dns_view_findzonecut() could incorrectly return
success for non-existent records. [GL #1540]
5348. [bug] dnssec-settime -Psync was not being honoured.
[GL !2925]
Update bind911 to 9.11.15 (BIND 9.11.15).
--- 9.11.15 released ---
5339. [bug] With some libmaxminddb versions, named could erroneously
match an IP address not belonging to any subnet defined
in a given GeoIP2 database to one of the existing
entries in that database. [GL #1552]
5338. [bug] Fix line spacing in `rndc secroots`.
Thanks to Tony Finch. [GL !2478]
5337. [func] 'named -V' now reports maxminddb and protobuf-c
versions. [GL !2686]
Update bind911 to 9.11.14 (BIND 9.11.14).
--- 9.11.14 released ---
5330. [bug] 'configure --without-python' was ineffective if
PYTHON was set in the environment. [GL #1434]
5329. [bug] Reconfiguring named caused memory to be leaked when any
GeoIP2 database was in use. [GL #1445]
5328. [bug] rbtdb.c:rdataset_{get,set}ownercase failed to obtain
a node lock. [GL #1417]
5327. [func] Added a statistics counter to track queries
dropped because the recursive-clients quota was
exceeded. [GL #1399]
5326. [bug] Add python dependancy on 'distutils.core' to configure.
'distutils.core' is required for installation.
[GL #1397]
5322. [bug] Conditional compilation of lock_callback was
inconsistent with conditional use of the function
when forcing BIND to build with older and unsupported
versions of OpenSSL. [GL #1386]
5321. [bug] Obtain write lock before updating version->records
and version->bytes. [GL #1341]
Update bind911 to 9.11.3. It includes fix for CVS-2019-6477.
--- 9.11.13 released ---
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
when the server has been offline for prolonged
period of times. [GL #1256]
5314. [func] Added a new statistics variable "tcp-highwater"
that reports the maximum number of simultaneous TCP
clients BIND has handled while running. [GL #1206]
5313. [bug] The default GeoIP2 database location did not match
the ARM. 'named -V' now reports the default
location. [GL #1301]
5310. [bug] TCP failures were affecting EDNS statistics. [GL #1059]
5309. [bug] "geoip-use-ecs yes;" was not working for GeoIP2.
[GL #1275]
5308. [bug] Don't log DNS_R_UNCHANGED from sync_secure_journal()
at ERROR level in receive_secure_serial(). [GL #1288]
5307. [bug] Fix hang when named-compilezone output is sent to pipe.
Thanks to Tony Finch. [GL !2481]
5306. [security] Set a limit on the number of concurrently served
pipelined TCP queries. (CVE-2019-6477) [GL #1264]
5302. [bug] Fix checking that "dnstap-output" is defined when
"dnstap" is specified in a view. [GL #1281]
5301. [bug] Detect partial prefixes / incomplete IPv4 address in
acls. [GL #1143]
Update bind911 to 9.11.12 (BIND 9.11.12). This is not security release.
--- 9.11.12 released ---
5296. [bug] Address various issues reported by cppcheck. [GL !2421]
5294. [func] Fallback to ACE name on output in locale, which does not
support converting it to unicode. [GL #846]
5293. [bug] On Windows, named crashed upon any attempt to fetch XML
statistics from it. [GL #1245]
5292. [bug] Queue 'rndc nsec3param' requests while signing inline
zone changes. [GL #1205]
Update bind911 to 9.11.10 (BIND 9.11.10).
--- 9.11.10 released ---
5275. [bug] Mark DS records included in referral messages
with trust level "pending" so that they can be
validated and cached immediately, with no need to
re-query. [GL #964]
5273. [bug] Check that bits [64..71] of a dns64 prefix are zero.
[GL #1159]
5269. [port] cygwin: can return ETIMEDOUT on connect() with a
non-blocking socket. [GL #1133]
5268. [bug] named could crash during configuration if
configured to use "geoip continent" ACLs with
legacy GeoIP. [GL #1163]
5266. [bug] named-checkconf failed to report dnstap-output
missing from named.conf when dnstap was specified.
[GL #1136]
5265. [bug] DNS64 and RPZ nodata (CNAME *.) rules interacted badly
[GL #1106]
5264. [func] New DNS Cookie algorithm - siphash24 - has been added to
BIND 9. [GL #605]
Update bind911 to 9.11.9.
--- 9.11.9 released ---
5260. [bug] dnstap-read was producing malformed output for large
packets. [GL #1093]
5258. [func] Added support for the GeoIP2 API from MaxMind,
when BIND is compiled using "configure --with-geoip2".
The legacy GeoIP API can be enabled by using
"configure --with-geoip" instead. These options
cannot be used together.
Certain geoip ACL settings that were available with
legacy GeoIP are not available when using GeoIP2.
See the ARM for details. [GL #182]
5257. [bug] Some statistics data was not being displayed.
Add shading to the zone tables. [GL #1030]
5256. [bug] Ensure that glue records are included in root
priming responses if "minimal-responses" is not
set to "yes". [GL #1092]
5255. [bug] Errors encountered while reloading inline-signing
zones could be ignored, causing the zone content to
be left in an incompletely updated state rather than
reverted. [GL #1109]
5253. [port] Support platforms that don't define ULLONG_MAX.
[GL #1098]
5249. [bug] Fix a possible underflow in recursion clients
statistics when hitting recursive clients
soft quota. [GL #1067]
This inadvertently opened up the named process to more privileges than
necessary and could be considered a security risk. This may affect chroot
support, adding back in support for that will need to be done carefully.
Bump PKGREVISIONs.
Update bind911 to 9.11.8 (BIND 9.11.8).
--- 9.11.8 released ---
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
[GL #225]
5237. [bug] Recurse to find the root server list with 'dig +trace'.
[GL #1028]
