00b67f09dd
Also known as ISC bind. This import adds utilities such as host(1), dig(1), and nslookup(1), as well as many other tools and libraries. Change-Id: I035ca46e64f1965d57019e773f4ff0ef035e4aa3
202 lines
6.7 KiB
XML
202 lines
6.7 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!--
|
|
- Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- Permission to use, copy, modify, and/or distribute this software for any
|
|
- purpose with or without fee is hereby granted, provided that the above
|
|
- copyright notice and this permission notice appear in all copies.
|
|
-
|
|
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
- PERFORMANCE OF THIS SOFTWARE.
|
|
-->
|
|
|
|
<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<xi:include href="noteversion.xml"/>
|
|
<sect2 id="relnotes_intro">
|
|
<title>Introduction</title>
|
|
<para>
|
|
This document summarizes changes since BIND 9.10.2:
|
|
</para>
|
|
<para>
|
|
BIND 9.10.2-P4 addresses security issues described in
|
|
CVE-2015-5722 and CVE-2015-5986.
|
|
</para>
|
|
<para>
|
|
BIND 9.10.2-P3 addresses a security issue described in
|
|
CVE-2015-5477.
|
|
</para>
|
|
<para>
|
|
BIND 9.10.2-P2 addresses a security issue described in
|
|
CVE-2015-4620.
|
|
</para>
|
|
<para>
|
|
BIND 9.10.2-P1 addressed several bugs that have been identified
|
|
in the BIND 9.10 implementation of response-policy zones (RPZ).
|
|
The bugs are in code which optimizes searching through multiple
|
|
policy zones. In some cases, they can cause RPZ to behave
|
|
inefficiently by searching for query matches in more policy
|
|
zones than are strictly necessary, or to behave unpredictably
|
|
by failing to search a policy zone that should have been
|
|
searched. In the worst case, they can lead to assertion
|
|
failures, terminating <command>named</command>.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_download">
|
|
<title>Download</title>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<ulink url="http://www.isc.org/downloads/"
|
|
>http://www.isc.org/downloads/</ulink>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_security">
|
|
<title>Security Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
An incorrect boundary check in the OPENPGPKEY rdatatype
|
|
could trigger an assertion failure. This flaw is disclosed
|
|
in CVE-2015-5986. [RT #40286]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A buffer accounting error could trigger an assertion failure
|
|
when parsing certain malformed DNSSEC keys.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Hanno B쎶eck of the Fuzzing
|
|
Project, and is disclosed in CVE-2015-5722. [RT #40212]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A specially crafted query could trigger an assertion failure
|
|
in message.c.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Jonathan Foote, and is disclosed
|
|
in CVE-2015-5477. [RT #39795]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
On servers configured to perform DNSSEC validation, an
|
|
assertion failure could be triggered on answers from
|
|
a specially configured server.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Breno Silveira Soares, and is
|
|
disclosed in CVE-2015-4620. [RT #39795]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_features">
|
|
<title>New Features</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>None</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_changes">
|
|
<title>Feature Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>None</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_bugs">
|
|
<title>Bug Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Asynchronous zone loads were not handled correctly when the
|
|
zone load was already in progress; this could trigger a crash
|
|
in zt.c. [RT #37573]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Several bugs have been fixed in the RPZ implementation:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Policy zones that did not specifically require recursion
|
|
could be treated as if they did; consequently, setting
|
|
<command>qname-wait-recurse no;</command> was
|
|
sometimes ineffective. This has been corrected.
|
|
In most configurations, behavioral changes due to this
|
|
fix will not be noticeable. [RT #39229]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The server could crash if policy zones were updated (e.g.
|
|
via <command>rndc reload</command> or an incoming zone
|
|
transfer) while RPZ processing was still ongoing for an
|
|
active query. [RT #39415]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
On servers with one or more policy zones configured as
|
|
slaves, if a policy zone updated during regular operation
|
|
(rather than at startup) using a full zone reload, such as
|
|
via AXFR, a bug could allow the RPZ summary data to fall out
|
|
of sync, potentially leading to an assertion failure in
|
|
rpz.c when further incremental updates were made to the
|
|
zone, such as via IXFR. [RT #39567]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The server could match a shorter prefix than what was
|
|
available in CLIENT-IP policy triggers, and so, an
|
|
unexpected action could be taken. This has been
|
|
corrected. [RT #39481]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The server could crash if a reload of an RPZ zone was
|
|
initiated while another reload of the same zone was
|
|
already in progress. [RT #39649]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="end_of_life">
|
|
<title>End of Life</title>
|
|
<para>
|
|
The end of life for BIND 9.10 is yet to be determined but
|
|
will not be before BIND 9.12.0 has been released for 6 months.
|
|
<ulink url="https://www.isc.org/downloads/software-support-policy/"
|
|
>https://www.isc.org/downloads/software-support-policy/</ulink>
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_thanks">
|
|
<title>Thank You</title>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<ulink url="http://www.isc.org/donate/"
|
|
>http://www.isc.org/donate/</ulink>.
|
|
</para>
|
|
</sect2>
|
|
</sect1>
|