From 113f64d31b298b0b0500105bf8e8a01db2f7aaa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Sat, 18 Oct 2025 09:50:45 +0200 Subject: [PATCH] Prepare changelog for BIND 9.18.41 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.18.40.rst | 136 +------------------------ doc/changelog/changelog-9.18.41.rst | 148 ++++++++++++++++++++++++++++ 3 files changed, 152 insertions(+), 133 deletions(-) create mode 100644 doc/changelog/changelog-9.18.41.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index c30a357f22..32239a5889 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.41.rst .. include:: ../changelog/changelog-9.18.40.rst .. include:: ../changelog/changelog-9.18.39.rst .. include:: ../changelog/changelog-9.18.38.rst diff --git a/doc/changelog/changelog-9.18.40.rst b/doc/changelog/changelog-9.18.40.rst index a83eaf5691..4a8d883a9c 100644 --- a/doc/changelog/changelog-9.18.40.rst +++ b/doc/changelog/changelog-9.18.40.rst 
@@ -12,137 +12,7 @@ BIND 9.18.40 ------------ -Security Fixes -~~~~~~~~~~~~~~ - -- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY - is found. ``85d08e06831`` - - Previously, if a matching but cryptographically invalid key was - encountered during DNSSEC validation, the key was skipped and not - counted towards validation failures. :iscman:`named` now treats such - DNSSEC keys as hard failures and the DNSSEC validation fails - immediately, instead of continuing with the next DNSKEYs in the RRset. - - ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One - Security and Privacy Laboratory at Nankai University for bringing this - vulnerability to our attention. :gl:`#5343` - -- [CVE-2025-40778] Address various spoofing attacks. ``4c99ba5a462`` - - Previously, several issues could be exploited to poison a DNS cache - with spoofed records for zones which were not DNSSEC-signed or if the - resolver was configured to not do DNSSEC validation. These issues were - assigned CVE-2025-40778 and have now been fixed. - - As an additional layer of protection, :iscman:`named` no longer - accepts DNAME records or extraneous NS records in the AUTHORITY - section unless these are received via spoofing-resistant transport - (TCP, UDP with DNS cookies, TSIG, or SIG(0)). - - ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin - Duan from Tsinghua University for bringing this vulnerability to our - attention. :gl:`#5414` - -- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number - generator. ``f74fb05265b`` - - It was discovered during research for an upcoming academic paper that - a xoshiro128\*\* internal state can be recovered by an external 3rd - party, allowing the prediction of UDP ports and DNS IDs in outgoing - queries. This could lead to an attacker spoofing the DNS answers with - great efficiency and poisoning the DNS cache. 
- - The internal random generator has been changed to a cryptographically - secure pseudo-random generator. - - ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from - Hebrew University of Jerusalem for bringing this vulnerability to our - attention. :gl:`#5484` - -New Features -~~~~~~~~~~~~ - -- Support for parsing HHIT and BRID records has been added. - ``d7d4e94d085`` - - :gl:`#5444` :gl:`!10933` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Deprecate the "tkey-domain" statement. ``e28c95c1160`` - - Mark the :any:`tkey-domain` statement as deprecated since it is only - used by code implementing TKEY Mode 2 (Diffie-Hellman), which was - removed from newer BIND 9 branches. :gl:`#4204` :gl:`!10783` - -- Deprecate the "tkey-gssapi-credential" statement. ``2705307f818`` - - The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up - in a simpler and more reliable way than using the - :any:`tkey-gssapi-credential` statement and setting environment - variables (e.g. ``KRB5_KTNAME``). Therefore, the - :any:`tkey-gssapi-credential` statement has been deprecated; - :any:`tkey-gssapi-keytab` should be used instead. - - For configurations currently using a combination of both - :any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the - latter should be dropped and the keytab pointed to by - :any:`tkey-gssapi-keytab` should now only contain the credential - previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204` - :gl:`!10925` - -Feature Changes -~~~~~~~~~~~~~~~ - -- Update clang-format style with options added in newer versions. - ``1bc0f245c79`` - - Add and apply InsertBraces statement to add missing curly braces - around one-line statements and use - ControlStatementsExceptControlMacros for SpaceBeforeParens to remove - space between foreach macro and the brace, e.g. `FOREACH (x) {` - becomes `FOREACH(x) {`. :gl:`!10865` - -Bug Fixes -~~~~~~~~~ - -- Prevent spurious SERVFAILs for certain 0-TTL resource records. 
- ``f5a6a8be45f`` - - Under certain circumstances, BIND 9 can return SERVFAIL when updating - existing entries in the cache with new NS, A, AAAA, or DS records with - 0-TTL. :gl:`#5294` :gl:`!10899` - -- Use DNS_RDATACOMMON_INIT to hide branch differences. ``aef4682e4aa`` - - Initialization of the common members of rdata type structures varies - across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` - macro for all types, so that new types are more likely to use it, and - hence backport more cleanly. :gl:`#5467` :gl:`!10833` - -- RPZ canonical warning displays zone entry incorrectly. ``3e787e98930`` - - When an IPv6 rpz prefix entry is entered incorrectly the log message - was just displaying the prefix rather than the full entry. This has - been corrected. :gl:`#5491` :gl:`!10931` - -- Missing DNSSEC information when CD bit is set in query. - ``990586f0496`` - - The RRSIGs for glue records were not being cached correctly for CD=1 - queries. This has been fixed. :gl:`#5502` :gl:`!10957` - -- Add and use __attribute__((nonnull)) in dnssec-signzone.c. - ``48c30cfcd08`` - - Clang 20 was spuriously warning about the possibility of passing a - NULL file pointer to `fprintf()`, which uses the 'nonnull' attribute. - To silence the warning, the functions calling `fprintf()` have been - marked with the same attribute to assure that NULL can't be passed to - them in the first place. - - Close #5487 :gl:`!10914` - +.. note:: + The BIND 9.18.40 release was withdrawn after the discovery of a + regression in a security fix in it during pre-release testing. diff --git a/doc/changelog/changelog-9.18.41.rst b/doc/changelog/changelog-9.18.41.rst new file mode 100644 index 0000000000..3404e52958 --- /dev/null +++ b/doc/changelog/changelog-9.18.41.rst 
@@ -0,0 +1,148 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.41 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY + is found. ``85d08e06831`` + + Previously, if a matching but cryptographically invalid key was + encountered during DNSSEC validation, the key was skipped and not + counted towards validation failures. :iscman:`named` now treats such + DNSSEC keys as hard failures and the DNSSEC validation fails + immediately, instead of continuing with the next DNSKEYs in the RRset. + + ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One + Security and Privacy Laboratory at Nankai University for bringing this + vulnerability to our attention. :gl:`#5343` + +- [CVE-2025-40778] Address various spoofing attacks. ``4c99ba5a462`` + + Previously, several issues could be exploited to poison a DNS cache + with spoofed records for zones which were not DNSSEC-signed or if the + resolver was configured to not do DNSSEC validation. These issues were + assigned CVE-2025-40778 and have now been fixed. + + As an additional layer of protection, :iscman:`named` no longer + accepts DNAME records or extraneous NS records in the AUTHORITY + section unless these are received via spoofing-resistant transport + (TCP, UDP with DNS cookies, TSIG, or SIG(0)). + + ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin + Duan from Tsinghua University for bringing this vulnerability to our + attention. :gl:`#5414` + +- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number + generator. 
``f74fb05265b`` + + It was discovered during research for an upcoming academic paper that + a xoshiro128\*\* internal state can be recovered by an external 3rd + party, allowing the prediction of UDP ports and DNS IDs in outgoing + queries. This could lead to an attacker spoofing the DNS answers with + great efficiency and poisoning the DNS cache. + + The internal random generator has been changed to a cryptographically + secure pseudo-random generator. + + ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from + Hebrew University of Jerusalem for bringing this vulnerability to our + attention. :gl:`#5484` + +New Features +~~~~~~~~~~~~ + +- Support for parsing HHIT and BRID records has been added. + ``d7d4e94d085`` + + :gl:`#5444` :gl:`!10933` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Deprecate the "tkey-domain" statement. ``e28c95c1160`` + + Mark the :any:`tkey-domain` statement as deprecated since it is only + used by code implementing TKEY Mode 2 (Diffie-Hellman), which was + removed from newer BIND 9 branches. :gl:`#4204` :gl:`!10783` + +- Deprecate the "tkey-gssapi-credential" statement. ``2705307f818`` + + The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up + in a simpler and more reliable way than using the + :any:`tkey-gssapi-credential` statement and setting environment + variables (e.g. ``KRB5_KTNAME``). Therefore, the + :any:`tkey-gssapi-credential` statement has been deprecated; + :any:`tkey-gssapi-keytab` should be used instead. + + For configurations currently using a combination of both + :any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the + latter should be dropped and the keytab pointed to by + :any:`tkey-gssapi-keytab` should now only contain the credential + previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204` + :gl:`!10925` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Update clang-format style with options added in newer versions. 
+ ``1bc0f245c79`` + + Add and apply InsertBraces statement to add missing curly braces + around one-line statements and use + ControlStatementsExceptControlMacros for SpaceBeforeParens to remove + space between foreach macro and the brace, e.g. `FOREACH (x) {` + becomes `FOREACH(x) {`. :gl:`!10865` + +Bug Fixes +~~~~~~~~~ + +- Prevent spurious SERVFAILs for certain 0-TTL resource records. + ``f5a6a8be45f`` + + Under certain circumstances, BIND 9 can return SERVFAIL when updating + existing entries in the cache with new NS, A, AAAA, or DS records with + 0-TTL. :gl:`#5294` :gl:`!10899` + +- Use DNS_RDATACOMMON_INIT to hide branch differences. ``aef4682e4aa`` + + Initialization of the common members of rdata type structures varies + across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` + macro for all types, so that new types are more likely to use it, and + hence backport more cleanly. :gl:`#5467` :gl:`!10833` + +- RPZ canonical warning displays zone entry incorrectly. ``3e787e98930`` + + When an IPv6 rpz prefix entry is entered incorrectly the log message + was just displaying the prefix rather than the full entry. This has + been corrected. :gl:`#5491` :gl:`!10931` + +- Missing DNSSEC information when CD bit is set in query. + ``990586f0496`` + + The RRSIGs for glue records were not being cached correctly for CD=1 + queries. This has been fixed. :gl:`#5502` :gl:`!10957` + +- Add and use __attribute__((nonnull)) in dnssec-signzone.c. + ``48c30cfcd08`` + + Clang 20 was spuriously warning about the possibility of passing a + NULL file pointer to `fprintf()`, which uses the 'nonnull' attribute. + To silence the warning, the functions calling `fprintf()` have been + marked with the same attribute to assure that NULL can't be passed to + them in the first place. + + Close #5487 :gl:`!10914` + +
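Review bot: in doc/changelog/changelog-9.18.40.rst, the replacement note neither says where the removed entries went nor identifies which security fix regressed, so a reader landing on the 9.18.40 section is left with a heading and no pointer. Since the same entries reappear in changelog-9.18.41.rst, the note should say so, for example: "The BIND 9.18.40 release was withdrawn after a regression in one of its security fixes was discovered during pre-release testing; its changes are listed under BIND 9.18.41." That also removes the awkward "in it during" phrasing.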
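Review bot: in doc/changelog/changelog-9.18.41.rst, the three Security Fixes entries carry the same commit hashes (85d08e06831, 4c99ba5a462, f74fb05265b) that this patch removes from the 9.18.40 changelog, and no entry mentions the regression that the 9.18.40 note gives as the reason for the withdrawal. If the regression was corrected by a follow-up commit, the affected entry should reference it, or a separate entry should be added, so the changelog distinguishes the withdrawn fix from the one that ships. Two smaller points in the same file: the last Bug Fixes entry uses plain "Close #5487" where every other entry uses the :gl: role, and the inline code in the clang-format, DNS_RDATACOMMON_INIT and fprintf() entries uses single backticks, which reStructuredText treats as the default role rather than as a literal.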