From 1a008b282ab1d4265609fdce24cbcd992ce43f66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 13 Mar 2026 21:33:25 +0100 Subject: [PATCH] Tweak and reword release notes --- doc/notes/notes-9.20.21.rst | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/doc/notes/notes-9.20.21.rst b/doc/notes/notes-9.20.21.rst index 1ba9a82197..fe8dcb8fe4 100644 --- a/doc/notes/notes-9.20.21.rst +++ b/doc/notes/notes-9.20.21.rst @@ -15,8 +15,8 @@ Notes for BIND 9.20.21 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2026-1519] Fix unbounded NSEC3 iterations when validating - referrals to unsigned delegations. +- Fix unbounded NSEC3 iterations when validating referrals to unsigned + delegations. :cve:`2026-1519` DNSSEC-signed zones may contain high iteration-count NSEC3 records, which prove that certain delegations are insecure. Previously, a @@ -29,8 +29,8 @@ Security Fixes ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention. :gl:`#5708` -- [CVE-2026-3104] Fix memory leaks in code preparing DNSSEC proofs of - non-existence. +- Fix memory leaks in code preparing DNSSEC proofs of non-existence. + :cve:`2026-3104` An attacker controlling a DNSSEC-signed zone could trigger a memory leak in the logic preparing DNSSEC proofs of non-existence, by @@ -40,8 +40,8 @@ Security Fixes ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. :gl:`#5742` -- [CVE-2026-3119] Prevent a crash in code processing queries containing - a TKEY record. +- Prevent a crash in code processing queries containing a TKEY record. + :cve:`2026-3119` The :iscman:`named` process could terminate unexpectedly when processing a correctly signed query containing a TKEY record. This has 
@@ -50,8 +50,8 @@ Security Fixes ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. :gl:`#5748` -- [CVE-2026-3591] Fix a stack use-after-return flaw in SIG(0) handling - code. +- Fix a stack use-after-return flaw in SIG(0) handling code. + :cve:`2026-3591` A stack use-after-return flaw in SIG(0) handling code could enable ACL bypass and/or assertion failures in certain circumstances. This flaw @@ -63,15 +63,13 @@ Security Fixes Bug Fixes ~~~~~~~~~ -- Resolve "key defined in view is not found" +- Fix the handling of :namedconf:ref:`key` statements defined inside + views. - Commit `2956e4fc` hardened the `key` name check when used in - `primaries` to reject the configuration if the key was not defined, - rather than simply checking whether the key name was correctly formed. - - However, the key name check didn't include the view configuration, - causing keys not to be recognized if they were defined inside the view - and not at the global level. This regression is now fixed. + A recent change introduced in BIND 9.20.17 hardened the + :namedconf:ref:`key` name check when used in :any:`primaries`, to + immediately reject the configuration if the key was not defined + (rather than only checking whether the key name was correctly formed). + However, that change introduced a regression that prevented the use of + a :namedconf:ref:`key` defined in a view. This has now been fixed. :gl:`#5761` - -
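Review bot: The four Security Fixes hunks (-15,8, -29,8, -40,8 and -50,8) no longer spell out the full "CVE-" identifier anywhere in the source. The leading "[CVE-2026-1519]" tag becomes a trailing :cve:`2026-1519` role placed after the sentence-ending full stop, and the same happens for 2026-3104, 2026-3119 and 2026-3591. Please confirm that the rendered notes still show the complete "CVE-2026-..." string, since operators search release notes for that exact text. The commit message "Tweak and reword release notes" has no body; one line stating that the CVE tags were converted to the :cve: role would make the format change easy to find later.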
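Review bot: The rewritten paragraph in the Bug Fixes hunk (-63,15) drops the cause of the regression. The removed text said that the key name check "didn't include the view configuration", while the new text only says the change "introduced a regression that prevented the use of a :namedconf:ref:`key` defined in a view". Consider keeping one clause on why view-level keys were rejected, so that an operator who hit the "key defined in view is not found" failure can recognise it from the note. Two style points in the same paragraph: "introduced" is used in consecutive sentences ("A recent change introduced in BIND 9.20.17" and "that change introduced a regression"), and key uses :namedconf:ref: while primaries uses :any:, so it is worth checking that both roles resolve as intended.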