diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst index 3a675dcdce..cf5a2ea8e1 100644 --- a/doc/notes/notes-9.18.19.rst +++ b/doc/notes/notes-9.18.19.rst @@ -35,49 +35,58 @@ Security Fixes Removed Features ~~~~~~~~~~~~~~~~ -- The :any:`dnssec-must-be-secure` option has been deprecated and will be - removed in a future release. :gl:`#4263` +- The :any:`dnssec-must-be-secure` option has been deprecated and will + be removed in a future release. :gl:`#4263` Feature Changes ~~~~~~~~~~~~~~~ -- Make :iscman:`nsupdate` honor the ``-v`` option. If set, and the server is - specified, SOA queries are now send over TCP as well. :gl:`#1181` +- If the ``server`` command is specified, :iscman:`nsupdate` now honors + the :option:`nsupdate -v` option for SOA queries by sending both the + UPDATE request and the initial query over TCP. :gl:`#1181` Bug Fixes ~~~~~~~~~ -- The value of If-Modified-Since header in statistics channel was not checked - for length leading to possible buffer overflow by an authorized user. We - would like to emphasize that statistics channel must be properly setup to - allow access only from authorized users of the system. :gl:`#4124` +- The value of the If-Modified-Since header in the statistics channel + was not being correctly validated for its length, potentially allowing + an authorized user to trigger a buffer overflow. Ensuring the + statistics channel is configured correctly to grant access exclusively + to authorized users is essential (see the :any:`statistics-channels` + block definition and usage section). :gl:`#4124` - This issue was reported independently by Eric Sesterhenn of X41 D-SEC and - Cameron Whitehead. + This issue was reported independently by Eric Sesterhenn of X41 D-Sec + GmbH and Cameron Whitehead. -- The value of Content-Length header in statistics channel was not - bound checked and negative or large enough value could lead to - overflow and assertion failure. :gl:`#4125` +- The Content-Length header in the statistics channel was lacking proper + bounds checking. A negative or excessively large value could + potentially trigger an integer overflow and result in an assertion + failure. :gl:`#4125` - This issue was reported by Eric Sesterhenn of X41 D-SEC. + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. -- Address memory leaks due to not clearing OpenSSL error stack. :gl:`#4159` +- Several memory leaks caused by not clearing the OpenSSL error stack + were fixed. :gl:`#4159` - This issue was reported by Eric Sesterhenn of X41 D-SEC. + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. -- Following the introduction of krb5-subdomain-self-rhs and - ms-subdomain-self-rhs update rules, removal of nonexistent PTR - and SRV records via UPDATE could fail. This has been fixed. :gl:`#4280` +- The introduction of ``krb5-subdomain-self-rhs`` and + ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused + :iscman:`named` to return SERVFAIL responses to deletion requests for + non-existent PTR and SRV records. This has been fixed. :gl:`#4280` -- The value of :any:`stale-refresh-time` was set to zero after ``rndc flush``. - This has been fixed. :gl:`#4278` +- The :any:`stale-refresh-time` feature was mistakenly disabled when the + server cache was flushed by :option:`rndc flush`. This has been fixed. + :gl:`#4278` -- BIND could consume more memory than it needs. That has been fixed by - using specialised jemalloc memory arenas dedicated to sending buffers. It - allowed us to optimize the process of returning memory pages back to - the operating system. :gl:`#4038` +- BIND's memory consumption has been improved by implementing dedicated + jemalloc memory arenas for sending buffers. This optimization ensures + that memory usage is more efficient and better manages the return of + memory pages to the operating system. :gl:`#4038` -- Prevent DNS message corruption on long DNS over TLS streams. :gl:`#4255` +- Previously, partial writes in the TLS DNS code were not accounted for + correctly, which could have led to DNS message corruption. This has + been fixed. :gl:`#4255` Known Issues ~~~~~~~~~~~~