From 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Thu, 8 Sep 2022 11:11:30 +0200
Subject: [PATCH 01/19] Bound the amount of work performed for delegations

Limit the amount of database lookups that can be triggered in fctx_getaddresses() (i.e. when determining the name server addresses to query next) by setting a hard limit on the number of NS RRs processed for any delegation encountered. Without any limit in place, named can be forced to perform large amounts of database lookups per each query received, which severely impacts resolver performance. The limit used (20) is an arbitrary value that is considered to be big enough for any sane DNS delegation.

---
 lib/dns/resolver.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index e424835f0b..23e5c27d36 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -214,6 +214,17 @@
 */
 #define NS_FAIL_LIMIT 4
 #define NS_RR_LIMIT 5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
+
+STATIC_ASSERT(NS_PROCESSING_LIMIT > NS_RR_LIMIT,
+ "The maximum number of NS RRs processed for each delegation "
+ "(NS_PROCESSING_LIMIT) must be larger than the large delegation "
+ "threshold (NS_RR_LIMIT).");

 /* Hash table for zone counters */
 #ifndef RES_DOMAIN_HASH_BITS
@@ -3536,6 +3547,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 bool need_alternate = false;
 bool all_spilled = true;
 unsigned int no_addresses = 0;
+ unsigned int ns_processed = 0;

 FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);

@@ -3726,6 +3738,11 @@ normal_nses:
 dns_rdata_reset(&rdata);
 dns_rdata_freestruct(&ns);
+
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
+ result = ISC_R_NOMORE;
+ break;
+ }
 }

 if (result != ISC_R_NOMORE) {
 return (result);
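Review bot: The new `break` in the NS loop overwrites `result` with `ISC_R_NOMORE`, so a delegation with more than `NS_PROCESSING_LIMIT` NS records becomes indistinguishable from one that was walked to the end, and the NS RRs past the twentieth are silently never looked up on this pass; which ones are skipped depends on the rdataset's iteration order, which is not visible here. A trace at the break would let operators notice truncated delegations, e.g. `FCTXTRACE("NS_PROCESSING_LIMIT reached, ignoring remaining NS RRs");`, assuming the FCTXTRACE family used at the top of fctx_getaddresses is available at this point. A short why-comment on the assignment, `/* treat the truncated RRset as fully iterated */`, would also explain why `result` is replaced rather than propagated. The body of fctx_getaddresses extends beyond the hunk in both directions.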
From e802beedfc13be160d182635cecf6e01fc514d94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 02/19] Add CHANGES entry for GL #3394 --- CHANGES | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 4c28c97316..a533cbe04f 100644 --- a/CHANGES +++ b/CHANGES @@ -8,7 +8,8 @@ 5958. [placeholder] -5957. [placeholder] +5957. [security] Prevent excessive resource use while processing large + delegations. (CVE-2022-2795) [GL #3394] 5956. [func] Make RRL code treat all QNAMEs that are subject to wildcard processing within a given zone as the same From 672072812cae9a346f6bc40ea5b1a81a5ca010ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 03/19] Add release note for GL #3394 --- doc/notes/notes-current.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index e758ca8966..3411d2448d 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -15,7 +15,14 @@ Notes for BIND 9.19.5 Security Fixes ~~~~~~~~~~~~~~ -- None. +- Previously, there was no limit to the number of database lookups + performed while processing large delegations, which could be abused to + severely impact the performance of :iscman:`named` running as a + recursive resolver. This has been fixed. (CVE-2022-2795) + + ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat + Bremler-Barr & Shani Stajnrod from Reichman University for bringing + this vulnerability to our attention. :gl:`#3394` Known Issues ~~~~~~~~~~~~ From 47e9fa981e56a7a232f3219fe8a40525c79d748b Mon Sep 17 00:00:00 2001 
From: Evan Hunt
Date: Tue, 16 Aug 2022 16:26:02 -0700
Subject: [PATCH 04/19] compression buffer was not reused correctly

when the compression buffer was reused for multiple statistics requests, responses could grow beyond the correct size. this was because the buffer was not cleared before reuse; compressed data was still written to the beginning of the buffer, but then the size of used region was increased by the amount written, rather than set to the amount written. this caused responses to grow larger and larger, potentially reading past the end of the allocated buffer.

---
 lib/isc/httpd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
index e4c7d71699..9e2ea2ea38 100644
--- a/lib/isc/httpd.c
+++ b/lib/isc/httpd.c
@@ -202,6 +202,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
 if (r.base != NULL) {
 isc_mem_put(mctx, r.base, r.length);
 }
+
+ isc_buffer_initnull(buffer);
 }

 isc_result_t
@@ -864,6 +866,7 @@ httpd_compress(isc_httpd_t *httpd) {

 inputlen = isc_buffer_usedlength(&httpd->bodybuffer);
 alloc_compspace(httpd, inputlen);
+ isc_buffer_clear(&httpd->compbuffer);
 isc_buffer_region(&httpd->compbuffer, &r);

 /*
From 430ee6c4271e68a2bbb8163ed0e1d2e37fbe3d5d Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 16 Aug 2022 16:26:02 -0700
Subject: [PATCH 05/19] CHANGES and release notes for CVE-2022-2881 [GL #3493]

---
 CHANGES | 7 ++++++-
 doc/notes/notes-current.rst | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index a533cbe04f..7567fdca1e 100644
--- a/CHANGES
+++ b/CHANGES
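Review bot: `isc_buffer_clear(&httpd->compbuffer)` fixes the used-length accounting only if the compression call that follows is bounded by the region's `length` taken after the clear; that call is outside the hunk, so please confirm that `r.length` is what is passed as the output size rather than a value computed earlier. A why-comment here would spare the next reader a trip to the CVE text: `/* compbuffer is reused across keep-alive requests; reset it so the used region describes only this response */`. In free_buffer, the added `isc_buffer_initnull(buffer)` after `isc_mem_put()` is a good hardening step, since it also removes the dangling `base` pointer that would otherwise survive in the struct.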
@@ -6,7 +6,12 @@ 5959. [placeholder] -5958. [placeholder] +5958. [security] When an HTTP connection was reused to get + statistics from the stats channel, and zlib + compression was in use, each successive + response sent larger and larger blocks of memory, + potentially reading past the end of the allocated + buffer. (CVE-2022-2881) [GL #3493] 5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 3411d2448d..b6663798cb 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,6 +24,11 @@ Security Fixes Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. :gl:`#3394` +- When an HTTP connection was reused to request statistics from the + stats channel, the content length of successive responses could grow + in size past the end of the allocated buffer. This has been fixed. + (CVE-2022-2881) :gl:`#3493` + Known Issues ~~~~~~~~~~~~ From 73d6bbff4e1df583810126fe58eac39bb52bc0d9 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Thu, 18 Aug 2022 08:59:09 +0000 Subject: [PATCH 06/19] Fix memory leaks in DH code When used with OpenSSL v3.0.0+, the `openssldh_compare()`, `openssldh_paramcompare()`, and `openssldh_todns()` functions fail to cleanup the used memory on some error paths. Use `DST_RET` instead of `return`, when there is memory to be released before returning from the functions. --- lib/dns/openssldh_link.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index e76cfbe310..f063160148 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c 
@@ -165,6 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,

 static bool
 openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ bool ret = true;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 DH *dh1, *dh2;
 const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
@@ -214,18 +215,17 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
 BN_cmp(pub_key1, pub_key2) != 0) {
- return (false);
+ DST_RET(false);
 }

 if (priv_key1 != NULL || priv_key2 != NULL) {
- if (priv_key1 == NULL || priv_key2 == NULL) {
- return (false);
- }
- if (BN_cmp(priv_key1, priv_key2) != 0) {
- return (false);
+ if (priv_key1 == NULL || priv_key2 == NULL ||
+ BN_cmp(priv_key1, priv_key2) != 0) {
+ DST_RET(false);
 }
 }

+err:
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 if (p1 != NULL) {
 BN_free(p1);
@@ -253,11 +253,12 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

- return (true);
+ return (ret);
 }

 static bool
 openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ bool ret = true;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 DH *dh1, *dh2;
 const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
@@ -295,9 +296,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */

 if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
- return (false);
+ DST_RET(false);
 }

+err:
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 if (p1 != NULL) {
 BN_free(p1);
@@ -313,7 +315,7 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

- return (true);
+ return (ret);
 }

 #if OPENSSL_VERSION_NUMBER < 0x30000000L
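Review bot: The new `err:` labels only cover the comparison failures; the OpenSSL 3 code between the hunks that produces `p1`, `g1`, `pub_key1`, `priv_key1` and their `key2` counterparts is not shown, and if any of its failure paths still `return (false)` after one of those BIGNUMs has been allocated, it leaks in exactly the same way and should become `DST_RET(false)` too. Because `ret` is declared before the `#if` blocks, the pre-3.0 build also jumps to `err:` with nothing to free, which is correct but reads oddly; a comment at the label such as `/* nothing to free before OpenSSL 3; the BIGNUMs below are copies we own */` — assuming that is indeed how the 3.0 path obtains them — would make the asymmetry intentional. Both functions begin and end outside the hunks.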
@@ -672,6 +674,7 @@ uint16_fromregion(isc_region_t *region) {

 static isc_result_t
 openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ isc_result_t ret = ISC_R_SUCCESS;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 DH *dh;
 const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
@@ -713,7 +716,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 publen = BN_num_bytes(pub_key);
 dnslen = plen + glen + publen + 6;
 if (r.length < (unsigned int)dnslen) {
- return (ISC_R_NOSPACE);
+ DST_RET(ISC_R_NOSPACE);
 }

 uint16_toregion(plen, &r);
@@ -742,6 +745,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {

 isc_buffer_add(data, dnslen);

+err:
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 if (p != NULL) {
 BN_free(p);
@@ -754,7 +758,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 }
 #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

- return (ISC_R_SUCCESS);
+ return (ret);
 }

 static isc_result_t
From 5b5f2353d4fbe94d699f9f43e94586d35504b7e8 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Thu, 18 Aug 2022 09:20:21 +0000
Subject: [PATCH 07/19] Add CHANGES note for [GL #3491]

---
 CHANGES | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 7567fdca1e..16fe2b9067 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,10 @@

 5960. [placeholder]

-5959. [placeholder]
+5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0
+ and later versions. The openssldh_compare(),
+ openssldh_paramcompare(), and openssldh_todns()
+ functions were affected. (CVE-2022-2906) [GL #3491]

 5958. [security] When an HTTP connection was reused to get
 statistics from the stats channel, and zlib
From 113e949b34909d7b0edd7089a09284ec4b13ce1a Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Thu, 18 Aug 2022 09:28:03 +0000
Subject: [PATCH 08/19] Add release note for [GL #3491]

---
 doc/notes/notes-current.rst | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index b6663798cb..8fccc24c1e 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -29,6 +29,10 @@ Security Fixes in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) :gl:`#3493` +- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that + could be externally triggered, when using TKEY records in DH mode with + OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` + Known Issues ~~~~~~~~~~~~ From d939d2ecde5639d11acd6eac33a997b3e3c78b02 Mon Sep 17 00:00:00 2001 
From: Matthijs Mekking
Date: Fri, 2 Sep 2022 16:50:39 +0200
Subject: [PATCH 09/19] Only refresh RRset once

Don't attempt to resolve DNS responses for intermediate results. This may create multiple refreshes and can cause a crash. One scenario is where for the query there is a CNAME and canonical answer in cache that are both stale. This will trigger a refresh of the RRsets because we encountered stale data and we prioritized it over the lookup. It will trigger a refresh of both RRsets. When we start recursing, it will detect a recursion loop because the recursion parameters will eventually be the same. In 'dns_resolver_destroyfetch' the sanity check fails, one of the callers did not get its event back before trying to destroy the fetch. Move the call to 'query_refresh_rrset' to 'ns_query_done', so that it is only called once per client request. Another scenario is where for the query there is a stale CNAME in the cache that points to a record that is also in cache but not stale. This will trigger a refresh of the RRset (because we encountered stale data and we prioritized it over the lookup). We mark RRsets that we add to the message with DNS_RDATASETATTR_STALE_ADDED to prevent adding a duplicate RRset when a stale lookup and a normal lookup conflict with each other. However, the other non-stale RRset when following a CNAME chain will be added to the message without setting that attribute, because it is not stale. This is a variant of the bug in #2594. The fix covered the same crash but for stale-answer-client-timeout > 0. Fix this by clearing all RRsets from the message before refreshing. This requires the refresh to happen after the query is send back to the client.

---
 lib/ns/include/ns/query.h | 1 +
 lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
 2 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
index 843de665ea..c1c7b5e430 100644
--- a/lib/ns/include/ns/query.h
+++ b/lib/ns/include/ns/query.h
@@ -203,6 +203,7 @@ struct query_ctx {
 bool authoritative; /* authoritative query? */
 bool want_restart; /* CNAME chain or other
 * restart needed */
+ bool refresh_rrset; /* stale RRset refresh needed */
 bool need_wildcardproof; /* wildcard proof needed */
 bool nxrewrite; /* negative answer from RPZ */
 bool findcoveringnsec; /* lookup covering NSEC */
diff --git a/lib/ns/query.c b/lib/ns/query.c
index beeae0e653..dd2d2f2e0a 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5780,7 +5780,6 @@ query_lookup(query_ctx_t *qctx) {
 bool dbfind_stale = false;
 bool stale_timeout = false;
 bool stale_found = false;
- bool refresh_rrset = false;
 bool stale_refresh_window = false;
 uint16_t ede = 0;

@@ -5980,8 +5979,7 @@ query_lookup(query_ctx_t *qctx) {
 "%s stale answer used, an attempt to "
 "refresh the RRset will still be made",
 namebuf);
- refresh_rrset = STALE(qctx->rdataset);
- qctx->client->nodetach = refresh_rrset;
+ qctx->refresh_rrset = STALE(qctx->rdataset);
 ns_client_extendederror(
 qctx->client, ede,
 "stale data prioritized over lookup");
@@ -6025,17 +6023,6 @@ query_lookup(query_ctx_t *qctx) {

 result = query_gotanswer(qctx, result);

- if (refresh_rrset) {
- /*
- * If we reached this point then it means that we have found a
- * stale RRset entry in cache and BIND is configured to allow
- * queries to be answered with stale data if no active RRset
- * is available, i.e. "stale-anwer-client-timeout 0". But, we
- * still need to refresh the RRset.
- */
- query_refresh_rrset(qctx);
- }
-
 cleanup:
 return (result);
 }
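Review bot: Turning `refresh_rrset` from a local into a `query_ctx` field means it must be cleared when the context is initialized and again whenever the same context is reused for a restart (`want_restart`, CNAME chains); neither site is in these hunks, so please confirm that the initializer and the restart path zero it, otherwise a flag set on an earlier iteration would drive the `ns_query_done` decision for a later answer. The header comment could name the producer and consumer so the coupling is visible where the field is declared: `/* stale RRset refresh needed; set in query_lookup(), acted on in ns_query_done() */`. query_lookup starts and ends outside the hunks.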
@@ -7987,11 +7974,14 @@ query_addanswer(query_ctx_t *qctx) {

 /*
 * On normal lookups, clear any rdatasets that were added on a
- * lookup due to stale-answer-client-timeout.
+ * lookup due to stale-answer-client-timeout. Do not clear if we
+ * are going to refresh the RRset, because the stale contents are
+ * prioritized.
 */
 if (QUERY_STALEOK(&qctx->client->query) &&
- !QUERY_STALETIMEOUT(&qctx->client->query))
+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
 {
+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
 query_clear_stale(qctx->client);
 /*
 * We can clear the attribute to prevent redundant clearing
@@ -11523,9 +11513,29 @@ ns_query_done(query_ctx_t *qctx) {
 /*
 * Client may have been detached after query_send(), so
 * we test and store the flag state here, for safety.
+ * If we are refreshing the RRSet, we must not detach from the client
+ * in the query_send(), so we need to override the flag.
 */
+ if (qctx->refresh_rrset) {
+ qctx->client->nodetach = true;
+ }
 nodetach = qctx->client->nodetach;
 query_send(qctx->client);
+
+ if (qctx->refresh_rrset) {
+ /*
+ * If we reached this point then it means that we have found a
+ * stale RRset entry in cache and BIND is configured to allow
+ * queries to be answered with stale data if no active RRset
+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
+ * still need to refresh the RRset. To prevent adding duplicate
+ * RRsets, clear the RRsets from the message before doing the
+ * refresh.
+ */
+ message_clearrdataset(qctx->client->message, 0);
+ query_refresh_rrset(qctx);
+ }
+
 if (!nodetach) {
 qctx->detach_client = true;
 }
From e3949029657e18e3bef5ec6d1a381d4c37b016b0 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 5 Sep 2022 11:32:59 +0200
Subject: [PATCH 10/19] Add CHANGES entry for 3517

---
 CHANGES | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 16fe2b9067..fef42b10bd 100644
--- a/CHANGES
+++ b/CHANGES
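Review bot: The comment block added in ns_query_done carries over the misspelled option name `"stale-anwer-client-timeout 0"` from the removed code; people grep for option names, so the line should read `* is available, i.e. "stale-answer-client-timeout 0". But, we`. Forcing `qctx->client->nodetach = true` keeps the client alive past `query_send()` on the expectation that the refresh fetch eventually detaches it; that completion path is not in the hunk, so naming where the detach happens in the same comment would let a reader judge the leak risk. The bare `0` passed to `message_clearrdataset(qctx->client->message, 0)` deserves either a named constant or a short comment saying which attribute mask it selects. ns_query_done continues outside the hunk.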
@@ -2,7 +2,10 @@ 5961. [placeholder] -5960. [placeholder] +5960. [security] Fix serve-stale crash that could happen when + stale-answer-client-timeout was set to 0 and there was + a stale CNAME in the cache for an incoming query. + (CVE-2022-3080) [GL #3517] 5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0 and later versions. The openssldh_compare(), From 97c6c3712eeb9e8d6463749a1f70350e68b7b1b3 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 5 Sep 2022 11:34:57 +0200 Subject: [PATCH 11/19] Add release notes for #3517 --- doc/notes/notes-current.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 8fccc24c1e..33bbe976b6 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -33,6 +33,12 @@ Security Fixes could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` +- :iscman:`named` running as a resolver with the + :any:`stale-answer-client-timeout` option set to ``0`` could crash + with an assertion failure, when there was a stale CNAME in the cache + for the incoming query. This has been fixed. (CVE-2022-3080) + :gl:`#3517` + Known Issues ~~~~~~~~~~~~ From 6ddb480a84836641a0711768a94122972c166825 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 11 Aug 2022 15:28:13 +1000 Subject: [PATCH 12/19] Free ctx on invalid siglen --- lib/dns/openssleddsa_link.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index 2f599647da..fa8d51b1ef 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c 
@@ -234,11 +234,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 }
 #endif /* if HAVE_OPENSSL_ED448 */
 if (siglen == 0) {
- return (ISC_R_NOTIMPLEMENTED);
+ DST_RET(ISC_R_NOTIMPLEMENTED);
 }

 if (sig->length != siglen) {
- return (DST_R_VERIFYFAILURE);
+ DST_RET(DST_R_VERIFYFAILURE);
 }

 isc_buffer_usedregion(buf, &tbsreg);
From b3277f2e10ad9309818d461ed851d0ee77e49712 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 12 Aug 2022 10:31:59 +1000
Subject: [PATCH 13/19] Add CHANGES note for [GL #3487]

---
 CHANGES | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index fef42b10bd..e094797b28 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,5 @@
-5962. [placeholder]
+5962. [security] Fix memory leak in EdDSA verify processing.
+ (CVE-2022-38178) [GL #3487]

 5961. [placeholder]

From e6cb1de20b5edea502918a2b6ea41444e7d2e170 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 12 Aug 2022 10:33:04 +1000
Subject: [PATCH 14/19] Add release note for [GL #3487]

---
 doc/notes/notes-current.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 33bbe976b6..802c344967 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -39,6 +39,10 @@ Security Fixes
 for the incoming query. This has been fixed. (CVE-2022-3080)
 :gl:`#3517`

+- Memory leaks were fixed that could be externally triggered in the
+ DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ :gl:`#3487`
+
 Known Issues
 ~~~~~~~~~~~~
From 849563797eb04982bfd6cdcc3792762dd8799535 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Thu, 8 Sep 2022 12:45:56 +0200
Subject: [PATCH 15/19] Prepare release notes for BIND 9.19.5

---
 doc/arm/notes.rst | 2 +-
 doc/notes/{notes-current.rst => notes-9.19.5.rst} | 10 ----------
 2 files changed, 1 insertion(+), 11 deletions(-)
 rename doc/notes/{notes-current.rst => notes-9.19.5.rst} (97%)
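Review bot: Both new `DST_RET` calls jump to an `err:` label that lies outside the hunk, so a reader of this change cannot see what it releases; a comment on the first one — `/* ctx must be freed on these paths too: sig->length comes off the wire */` — would tie the cleanup to the reason it matters. Of the two, `sig->length != siglen` is the remotely reachable case, since RRSIG RDATA is attacker-controlled, so a unit test feeding a wrong-length signature through openssleddsa_verify under ASan's leak checker would pin this fix against regression. The rest of openssleddsa_verify is outside the hunk.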
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index c29c9f5552..cba7ae0058 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -36,7 +36,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.5.rst .. include:: ../notes/notes-9.19.4.rst .. include:: ../notes/notes-9.19.3.rst .. include:: ../notes/notes-9.19.2.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.19.5.rst similarity index 97% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.19.5.rst index 802c344967..855503a29d 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.19.5.rst @@ -43,11 +43,6 @@ Security Fixes DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) :gl:`#3487` -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ @@ -55,11 +50,6 @@ New Features significantly changing the architecture of the task, timer and networking systems for improved performance and code flow. :gl:`#3508` -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ From ef5e0641c32a0bd5e75111000860569015015492 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 12:45:56 +0200 Subject: [PATCH 16/19] Tweak and reword release notes --- doc/notes/notes-9.19.5.rst | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/doc/notes/notes-9.19.5.rst b/doc/notes/notes-9.19.5.rst index 855503a29d..4410801ec5 100644 --- a/doc/notes/notes-9.19.5.rst +++ b/doc/notes/notes-9.19.5.rst 
@@ -46,9 +46,10 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Worker threads' event loops are now managed by a new "loop maanger" API, - significantly changing the architecture of the task, timer and networking - systems for improved performance and code flow. :gl:`#3508` +- Worker threads' event loops are now managed by a new "loop manager" + API, significantly changing the architecture of the task, timer, and + networking subsystems for improved performance and code flow. + :gl:`#3508` Feature Changes ~~~~~~~~~~~~~~~ 
@@ -57,23 +58,24 @@ Feature Changes subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. :gl:`#3459` -- Zones using ``dnssec-policy`` now require dynamic DNS or - ``inline-signing`` to be configured explicitly :gl:`#3381`. +- Zones using :any:`dnssec-policy` now require dynamic DNS or + :any:`inline-signing` to be configured explicitly. :gl:`#3381` -- When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY - algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail - to sign the zone, but keep using NSEC for a little longer until the offending - DNSKEY records have been removed from the zone, then switch to using NSEC3. - :gl:`#3486` +- When reconfiguring :any:`dnssec-policy` from using NSEC with an + NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, + BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC + until the offending DNSKEY records have been removed from the zone, + then switches to using NSEC3. :gl:`#3486` -- Implement a backwards compatible approach for encoding the internationalized - domain names (IDN) in dig, and convert the domain to IDNA2008 form, and if - that fails try the IDNA2003 conversion. :gl:`#3485` +- A backward-compatible approach was implemented for encoding + internationalized domain names (IDN) in :iscman:`dig` and converting + the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 + conversion. :gl:`#3485` Bug Fixes ~~~~~~~~~ -- Fix a serve-stale bug, where BIND would try to return stale data from cache - for lookups that received duplicate queries or queries that would be dropped. - This bug resulted in premature SERVFAIL responses, and has now been resolved. - :gl:`#2982` +- A serve-stale bug was fixed, where BIND would try to return stale data + from cache for lookups that received duplicate queries or queries that + would be dropped. 
This bug resulted in premature SERVFAIL responses, + and has now been resolved. :gl:`#2982` From 41fdb42e9ca0f5fcd1d53a96abdfd37f82b71aba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 12:45:56 +0200 Subject: [PATCH 17/19] Add release note for GL #3410 --- doc/notes/notes-9.19.5.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-9.19.5.rst b/doc/notes/notes-9.19.5.rst index 4410801ec5..b9a539b555 100644 --- a/doc/notes/notes-9.19.5.rst +++ b/doc/notes/notes-9.19.5.rst @@ -46,6 +46,11 @@ Security Fixes New Features ~~~~~~~~~~~~ +- A new Response Policy Zone (RPZ) :ref:`option`, ``ede``, was + added. It enables an :rfc:`8914` Extended DNS Error (EDE) code of + choice to be set for responses which have been modified by a given + RPZ. :gl:`#3410` + - Worker threads' event loops are now managed by a new "loop manager" API, significantly changing the architecture of the task, timer, and networking subsystems for improved performance and code flow. From e46709eb07a2eff1dd5d4c4893090a2c6688a639 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 14:00:21 +0200 Subject: [PATCH 18/19] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index e094797b28..5a101aaa5b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.19.5 released --- + 5962. [security] Fix memory leak in EdDSA verify processing. (CVE-2022-38178) [GL #3487] From 5b2fed25f4f7d2c08b38c4d94193715cdbb2e038 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 14:00:21 +0200 Subject: [PATCH 19/19] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index b99be9adfc..6a4530972e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -17,7 +17,7 @@
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 19)dnl
 m4_define([bind_VERSION_PATCH], 5)dnl
-m4_define([bind_VERSION_EXTRA], -dev)dnl
+m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
 m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl