upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 09:52:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

[v9_11] release notes

Browse source
This commit is contained in:
Evan Hunt 2016-12-28 19:44:48 -08:00
parent 7fa388dac3
commit ac424b61bb
1 changed files with 35 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
doc/arm/notes.xml
View file

@ -66,25 +66,51 @@
<itemizedlist>
<listitem>
<para>
Added the ability to specify the maximum number of records
permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk
with slave zones transferred from other parties, as described
in CVE-2016-6170. [RT #42143]
A coding error in the <option>nxdomain-redirect</option>
feature could lead to an assertion failure if the redirection
namespace was served from a local authoritative data source
such as a local zone or a DLZ instead of via recursive
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could mishandle authority sections
with missing RRSIGs, triggering an assertion failure. This
flaw is disclosed in CVE-2016-9444. [RT #43632]
</para>
</listitem>
<listitem>
<para>
<command>named</command> mishandled some responses where
covering RRSIG records were returned without the requested
data, resulting in an assertion failure. This flaw is
disclosed in CVE-2016-9147. [RT #43548]
</para>
</listitem>
<listitem>
<para>
<command>named</command> incorrectly tried to cache TKEY
records which could trigger an assertion failure when there was
a class mismatch. This flaw is disclosed in CVE-2016-9131.
[RT #43522]
</para>
</listitem>
<listitem>
<para>
It was possible to trigger assertions when processing
responses containing an answer of type DNAME. This flaw is
responses containing answers of type DNAME. This flaw is
disclosed in CVE-2016-8864. [RT #43465]
</para>
</listitem>
<listitem>
<para>
Named incorrectly tried to cache TKEY records which could
trigger a assertion failure when there was a class mismatch.
This flaw is disclosed in CVE-2016-9131. [RT #43522]
Added the ability to specify the maximum number of records
permitted in a zone (<option>max-records #;</option>).
This provides a mechanism to block overly large zone
transfers, which is a potential risk with slave zones from
other parties, as described in CVE-2016-6170.
[RT #42143]
</para>
</listitem>
</itemizedlist>