diff --git a/CHANGES b/CHANGES index 37f40ec006..935cde2cc3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ + --- 9.14.3 released --- + +5244. [security] Fixed a race condition in dns_dispatch_getnext() + that could cause an assertion failure if a + significant number of incoming packets were + rejected. (CVE-2019-6471) [GL #942] + 5243. [bug] Fix a possible race between dispatcher and socket code in a high-load cold-cache resolver scenario. [GL #943] diff --git a/CONTRIBUTING b/CONTRIBUTING index 003a7c8593..288bcab915 100644 --- a/CONTRIBUTING +++ b/CONTRIBUTING @@ -1,3 +1,5 @@ +CONTRIBUTING + BIND Source Access and Contributor Guidelines Feb 22, 2018 diff --git a/HISTORY b/HISTORY index e56a44d443..90f3558388 100644 --- a/HISTORY +++ b/HISTORY @@ -1,3 +1,5 @@ +HISTORY + Functional enhancements from prior major releases of BIND 9 BIND 9.11 @@ -431,11 +433,11 @@ BIND 9.4.0 * Detect duplicates of UDP queries we are recursing on and drop them. New stats category "duplicates". * "USE INTERNAL MALLOC" is now runtime selectable. - * The lame cache is now done on a basis as some servers only appear to - be lame for certain query types. + * The lame cache is now done on a basis as some + servers only appear to be lame for certain query types. * Limit the number of recursive clients that can be waiting for a single - query () to resolve. New options clients-per-query and - max-clients-per-query. + query () to resolve. New options clients-per-query + and max-clients-per-query. * dig: report the number of extra bytes still left in the packet after processing all the records. * Support for IPSECKEY rdata type. diff --git a/OPTIONS b/OPTIONS index 340b53db67..811cf7c867 100644 --- a/OPTIONS +++ b/OPTIONS 
@@ -1,10 +1,12 @@ +OPTIONS + Setting the STD_CDEFINES environment variable before running configure can be used to enable certain compile-time options that are not explicitly defined in configure. Some of these settings are: -Setting Description + Setting Description Overwrite memory with tag values when allocating -DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but makes debugging of memory problems easier. diff --git a/PLATFORMS b/PLATFORMS index d670b7dad1..a5e3f274eb 100644 --- a/PLATFORMS +++ b/PLATFORMS @@ -1,3 +1,5 @@ +PLATFORMS + Supported platforms In general, this version of BIND will build and run on any POSIX-compliant @@ -64,31 +66,6 @@ These are platforms on which BIND 9.14 is known not to build or run: Platform quirks -ARM - -If the compilation ends with following error: - -Error: selected processor does not support `yield' in ARM mode - -You will need to set -march compiler option to native, so the compiler -recognizes yield assembler instruction. The proper way to set -march= -native would be to put it into CFLAGS, e.g. run ./configure like this: -CFLAGS="-march=native -Os -g" ./configure plus your usual options. - -If that doesn't work, you can enforce the minimum CPU and FPU (taken from -Debian armhf documentation): - - * The lowest worthwhile CPU implementation is Armv7-A, therefore the - recommended build option is -march=armv7-a. - - * FPU should be set at VFPv3-D16 as they represent the minimum - specification of the processors to support here, therefore the - recommended build option is -mfpu=vfpv3-d16. - -The configure command should look like this: - -CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure - NetBSD 6 i386 The i386 build of NetBSD requires the libatomic library, available from diff --git a/README b/README index ef8772dd0f..7796a709a4 100644 --- a/README +++ b/README @@ -1,3 +1,5 @@ +README + BIND 9 Contents 
@@ -152,6 +154,11 @@ BIND 9.14.2 BIND 9.14.2 is a maintenance release. +BIND 9.14.3 + +BIND 9.14.3 is a maintenance release, and addresses the security +vulnerability disclosed in CVE-2019-6471. + Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, @@ -181,7 +188,7 @@ make depend. If you're using Emacs, you might find make tags helpful. Several environment variables that can be set before running configure will affect compilation: -Variable Description + Variable Description CC The C compiler to use. configure tries to figure out the right one for supported systems. C compiler flags. Defaults to include -g and/or -O2 as @@ -333,7 +340,7 @@ development BIND 9 is included in the file CHANGES, with the most recent changes listed first. Change notes include tags indicating the category of the change that was made; these categories are: -Category Description + Category Description [func] New feature [bug] General bug fix [security] Fix for a significant security flaw @@ -384,21 +391,23 @@ Acknowledgments * The original development of BIND 9 was underwritten by the following organizations: - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. + Sun Microsystems, Inc. + Hewlett Packard + Compaq Computer Corporation + IBM + Process Software Corporation + Silicon Graphics, Inc. + Network Associates, Inc. + U.S. Defense Information Systems Agency + USENIX Association + Stichting NLnet - NLnet Foundation + Nominum, Inc. * This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. http://www.OpenSSL.org/ + * This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) + * This product includes software written by Tim Hudson (tjh@cryptsoft.com) 
diff --git a/README.md b/README.md index d86ca4c7fd..633fc4546d 100644 --- a/README.md +++ b/README.md @@ -169,6 +169,11 @@ vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467. BIND 9.14.2 is a maintenance release. +#### BIND 9.14.3 + +BIND 9.14.3 is a maintenance release, and addresses the security +vulnerability disclosed in CVE-2019-6471. + ### Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 67be14eeb2..4b6bf0f156 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -584,11 +584,11 @@ A synonym for .RS 4 Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means \fBdig\fR -normally sends recursive queries\&. Recursion is automatically disabled when the +normally sends recursive queries\&. Recursion is automatically disabled when using the \fI+nssearch\fR -or +option, and when using \fI+trace\fR -query options are used\&. +except for an initial recursive query to get the list of root servers\&. .RE .PP \fB+retry=T\fR diff --git a/bin/dig/dig.html b/bin/dig/dig.html index 268edd4713..4364f0583e 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -790,8 +790,10 @@ in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when - the +nssearch or - +trace query options are used. + using the +nssearch option, and + when using +trace except for + an initial recursive query to get the list of root + servers.

+retry=T
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index e88f9b9b41..23a3966762 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 46badf6bda..1d4f81dfad 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 6373b3b40c..60d6185eb0 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 42c214a8ef..cac854d5be 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 80f877d56f..aa19eafc82 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14884,6 +14884,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 7286603025..018bbba71e 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 0ea543ff5b..31b6b9d481 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 74510a7548..e7f70cc642 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,15 +36,13 @@

-Release Notes for BIND Version 9.14.2

+Release Notes for BIND Version 9.14.3

@@ -136,56 +134,11 @@

Security Fixes

-
    -
  • -

    - In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] -

    -
  • -
  • -

    - The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. (CVE-2018-5743) [GL #615] -

    -
  • -
-
- -
-

-New Features

  • - The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] -

    -
-
- -
-

-Feature Changes

-
  • -

    - When trusted-keys and - managed-keys are both configured for the - same name, or when trusted-keys is used to - configure a trust anchor for the root zone and - dnssec-validation is set to the default - value of auto, automatic RFC 5011 key - rollovers will fail. -

    -

    - This combination of settings was never intended to work, - but there was no check for it in the parser. This has been - corrected; a warning is now logged. (In BIND 9.15 and - higher this error will be fatal.) [GL #868] + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942]

@@ -195,12 +148,13 @@ Bug Fixes

  • - The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded if minimization + were disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055]

@@ -272,6 +226,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 788fcd8817..4730eb7a65 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 016eff4376..a09ab0bc94 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 4a68685e25..09ade93d46 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 550a6544e1..ca68dd1cf0 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 19038ba3ac..932d3160dd 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.14.2

+

BIND Version 9.14.3


@@ -242,15 +242,13 @@
A. Release Notes
-
Release Notes for BIND Version 9.14.2
+
Release Notes for BIND Version 9.14.3
Introduction
Note on Version Numbering
Supported Platforms
Download
Security Fixes
-
New Features
-
Feature Changes
Bug Fixes
License
End of Life
@@ -439,6 +437,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 37d4efe731..86e9eb8693 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index e10bbd83f9..509992b0bd 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 7074b1e2ec..9ae3ca95e6 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index a88fa99cf9..734635e23a 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 09e852de64..b0bdd84dc0 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -808,8 +808,10 @@ in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when - the +nssearch or - +trace query options are used. + using the +nssearch option, and + when using +trace except for + an initial recursive query to get the list of root + servers.

+retry=T
@@ -1151,6 +1153,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 72c4c49814..66181f1413 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 9caee46c42..84d7587921 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 0680f8ca5e..698170caca 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 18b52a87f9..62da5a52ed 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -352,6 +352,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index aaba2ea026..18ef705fad 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 94e8f50132..4e99f3625f 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 3390172e88..69c0aae644 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -557,6 +557,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index bfe13e0609..d75e526ac0 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index fd4090c55d..6141f3b869 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 42249c531c..5e94bb4e69 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index c445d71933..12217e57e3 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -701,6 +701,6 @@ db.example.com.signed -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 0db8c70ee3..6ce0083e9e 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 63ea15be81..a66a9316f3 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 3fc242c270..77efaa6d5e 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index ec47df0e54..8c9fad9a34 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index e68dfe6372..c15f72f625 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -604,6 +604,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 100f28dd67..993f59ea36 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -208,6 +208,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 0cf966dc25..eaa66586e5 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index bf280272e3..5fae663115 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 03755fd2a2..b84b0378b2 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 3ab51fce62..6bfb9c3a03 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 2487fe1ed4..c5a1c43b10 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1075,6 +1075,6 @@ zone -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 74ddba5b34..3c8c02bc6e 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 32b75bfab9..e5d1d88faf 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 1156c7450d..c77c78de57 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index bc2b9816ec..5c93a66f29 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index dbc9003638..86a0ab04c8 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index e7fe4583ad..b6ccb4a56a 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index e3ea9eee94..7f2d469fe4 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 61b4409cc6..320899e693 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 9d4fb03e6f..9f6c1f14fd 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 0b1e943844..9fd7fef2a5 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 81252c8daa..7ae1d1772c 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1024,6 +1024,6 @@ -

BIND 9.14.2 (Stable Release)

+

BIND 9.14.3 (Stable Release)

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index b86d99ddfa..e920f2ef9a 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.14.2

+Release Notes for BIND Version 9.14.3

@@ -97,56 +97,11 @@

Security Fixes

-
    -
  • -

    - In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] -

    -
  • -
  • -

    - The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. (CVE-2018-5743) [GL #615] -

    -
  • -
-
- -
-

-New Features

  • - The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] -

    -
-
- -
-

-Feature Changes

-
  • -

    - When trusted-keys and - managed-keys are both configured for the - same name, or when trusted-keys is used to - configure a trust anchor for the root zone and - dnssec-validation is set to the default - value of auto, automatic RFC 5011 key - rollovers will fail. -

    -

    - This combination of settings was never intended to work, - but there was no check for it in the parser. This has been - corrected; a warning is now logged. (In BIND 9.15 and - higher this error will be fatal.) [GL #868] + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942]

@@ -156,12 +111,13 @@ Bug Fixes

  • - The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded if minimization + were disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055]

diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index effb146be1..aad8e07ba8 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index f349ef7dea..902a19fd8a 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.14.2 +Release Notes for BIND Version 9.14.3 Introduction 
@@ -52,38 +52,18 @@ operating systems. Security Fixes - * In certain configurations, named could crash with an assertion failure - if nxdomain-redirect was in use and a redirected query resulted in an - NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL - #880] - - * The TCP client quota set using the tcp-clients option could be - exceeded in some cases. This could lead to exhaustion of file - descriptors. (CVE-2018-5743) [GL #615] - -New Features - - * The new add-soa option specifies whether or not the response-policy - zone's SOA record should be included in the additional section of RPZ - responses. [GL #865] - -Feature Changes - - * When trusted-keys and managed-keys are both configured for the same - name, or when trusted-keys is used to configure a trust anchor for the - root zone and dnssec-validation is set to the default value of auto, - automatic RFC 5011 key rollovers will fail. - - This combination of settings was never intended to work, but there was - no check for it in the parser. This has been corrected; a warning is - now logged. (In BIND 9.15 and higher this error will be fatal.) [GL # - 868] + * A race condition could trigger an assertion failure when a large + number of incoming packets were being rejected. This flaw is disclosed + in CVE-2019-6471. [GL #942] Bug Fixes - * The allow-update and allow-update-forwarding options were - inadvertently treated as configuration errors when used at the options - or view level. This has now been corrected. [GL #913] + * When qname-minimization was set to relaxed, some improperly configured + domains would fail to resolve, but would have succeeded if + minimization were disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering the + problem. [GL #1055] License diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index eb29b4747f..ba129c5ad0 100644 
--- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -87,54 +87,11 @@
Security Fixes - - - In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] - - - The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. (CVE-2018-5743) [GL #615] - - - -
- -
New Features - - - - The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] - - - -
- -
Feature Changes - - - - When trusted-keys and - managed-keys are both configured for the - same name, or when trusted-keys is used to - configure a trust anchor for the root zone and - dnssec-validation is set to the default - value of auto, automatic RFC 5011 key - rollovers will fail. - - - This combination of settings was never intended to work, - but there was no check for it in the parser. This has been - corrected; a warning is now logged. (In BIND 9.15 and - higher this error will be fatal.) [GL #868] + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942] @@ -144,12 +101,13 @@ - The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded if minimization + were disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] diff --git a/lib/dns/api b/lib/dns/api index 6ac470f629..aaa7206bab 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -9,6 +9,6 @@ # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 -LIBINTERFACE = 1308 +LIBINTERFACE = 1309 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index b6fdd52051..d090649b05 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -128,7 +128,7 @@ struct dns_dispentry { isc_task_t *task; isc_taskaction_t action; void *arg; - bool item_out; + bool item_out; dispsocket_t *dispsocket; ISC_LIST(dns_dispatchevent_t) items; ISC_LINK(dns_dispentry_t) link; 
@@ -3273,13 +3273,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
 disp = resp->disp;
 REQUIRE(VALID_DISPATCH(disp));
 
- REQUIRE(resp->item_out == true);
- resp->item_out = false;
-
 ev = *sockevent;
 *sockevent = NULL;
 
 LOCK(&disp->lock);
+
+ REQUIRE(resp->item_out == true);
+ resp->item_out = false;
+
 if (ev->buffer.base != NULL)
 free_buffer(disp, ev->buffer.base, ev->buffer.length);
 free_devent(disp, ev);
@@ -3424,6 +3425,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
 isc_task_send(disp->task[0], &disp->ctlevent);
 }
 
+/*
+ * disp must be locked.
+ */
 static void
 do_cancel(dns_dispatch_t *disp) {
 dns_dispatchevent_t *ev;
diff --git a/lib/isc/api b/lib/isc/api
index 6ac470f629..0f0b939f06 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 LIBINTERFACE = 1308
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/ns/api b/lib/ns/api
index f821a8a65a..879faac87f 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 LIBINTERFACE = 1306
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/version b/version
index 1e5281e778..7af9ba0d43 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Stable Release)"
 MAJORVER=9
 MINORVER=14
-PATCHVER=2
+PATCHVER=3
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=
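Review bot: The relocated `REQUIRE(resp->item_out == true);` in dns_dispatch_getnext() (lib/dns/dispatch.c) now relies on item_out only ever being read or written while disp->lock is held, but nothing in the new code states that rule. I would add a comment above the check, e.g. `/* item_out is protected by disp->lock; test and clear it only while locked */`, and put the same annotation on the `bool item_out;` field in struct dns_dispentry. Because a failed REQUIRE aborts named, any other writer of item_out that does not take the lock would presumably leave the same assertion reachable under packet load; those call sites are outside this hunk and should be audited against the documented rule. The function body starts and ends outside the hunk, so the matching UNLOCK is not visible here.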