Add CHANGES and release note for [GL #3403]

(cherry picked from commit 54bcbe9a2af6332ce8ffb7190edf40533404c93d)
This commit is contained in:
Evan Hunt 2024-05-23 19:16:54 -07:00 committed by Nicki Křížek
parent 4bdd1bf4f3
commit cdff65122e
No known key found for this signature in database
GPG key ID: 01623B9B652A20A7
2 changed files with 31 additions and 0 deletions

CHANGES

@ -1,3 +1,19 @@
6401. [security] An excessively large number of rrtypes per owner can
slow down database query processing, so a limit has been
placed on the number of rrtypes that can be stored per
owner (node) in a cache or zone database. This is
configured with the new "max-rrtypes-per-name" option,
and defaults to 100. (CVE-2024-1737)
[GL #3403] [GL #4548]
6400. [security] Excessively large rdatasets can slow down database
query processing, so a limit has been placed on the
number of records that can be stored per rdataset
in a cache or zone database. This is configured
with the new "max-records-per-type" option, and
defaults to 100. (CVE-2024-1737)
[GL #497] [GL #3405]
6399. [security] Malicious DNS client that sends many queries over
TCP but never reads responses can cause server to
respond slowly or not respond at all for other
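Review bot: the hunk header (-1,3 +1,19) shows sixteen added lines, so entry 6400 (max-records-per-type, [GL #497] [GL #3405]) is being added in this backport alongside 6401, while the commit subject only names [GL #3403]; the subject or body should mention [GL #3405] as well so the second CHANGES entry stays traceable to the cherry-pick. Both entries carry the same (CVE-2024-1737) tag, but only 6401 also lists [GL #4548]; if that issue applies to both limits, 6400 should cite it too, otherwise the asymmetry deserves a word in the message.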


@ -19,6 +19,21 @@ Security Fixes
responses can cause server to respond slowly or not respond at all for other
clients. :cve:`2024-0760` :gl:`#4481`
- Excessively large resource record sets can be crafted to slow down
database processing. This has been addressed by adding a configurable
limit to the number of records that can be stored per name and type in
a cache or zone database. The default is 100, but it can be tuned with
the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405`
An excessively large number of resource record types for a single owner name can
be crafted to slow down database processing. This has been addressed by adding
a configurable limit to the number of records that can be stored per name and
type in a cache or zone database. The default is 100, and can be tuned with
the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403`
ISC would like to thank Toshifumi Sakaguchi who independently discovered
and responsibly reported the issue to ISC. :gl:`#4548`
- Named could trigger an assertion failure when looking up the NS
records of parent zones as part of looking up DS records. This
has been fixed. :gl:`#4661`
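Review bot: the second added bullet (the paragraph beginning "An excessively large number of resource record types for a single owner name") documents the ``max-rrtypes-per-name`` limit, but its second sentence repeats the first bullet's wording, "limit to the number of records that can be stored per name and type in a cache or zone database", which describes ``max-records-per-type``; it should instead say a limit on the number of resource record types that can be stored per owner name, matching CHANGES entry 6401. Two smaller points: as shown, that paragraph does not start with the "- " list marker and the "ISC would like to thank" paragraph is not indented under it, so Sphinx will close the bullet list there rather than render both as one item; and the first added bullet omits :cve:`2024-1737` although CHANGES tags both entries with that CVE, so add the role to the first bullet (or move it to a line covering both) for consistency.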