From d9dbb0d1044f42672fb7970bc0016f40b07d5756 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 11 Jun 2024 17:02:10 +0200 Subject: [PATCH] Tweak and reword release notes --- doc/notes/notes-9.18.28.rst | 86 +++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 42 deletions(-) diff --git a/doc/notes/notes-9.18.28.rst b/doc/notes/notes-9.18.28.rst index e30fc3b5c0..7772a068f6 100644 --- a/doc/notes/notes-9.18.28.rst +++ b/doc/notes/notes-9.18.28.rst @@ -15,55 +15,57 @@ Notes for BIND 9.18.28 Security Fixes ~~~~~~~~~~~~~~ -- Malicious DNS client that sends many queries over TCP but never reads - responses can cause server to respond slowly or not respond at all for other - clients. :cve:`2024-0760` :gl:`#4481` +- A malicious DNS client that sent many queries over TCP but never read + the responses could cause a server to respond slowly or not at all for + other clients. This has been fixed. :cve:`2024-0760` :gl:`#4481` -- Excessively large resource record sets can be crafted to slow down +- It is possible to craft excessively large resource records sets, which + have the effect of slowing down database processing. This has been + addressed by adding a configurable limit to the number of records that + can be stored per name and type in a cache or zone database. The + default is 100, which can be tuned with the new + :any:`max-records-per-type` option. :gl:`#497` :gl:`#3405` + + It is possible to craft excessively large numbers of resource record + types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in - a cache or zone database. The default is 100, but it can be tuned with - the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405` + a cache or zone database. The default is 100, which can be tuned with + the new :any:`max-types-per-name` option. :cve:`2024-1737` :gl:`#3403` - An excessively large number of resource record types for a single owner name can - be crafted to slow down database processing. This has been addressed by adding - a configurable limit to the number of records that can be stored per name and - type in a cache or zone database. The default is 100, and can be tuned with - the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403` + ISC would like to thank Toshifumi Sakaguchi who independently + discovered and responsibly reported the issue to ISC. :gl:`#4548` - ISC would like to thank Toshifumi Sakaguchi who independently discovered - and responsibly reported the issue to ISC. :gl:`#4548` +- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`) + could cause excessive CPU load, leading to a denial-of-service + condition. Support for SIG(0) message validation was removed from this + version of :iscman:`named`. :cve:`2024-1975` :gl:`#4480` -- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`) could - cause excessive CPU load, leading to a denial-of-service condition. - Support for SIG(0) message validation was removed from this version of - :iscman:`named`. :cve:`2024-1975` :gl:`#4480` +- Due to a logic error, lookups that triggered serving stale data and + required lookups in local authoritative zone data could have resulted + in an assertion failure. This has been fixed. :cve:`2024-4076` + :gl:`#4507` -- Due to a logic error, lookups that trigger serving stale data and require - lookups in local authoritative zone data may result in an assertion failure. - This has been fixed. :cve:`2024-4076` :gl:`#4507` - -- Named could trigger an assertion failure when looking up the NS - records of parent zones as part of looking up DS records. This - has been fixed. :gl:`#4661` +- When looking up the NS records of parent zones as part of looking up DS + records, it was possible for :iscman:`named` to trigger an assertion + failure if serve-stale was enabled. This has been fixed. :gl:`#4661` Bug Fixes ~~~~~~~~~ -- Potential data races were found in our DoH implementation related - to HTTP/2 session object management and endpoints set object - management after reconfiguration. These issues have been - fixed. :gl:`#4473` +- Potential data races were found in our DoH implementation, related to + HTTP/2 session object management and endpoints set object management + after reconfiguration. These issues have been fixed. :gl:`#4473` - ISC would like to thank Dzintars and Ivo from nic.lv for bringing - this to our attention. + ISC would like to thank Dzintars and Ivo from nic.lv for bringing this + to our attention. - Command-line options for IPv4-only (:option:`named -4`) and IPv6-only - (:option:`named -6`) modes are now respected for zone primaries, - :any:`also-notify` and :any:`parental-agents`. :gl:`#3472` + (:option:`named -6`) modes are now respected for zone :any:`primaries`, + :any:`also-notify`, and :any:`parental-agents`. :gl:`#3472` -- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if - ``add-soa`` was used. This has been fixed. :gl:`#3323` +- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, + if ``add-soa`` was used. This has been fixed. :gl:`#3323` - When a query related to zone maintenance (NOTIFY, SOA) timed out close to a view shutdown (triggered e.g. by :option:`rndc reload`), @@ -74,15 +76,15 @@ Bug Fixes connected TCP IPv4/IPv6 clients were not properly adjusted in certain failure scenarios. This has been fixed. :gl:`#4742` -- Some servers which couldn't be reached due EHOSTDOWN or ENETDOWN - conditions were incorrectly prioritized during server selection. - These are now properly handled as unreachable. :gl:`#4736` +- Some servers that could not be reached due to EHOSTDOWN or ENETDOWN + conditions were incorrectly prioritized during server selection. These + are now properly handled as unreachable. :gl:`#4736` -- When sending a TCP reset for a connection, on some systems - the libuv call may return an error code, which triggered an - assertion failure in `named`. This error condition is now - being dealt with in a more graceful manner, by logging the - incident and shutting down the connection. :gl:`#4708` +- On some systems the libuv call may return an error code when sending a + TCP reset for a connection, which triggers an assertion failure in + :iscman:`named`. This error condition is now dealt with in a more + graceful manner, by logging the incident and shutting down the + connection. :gl:`#4708` Known Issues ~~~~~~~~~~~~