diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index ad7a7c128a..5925f8ce4f 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.44.rst .. include:: ../changelog/changelog-9.18.43.rst .. include:: ../changelog/changelog-9.18.42.rst .. include:: ../changelog/changelog-9.18.41.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 2f32c5622c..9ff2fe7abe 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.18 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18 +.. include:: ../notes/notes-9.18.44.rst .. include:: ../notes/notes-9.18.43.rst .. include:: ../notes/notes-9.18.42.rst .. include:: ../notes/notes-9.18.41.rst diff --git a/doc/changelog/changelog-9.18.44.rst b/doc/changelog/changelog-9.18.44.rst new file mode 100644 index 0000000000..4118fa3858 --- /dev/null +++ b/doc/changelog/changelog-9.18.44.rst @@ -0,0 +1,53 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.44 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT + records. ``d556bde123`` + + Malformed BRID and HHIT records could trigger an assertion failure. + This has been fixed. + + ISC would like to thank Vlatko Kosturjak from Marlink Cyber for + bringing this vulnerability to our attention. :gl:`#5616` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Support compilation with cmocka 2.0.0+ ``184df12da4`` + + The `assert_in_range()` function was deprecated in favor of + `assert_int_in_range()` and `assert_uint_in_range()`. Add + compatibility shims for cmocka<2.0.0 and use the new functions. + :gl:`#5699` :gl:`!11438` + +Bug Fixes +~~~~~~~~~ + +- Allow glue in delegations with QTYPE=ANY. ``21ad0222b7`` + + When a query for type ANY triggered a delegation response, all + additional data was omitted from the response, including mandatory + glue. This has been corrected. :gl:`#5659` :gl:`!11368` + +- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid. + ``53cfe984e3`` + + A zone that is signed with NSEC3, opt-out enabled, and then + reconfigured to use NSEC, causes the zone to be published with missing + NSEC records. This has been fixed. :gl:`#5679` :gl:`!11402` + + diff --git a/doc/notes/notes-9.18.44.rst b/doc/notes/notes-9.18.44.rst new file mode 100644 index 0000000000..7dad690525 --- /dev/null +++ b/doc/notes/notes-9.18.44.rst @@ -0,0 +1,43 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.44 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix incorrect length checks for BRID and HHIT records. + :cve:`2025-13878` + + Malformed BRID and HHIT records could trigger an assertion + failure. This has been fixed. + + ISC would like to thank Vlatko Kosturjak from Marlink Cyber for + bringing this vulnerability to our attention. :gl:`#5616` + +Bug Fixes +~~~~~~~~~ + +- Allow glue in delegations with QTYPE=ANY. + + When a query for type ANY triggered a delegation response, all + additional data was omitted from the response, including mandatory + glue. This has been fixed. :gl:`#5659` + +- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be + invalid. + + A zone that was signed with NSEC3, had opt-out enabled, and was then + reconfigured to use NSEC, was published with missing NSEC records. + This has been fixed. :gl:`#5679` + + diff --git a/lib/dns/rdata/generic/brid_68.c b/lib/dns/rdata/generic/brid_68.c index 11afb16e33..ac3bbb35ae 100644 --- a/lib/dns/rdata/generic/brid_68.c +++ b/lib/dns/rdata/generic/brid_68.c @@ -85,7 +85,7 @@ fromwire_brid(ARGS_FROMWIRE) { static isc_result_t towire_brid(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_brid); - REQUIRE(rdata->length >= 3); + REQUIRE(rdata->length > 0); UNUSED(cctx); diff --git a/lib/dns/rdata/generic/hhit_67.c b/lib/dns/rdata/generic/hhit_67.c index 8b51a82ddb..c0b57730e7 100644 --- a/lib/dns/rdata/generic/hhit_67.c +++ b/lib/dns/rdata/generic/hhit_67.c @@ -85,7 +85,7 @@ fromwire_hhit(ARGS_FROMWIRE) { static isc_result_t towire_hhit(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_hhit); - REQUIRE(rdata->length >= 3); + REQUIRE(rdata->length > 0); UNUSED(cctx);