Commit 6195f229 authored by Tinderbox User's avatar Tinderbox User

prep 9.11.6-P1

parent 57917049
--- 9.11.6-P1 released ---
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
......
......@@ -282,6 +282,11 @@ feature:
BIND 9.11.6 is a maintenance release, and also addresses the security
flaws disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465.
#### BIND 9.11.6-P1
BIND 9.11.6-P1 addresses the security vulnerability disclosed in
CVE-2018-5743.
### <a name="build"/> Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
......
......@@ -76,66 +76,12 @@
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
<command>named</command> could crash during recursive processing
of DNAME records when <command>deny-answer-aliases</command> was
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</para>
</listitem>
<listitem>
<para>
When recursion is enabled but the <command>allow-recursion</command>
and <command>allow-query-cache</command> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <command>allow-query</command>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</para>
</listitem>
<listitem>
<para>
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash if it managed a DNSSEC
security root with <command>managed-keys</command> and the
authoritative zone rolled the key to an algorithm not supported
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
<listitem>
<para>
<command>named</command> leaked memory when processing a
request with multiple Key Tag EDNS options present. ISC
would like to thank Toshifumi Sakaguchi for bringing this
to our attention. This flaw is disclosed in CVE-2018-5744.
[GL #772]
</para>
</listitem>
<listitem>
<para>
Zone transfer controls for writable DLZ zones were not
effective as the <command>allowzonexfr</command> method was
not being called for such zones. This flaw is disclosed in
CVE-2019-6465. [GL #790]
</para>
</listitem>
<listitem>
<para>
The TCP client quota set using the <command>tcp-clients</command>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</para>
</listitem>
</itemizedlist>
......@@ -145,55 +91,7 @@
<itemizedlist>
<listitem>
<para>
<command>named</command> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<command>root-key-sentinel no;</command> to
<filename>named.conf</filename>.
</para>
</listitem>
<listitem>
<para>
Added the ability not to return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned,
add <command>answer-cookie no;</command> to
<filename>named.conf</filename>. [GL #173]
</para>
<para>
<command>answer-cookie no</command> is only intended as a
temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the
same address is not expected to cause operational problems,
but the option to disable COOKIE responses so that all
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
mechanism, and should not be disabled unless absolutely
necessary.
</para>
</listitem>
<listitem>
<para>
Two new update policy rule types have been added
<command>krb5-selfsub</command> and <command>ms-selfsub</command>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
<itemizedlist>
<listitem>
<para>
<command>named</command> will now log a warning if the old
BIND now can be compiled against libidn2 library to add
IDNA2008 support. Previously BIND only supported IDNA2003
using (now obsolete) idnkit-1 library.
None.
</para>
</listitem>
</itemizedlist>
......@@ -203,37 +101,7 @@
<itemizedlist>
<listitem>
<para>
<command>dig +noidnin</command> can be used to disable IDN
processing on the input domain name, when BIND is compiled
with IDN support.
</para>
</listitem>
<listitem>
<para>
Multiple <command>cookie-secret</command> clause are now
supported. The first <command>cookie-secret</command> in
<filename>named.conf</filename> is used to generate new
server cookies. Any others are used to accept old server
cookies or those generated by other servers using the
matching <command>cookie-secret</command>.
</para>
</listitem>
<listitem>
<para>
The <command>rndc nta</command> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <command>-class</command>
option. [GL #105]
</para>
</listitem>
<listitem>
<para>
When compiled with IDN support, the <command>dig</command> and the
<command>nslookup</command> commands now disable IDN processing when
the standard output is not a tty (e.g. not used by human). The command
line options +idnin and +idnout need to be used to enable IDN
processing when <command>dig</command> or <command>nslookup</command>
is used from the shell scripts.
None.
</para>
</listitem>
</itemizedlist>
......@@ -243,27 +111,7 @@
<itemizedlist>
<listitem>
<para>
When a negative trust anchor was added to multiple views
using <command>rndc nta</command>, the text returned via
<command>rndc</command> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
</para>
</listitem>
<listitem>
<para>
<command>named</command> now rejects excessively large
incremental (IXFR) zone transfers in order to prevent
possible corruption of journal files which could cause
<command>named</command> to abort when loading zones. [GL #339]
</para>
</listitem>
<listitem>
<para>
<command>rndc reload</command> could cause <command>named</command>
to leak memory if it was invoked before the zone loading actions
from a previous <command>rndc reload</command> command were
completed. [RT #47076]
None.
</para>
</listitem>
</itemizedlist>
......
......@@ -8,6 +8,6 @@
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
LIBINTERFACE = 1100
LIBREVISION = 1
LIBAGE = 0
LIBINTERFACE = 1101
LIBREVISION = 0
LIBAGE = 1
......@@ -6,6 +6,6 @@ DESCRIPTION="(Extended Support Version)"
MAJORVER=9
MINORVER=11
PATCHVER=6
RELEASETYPE=
RELEASEVER=
RELEASETYPE=-P
RELEASEVER=1
EXTENSIONS=
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment