                Internet Systems Consortium DHCP Distribution
                             Version 4.3.4
                             29 March 2016

                             Release Notes

                              NEW FEATURES

The major "theme" for ISC DHCP 4.3.x was to update the support for
DHCPv6 to include several of the features that have been available
for DHCPv4.  These include:

- Support the use of classes

- Support for on_commit, on_expiry and on_release statements

- Better logging of address assignments

- Support for using DHCPv6 relay options in expressions

This release also adds support for the standard DDNS as described in the
current RFCs as well as enhancing support for dynamically adding and removing
subclasses via OMAPI.

There are a number of DHCPv6 limitations and features missing in this
release, which will be addressed in the future:

- Only Solaris, Linux, FreeBSD, NetBSD, and OpenBSD are supported.

- DHCPv6 includes human-readable text in status code messages, in
  English.  A method to reconfigure or support other languages would
  be preferable.

- The "host-identifier" option is limited to a simple token.

- The client and server can only operate DHCPv4 or DHCPv6 at a time,
  not both.  To use both protocols simultaneously, two instances of the
  relevant daemon are required, one with the '-6' command line option.

For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.

ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.

The system has only been tested on Linux, FreeBSD, and Solaris, and may not
work on other platforms. Please report any problems and suggested fixes to
<dhcp-users@isc.org>.

ISC DHCP is open source software maintained by Internet Systems
Consortium.  This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).

			Changes since 4.3.4

- Fixed util/bindvar.sh error handling.
  [ISC-Bugs #41973]

- Correct error message in relay to use remote id length instead
  of circuit id length.
  [ISC-Bugs #42556]

			Changes since 4.3.4b1

- None

			Changes since 4.3.3

- Corrected a static analyzer warning in common/execute.c
  [ISC-Bugs #40374]

- ISC DHCP now follows the common convention to use the base name a
  program is invoked with (aka argv[0], vs. a builtin name) for
  logs. This should help differentiate syslog entries for DHCPv4 and
  DHCPv6 servers. You can define OLD_LOG_NAME in includes/site.h to
  keep the previous behavior.
  [ISC-Bugs #38692]

- The Linux packet filter code now correctly treats only the least significant
  12 bits in an inbound packet's TCI value as the VLAN id (per IEEE 802.1Q).
  Prior to this it was using the entire 16 bit value as the VLAN id and
  incorrectly discarding packets.  Thanks to Jiri Popelka at Red Hat for
  reporting this issue and supplying its patch.
  [ISC-Bugs #40591]

- Fixed several static analysis issues such as potential null
  references and unchecked strdup returns.  Thanks to Bill Parker (wp02855 at
  gmail dot com) who identified these issues and supplied patches to
  address them.
  [ISC-Bugs #40754]
  [ISC-Bugs #40823]

- Corrected compilation errors that prohibited building the server
  and its ATF unit tests when failover is disabled.
  [ISC-Bugs #40372]

- Added the lease address to the end of the debug level log message
  emitted when an existing lease is renewed within the dhcp-cache-threshold.
  Thanks to Nathan Neulinger at Missouri S&T for suggesting the change.
  [ISC-Bugs #40598]

- Added dhcpv6 and delayed-ack to settings listed in the "Features:"
  section of the configure script output.  Additionally, all of the
  features reported on will now always show either a "yes" or "no"
  value.  Prior to this features left to their default setting would
  not show a value.
  [ISC-Bugs #40381]

- Added a parameter, authoring-byte-order, to the lease file. This value
  is automatically added to the top of new lease files by the server and
  indicates the internal byte order (big endian or little endian) of the
  server.  This permits lease files generated on a server with one form of
  byte order to be used on a server with the opposite form. Our thanks to
  Timothe Litt for calling this to our attention and for the suggestions
  he provided.
  [ISC-Bugs #38396]

- Fixed a small memory leak in the DHCPv6 version of the client code.
  This is unlikely to cause significant issues in actual use.
  [ISC-Bugs #40990]

- Corrected a few minor memory leaks in omapi's dereferencing of
  host objects. Thanks to Jiri Popelka at Red Hat for reporting
  the issue and supplying the patches.
  [ISC-Bugs #33990]
  [ISC-Bugs #41325]

- Cleaned up some of the Make infrastructure to make --with-libbind
  work better, though it still only works with an absolute path.
  [ISC-Bugs #39210]

- Made the embedded bind libraries able to be cross compiled
  (please refer to the bind9 documentation to learn how to cross
   compile DHCP and its bind library dependency).
  [ISC-Bugs #38836]

- Update the client code to better support getting IA_NAs and IA_PDs
  in the same packet, see RFC7550 for some discussion.
  [ISC-Bugs #40190]

! Update the bounds checking when receiving a packet.
  Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
  patch.
  [ISC-Bugs #41267]
  CVE: CVE-2015-8605

- When handling an incorrect command line for dhcpd, dhclient or dhcrelay
  print out a specific error message about the first error in addition
  to the usage string.  This may be disabled by editing includes/site.h.
  [ISC-Bugs #40321]
  [ISC-Bugs #41454]

- The configure script will now exit with an error message if it cannot find
  a GNU-style make tool (needed when building BIND libraries) or pkg-config
  (needed to locate ATF used for building unit tests). Prior to this the
  script would exit indicating success causing subsequent attempts to build
  the software to fail.
  [ISC-Bugs #40371]

- Properly terminate strings before passing them to regex and fix
  a boundary error when creating certain new data strings.
  Thanks to Andrey Jr. Melnikov for the bug report.
  [ISC-Bugs #41217]

- Option expressions, such as prepend and append, are now supported when
  running dhclient for IPv6.  Prior to this such statements in the
  client configuration file would be parsed but have no effect.  Thanks
  to Jiri Popelka at Red Hat for reporting the issue.
  [ISC-Bugs #39952]

- A failover primary server will now accept a binding status update from the
  secondary which transitions a lease from ACTIVE to ABANDONED. This accounts
  for instances in which a client declines a lease and only the secondary
  server receives it.  Prior to this the primary server would reject such an
  update as an "invalid state transition".
  [ISC-Bugs #25189]

- Properly allocate memory for a bpf filter.
  Thanks to Bill Parker (wp02855 at gmail dot com) who identified this issue.
  [ISC-Bugs #41485]

- Updated contrib/dhcp-lease-list.pl to handle garbage in the oui file better
  and to print out the hostnames a bit better.
  Thanks to Antoine Beaupré from Debian for the suggested patch.
  [ISC-Bugs #41288]

- The DHCPv6 server now handles long valid and preferred lease times better.
  Values that would cause the internal end time of the lease to wrap are
  modified to work as infinite.
  [ISC-Bugs #40773]

- Updated support for cross compiling by allowing the library archiver
  to be set at configure time via the environment variable 'AR'.
  [ISC-Bugs #41536]

- The server will now match DHCPv6 relayed clients to host declarations
  which include the "hardware" statement, if the relay connected to the
  client supplies the client's hardware address via client-linklayer-address
  option as per RFC 6939.
  [ISC-Bugs #40334]

- Allow a filename to be specified instead of /dev/random during
  configuration.  This is passed to the BIND configuration to allow
  for cross compilation.
  [ISC-Bugs #33835]

- Add more option definitions.
  [ISC-Bugs #40562]

- Correct outputting of long lines in the lease file when writing
  a lease that includes long strings in an execute statement.
  [ISC-Bugs #40994]

- The server will now correctly treat a lease as reserved when the client
  requests an infinite lease time (i.e. 0xFFFFFFFF) and "infinite-is-reserved"
  is enabled.  Prior to this the server would halt.  In addition, corrections
  were made to the server to allow a lease's flags field to be set via omapi.
  Prior to this, the server, depending on the host architecture,  would
  incorrectly parse the new flags value from the omapi message.
  [ISC-Bugs #31179]

- ISC DHCP can now be configured and built from a directory other than
  the top level source directory. Note that "make distcheck" uses this
  feature.
  [ISC-Bugs #39262]

- Add support for RFC 3527 to dhcrelay.  A new dhcrelay command line argument,
  "-U <interface>", enables the addition of an RFC 3527 compliant link selection
  suboption to the agent option added for clients directly connected to the
  relay.
  [ISC-Bugs #34875]
  [ISC-Bugs #41708]

- Add a new global DHCPv6 option, dhcpv6-set-tee-times, which when enabled
  instructs the server to calculate T1 and T2 as recommended in RFC 3315,
  Section 22.4.
  [ISC-Bugs #25687]

- Corrected minor Coverity issues.
  [ISC-Bugs #35144]

- Add support for RFC 7341 DHCPv4 over DHCPv6 with a new configuration
  option "--enable-dhcpv4o6". Note this feature requires DHCPv6 support
  and is not compatible with delayed-ack. Both client and server use 2
  processes which communicate over UDP on a pair of sockets. The new
  "-4o6 <port>" command line argument enables DHCPv4 over DHCPv6 support
  and specifies the consecutive ports to use for inter-process communication.
  Please look at doc/DHCPv4-over-DHCPv6 for more details.
  [ISC-Bugs #35711]

- Correct interface name formation when using DLPI under Solaris 11. As of
  Solaris 11, ethernet device files are located in "/dev/net".  The configure
  script has been modified to detect this situation and adjust the directory
  used accordingly. Thanks to Jarkko Torppa for reporting this issue and
  submitting a patch.
  [ISC-Bugs #37954]
  [ISC-Bugs #40752]

- Add a dereference call when handling an error condition while
  decoding a packet.
  [ISC-Bugs #41774]

- Add a new parameter, lease-id-format, to both dhcpd and dhclient. The
  parameter controls the format in which certain values are written to lease
  files.  Formats supported are octal - quoted string containing octal
  escapes, and hex - unquoted, colon separated hex digits.  Thanks to
  Jay Ford, University of Iowa for bringing the issue to our attention.
  [ISC-Bugs #26378]

! Add an option in site.h to limit the number of failover and control
  connections the server will accept.  By default this is 200.
  [ISC-Bugs #41845]
  CVE: CVE-2016-2774
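
Added example (not ISC DHCP code) for the VLAN id entry above
([ISC-Bugs #40591]): it decodes constructed 802.1Q TCI values and compares a
whole-TCI test with a 12-bit VID test.  The filter functions and all names
are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.1Q Tag Control Information, 16 bits:
 *   bits 15-13  PCP  priority code point
 *   bit  12     DEI  drop eligible indicator
 *   bits 11-0   VID  VLAN id (0 = priority tag only, no VLAN) */
#define TCI_VID_MASK 0x0FFFu

struct tci_fields {
    unsigned pcp;
    unsigned dei;
    unsigned vid;
};

struct tci_fields tci_decode(uint16_t tci)
{
    struct tci_fields f;

    f.pcp = (tci >> 13) & 0x7u;
    f.dei = (tci >> 12) & 0x1u;
    f.vid = tci & TCI_VID_MASK;
    return f;
}

/* Hypothetical filter for a socket on the parent (untagged) interface:
 * a frame that belongs to a VLAN is left to the VLAN interface.
 * This form takes the whole TCI as the VLAN id, which is the behaviour
 * the entry describes as the old one. */
int drops_using_whole_tci(uint16_t tci)
{
    return tci != 0;
}

/* The same decision using only the 12-bit VID. */
int drops_using_vid(uint16_t tci)
{
    return (tci & TCI_VID_MASK) != 0;
}

/* Count frames the whole-TCI test discards although their VID is 0. */
size_t count_wrongly_dropped(const uint16_t *tci, size_t n)
{
    size_t i, bad = 0;

    for (i = 0; i < n; i++)
        if (drops_using_whole_tci(tci[i]) && !drops_using_vid(tci[i]))
            bad++;
    return bad;
}

/* Constructed sample values, not captured traffic. */
static const uint16_t sample_tci[] = {
    0x0000, /* untagged */
    0xA000, /* PCP 5, VID 0: priority-tagged, no VLAN */
    0x0064, /* VID 100 */
    0xA064, /* PCP 5, VID 100 */
    0x1000, /* DEI set, VID 0 */
};
#define SAMPLE_COUNT (sizeof sample_tci / sizeof sample_tci[0])

int main(void)
{
    size_t i;

    for (i = 0; i < SAMPLE_COUNT; i++) {
        struct tci_fields f = tci_decode(sample_tci[i]);

        printf("tci=0x%04x pcp=%u dei=%u vid=%-4u whole-tci:%s vid-only:%s\n",
               (unsigned)sample_tci[i], f.pcp, f.dei, f.vid,
               drops_using_whole_tci(sample_tci[i]) ? "drop" : "keep",
               drops_using_vid(sample_tci[i]) ? "drop" : "keep");
    }
    printf("wrongly dropped: %zu\n",
           count_wrongly_dropped(sample_tci, SAMPLE_COUNT));
    return 0;
}
```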

			Changes since 4.3.3b1

- None

			Changes since 4.3.2

- The server now does a better check to see if it can allocate the memory
  for large blocks of v4 leases and should provide a slightly better error
  message.  Note well: the server pre-allocates v4 addresses; if you use
  a large range, such as a /8, the server will attempt to use a large
  amount of memory and may not start if there either isn't enough memory
  or the size exceeds what the code supports.
  [ISC-Bugs #38637]

- The server will now reject unicast Request, Renew, Decline, and Release
  messages from a client unless the server would have sent that client the
  dhcp6.unicast option.  This behavior is in compliance with paragraph 1 in
  each of the sections 18.2.1, 18.2.3, 18.2.6, and 18.2.7 of RFC 3315. Prior
  to this, the server would simply accept the messages.  Now, in order for
  the server to accept such a message, the server configuration must include
  the dhcp6.unicast option either globally or within the shared network to
  which the requested lease belongs. In other words, the server will map
  the first IA_XX address found within the client message to a shared-network
  and look for the presence of the unicast option there and then globally.
  Thanks to Jiri Popelka at Red Hat for this issue and his patch which
  inspired the fix.
  [ISC-Bugs #21235]

- The ATF (Automated Testing Framework) tools used for optional unit tests
  can now be built from its embedded sources in bind, solving the
  atf-run / atf-report issue with recent (>= 0.20) versions of ATF.
  The new configuration option is "./configure --with-atf=bind".
  [ISC-Bugs #38754, #39300]

- Corrected a compilation error introduced by the fix for ISC-Bugs #22806.
  On older Linux versions that do not include the tpacket_auxdata structure,
  don't bother allocating the cmsgbuf as it isn't necessary and we don't have
  a proper length for it.
  [ISC-Bugs #39209]

- Remove the dst directory.  This was replaced in 4.2.0 with the dst
  code from the Bind libraries but we continued to include it for
  backwards compatibility.  As we have now released 4.3.x it seems
  reasonable to remove it.
  [ISC-Bugs #39019]

- Write out the DUID server id on startup in all cases.  Previously, if it
  was read in from server-duid option in the config or lease files for
  DHCPv4 it would not be written to the new lease file.
  [ISC-Bugs #37791]

- When parsing dates for leases convert dates past 2038 to "never".
  This avoids problems with integer overflows in the date and time
  handling code for people that decide to use very large lease times
  or add a lease entry with a date far in the future.
  [ISC-Bugs #33056]

- Leave the siaddr field clear when sending a NACK as per RFC 2131
  table 3.
  [ISC-Bugs #38769]

- In the client don't send expired addresses to the script as part of
  the binding process.  Thanks to Sven Trenkel at Google for reporting
  the issue and suggesting the patch.
  [ISC-Bugs #38631]

- While parsing IPv6 addresses treat "add" as part of the address instead
  of as a token.
  [ISC-Bugs #39529]

- Add support for accessing the v4 lease queues (active, free etc) in a
  binary fashion instead of needing to walk through a linear list to
  insert, find or remove an entry from the queues.  In addition add a
  compile time option "--enable-binary-leases" to enable the new code
  or to continue using the old code.  The old code is the default.
  Thanks to Fernando Soto from BlueCat Networks for the patch.
  [ISC-Bugs #39078]

- Delayed-ack now works properly with Failover. Prior to this, bind updates
  post startup were being queued but never delivered. Among other things, this
  was causing leases to not transition from expired or released to free.
  [ISC-Bugs #31474]

- Clean up parsing of v6 lease files a bit to avoid infinite loops if the
  lease file is corrupt in certain ways.
  [ISC-Bugs #39760]

- Corrected a crash in dhclient that occurs during lease renewal if the
  client is performing its own DNS updates.  Thanks to Jiri Popelka at Red Hat
  for the bug report.
  [ISC-Bugs #38639]

- Corrected an issue in v6 lease file parsing. Prior to this, when encountering
  a lease with an address for which no configured pool exists, the server was
  declaring the lease file corrupt and incorrectly skipping over the subsequent
  entry in the file.  The server will now emit a log message indicating that
  no pool was found for the address (or prefix) and correctly resume parsing
  with the next entry in the lease file.  Our thanks to Michal Žejdl for
  reporting the issue.
  [ISC-Bugs #39314]

- Be more liberal in finding a subnet group associated with a static
  prefix.  When we added the class matching code for v6 we also added
  a requirement that the static prefix must be within a subnet the
  client was in, in order to find the proper statements.  We now
  look for a subnet based on the prefix, failing that on the static
  address for the client and failing that on the shared network
  itself.
  [ISC-Bugs #38329]

- Add a new action expression "parse_vendor_options", which can be used
  to parse a vendor-encapsulated-option received by the server based on
  the encoding specified by the vendor-option-space statement.
  [ISC-Bugs #36449]

- Enhance the PARANOIA patch to include fchown() the lease file to
  allow it to be manipulated after the server does a chown().
  Thanks to Jiri Popelka at Red Hat for the patch.
  [ISC-Bugs #36978]

- Relax the requirement that prefix pools must be within the subnet.
  This was added in as part of #32453 in order to avoid configuration
  mistakes but is being removed as prefixes aren't required to be
  within the same subnet and many people configure them in that fashion.
  [ISC-Bugs #40077]

- Fixed a server crash that could occur when the server attempts to remove
  the billing class from the last lease billed to a dynamic class after said
  class has been deleted.  Our thanks to Lasse Pesonen for reporting the
  issue.
  [ISC-Bugs #39978]

- LDAP Patches - Numerous small patches submitted by contributors have
  been applied to the contributed code which supplies LDAP support.
  In addition, two larger submissions have also been included.  The
  first adds support for IPv6 configuration and the second provides
  GSSAPI authentication. We would like to thank the following for their
  contributions (alphabetically):
    Alex Novak at SUSE
    Bill Parker (wp02855 at gmail dot com)
    Jiri Popelka at Red Hat
    Marius Tomaschewski at SUSE
    (william at adelaide.edu.au), The University of Adelaide
  [ISC-Bugs #39056]
  [ISC-Bugs #22742]
  [ISC-Bugs #24449]
  [ISC-Bugs #28545]
  [ISC-Bugs #29873]
  [ISC-Bugs #30183]
  [ISC-Bugs #30402]
  [ISC-Bugs #32217]
  [ISC-Bugs #32240]
  [ISC-Bugs #33176]
  [ISC-Bugs #33178]
  [ISC-Bugs #36409]
  [ISC-Bugs #36774]
  [ISC-Bugs #37876]

- Handle an out of memory condition in the client a bit better.
  Thanks to Frédéric Perrin from Brocade for finding the issue
  and suggesting a patch.
  [ISC-Bugs #39279]
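
Added example (not ISC DHCP code) for two entries: the DHCPv6 lease time
wrap listed under "Changes since 4.3.3" ([ISC-Bugs #40773]) and the post-2038
date entry above ([ISC-Bugs #33056]).  It assumes a signed 32-bit end time
whose largest value means "never"; the type, constants and function names
are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions made for this example (these are not ISC DHCP identifiers):
 * lease end times are signed 32-bit seconds since the epoch, and the
 * largest such value means "never expires". */
typedef int32_t ex_time_t;
#define EX_TIME_NEVER    INT32_MAX
#define EX_LIFE_INFINITE 0xFFFFFFFFu  /* all-ones lifetime means infinite */

/* Unchecked form: the sum is reduced modulo 2^32, so a long lifetime can
 * yield an end time that is earlier than "now".  (Converting a sum above
 * INT32_MAX back to int32_t is implementation-defined on top of that.) */
ex_time_t end_time_unchecked(ex_time_t now, uint32_t lifetime)
{
    return (ex_time_t)((uint32_t)now + lifetime);
}

/* Checked form: do the sum in 64 bits and treat anything that does not
 * fit, or an explicit infinite lifetime, as "never". */
ex_time_t end_time_checked(ex_time_t now, uint32_t lifetime)
{
    int64_t end = (int64_t)now + (int64_t)lifetime;

    if (lifetime == EX_LIFE_INFINITE || end >= EX_TIME_NEVER)
        return EX_TIME_NEVER;
    return (ex_time_t)end;
}

/* Date read from a lease file, already converted to epoch seconds in a
 * wide type: anything at or past the 32-bit limit (January 2038) becomes
 * "never" instead of being truncated. */
ex_time_t lease_date_from_epoch(int64_t secs)
{
    if (secs >= EX_TIME_NEVER)
        return EX_TIME_NEVER;
    if (secs < 0)
        return 0;
    return (ex_time_t)secs;
}

/* A lease marked "never" does not expire. */
int lease_expired(ex_time_t end, ex_time_t now)
{
    return end != EX_TIME_NEVER && end <= now;
}

/* Constructed input: 2016-03-29 00:00:00 UTC. */
#define EX_NOW 1459209600

int main(void)
{
    static const uint32_t lifetimes[] = { 3600u, 1000000000u,
                                          0xFFFFFFF0u, EX_LIFE_INFINITE };
    size_t i;

    for (i = 0; i < sizeof lifetimes / sizeof lifetimes[0]; i++) {
        ex_time_t u = end_time_unchecked(EX_NOW, lifetimes[i]);
        ex_time_t c = end_time_checked(EX_NOW, lifetimes[i]);

        printf("lifetime=%10lu unchecked=%11ld expired=%d  "
               "checked=%11ld expired=%d\n",
               (unsigned long)lifetimes[i],
               (long)u, lease_expired(u, EX_NOW),
               (long)c, lease_expired(c, EX_NOW));
    }
    /* 2100-01-01 00:00:00 UTC, a date past 2038 */
    printf("parsed 4102444800 -> %ld\n",
           (long)lease_date_from_epoch(4102444800LL));
    return 0;
}
```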

			Changes since 4.3.2rc2
- None

			Changes since 4.3.2rc1

- Corrected a compilation error introduced by the fix for ISC-Bugs #37415.
  The error occurs on Linux variants that do not support VLAN tag information
  in packet auxiliary data.  The configure script now only enables inclusion
  of the VLAN tag-based logic if it is supported by the underlying OS.
  [ISC-Bugs #38677]

			Changes since 4.3.2b1

- Specifying the option, --disable-debug, on the configure script command line
  now disables debug features.  Prior to this, specifying --disable-debug
  incorrectly enabled debug features. Thanks to Gustavo Zacarias for reporting
  the issue.
  [ISC-Bugs #37780]

- Unit test execution now uses a path augmented during configuration
  processing of the --with-atf option to locate ATF runtime tools, atf-run
  and atf-report. For most installations of ATF, this should alleviate the
  need to manually include them in the PATH, as was formerly required.
  If the configure script cannot locate the tools it will emit a warning,
  informing the user that the tools must be in the PATH when running unit
  tests.
  Secondly, please note that "make check" will now exit with a failure status
  code (non-zero) if one or more unit tests fail.  This means that invoking
  "make check" from an upper level directory will cause the make process to
  STOP after the first test subdirectory with failed test(s).  To force all
  tests in all subdirectories to run, regardless of individual test outcome,
  use the command "make -k check".
  [ISC-Bugs #38619]

			Changes since 4.3.1

- Corrected parser's right brace matching when a statement contains an error.
  [ISC-Bugs #36021]

- TSIG-authenticated dynamic DNS updates now support the use of these
  additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
  and hmac-sha512.
  [ISC-Bugs #36947]

- Added check for invalid failover message type. Thanks to Tobias Stoeckmann
  working with the OpenBSD project who spotted the issue and provided the
  patch.
  [ISC-Bugs #36653]

- Corrected rate limiting checks for bad packet logging.  Thanks to Tobias
  Stoeckmann working with the OpenBSD project who spotted the issue and
  provided the patch.
  [ISC-Bugs #36897]

- Log statements depicting what files will be used by the server now occur
  after the configuration file has been processed.
  [ISC-Bugs #36671]

- Addressed Coverity issues reported as of 07-31-2014:
  [ISC-Bugs #36712] Corrects Coverity reported "high" impact issues.
  [ISC-Bugs #36933] Corrects Coverity reported "medium" impact issues.
  [ISC-Bugs #37708] Fixes compilation error in dst_api.c seen in older
  compilers that was introduced by #36712.

- Server now supports a failover split value of 256.
  [ISC-Bugs #36664]

- Remove unneeded error #defines.  These defines were included in case
  external programs required the older versions of the macro.  They
  have been #ifdeffed for now and will be removed at a future date.
  See site.h for the #define to include them again, but you should
  switch to using the DHCP_R_* versions instead of the ISC_R_* versions.
  Also ISC_R_MULTIPLE has been removed as it is also defined in bind.
  [ISC-Bugs #37128]

- Added checks in range6 and prefix6 statement parsing to ensure addresses
  are within the declared subnet. Thanks to Jiri Popelka at Red Hat for the
  bug report and patch.
  [ISC-Bugs #32453]
  [ISC-Bugs #17766]
  [ISC-Bugs #18510]
  [ISC-Bugs #23698]
  [ISC-Bugs #28883]

- Addressed checksum issues:
  Added checksum readiness check to Linux packet filtering which eliminates
  invalid packet drops due to checksum errors when checksum offloading is
  in use.  Based on dhcp-4.2.2-xen-checksum.patch made to the Fedora project.
  [ISC-Bugs #22806]
  [ISC-Bugs #15902]
  [ISC-Bugs #17739]
  [ISC-Bugs #18010]
  [ISC-Bugs #22556]
  [ISC-Bugs #29769]
  Inbound packets with UDP checksums of 0xffff now validate correctly rather
  than being dropped.
  [ISC-Bugs #24216]
  [ISC-Bugs #25587]

- Added the echo-client-id configuration parameter to the server configuration.
  The server now supports RFC 6842 compliant behavior by setting a new
  configuration parameter, echo-client-id.  When enabled, the server will
  include the client identifier option (Option code 61) if received, in its
  responses.  The server identifier returned in NAKs (if enabled) will now
  be the globally defined value (if one exists) if the server cannot attribute the
  inbound request to a known subnet.
  [ISC-Bugs #35958]
  [ISC-Bugs #32545]

- Added support of the configuration parameter, use-host-decl-names, to
  BOOTP request handling.
  [ISC-Bugs #36233]

- Added logic to ignore the signal, SIGPIPE, which ensures write failures
  will be delivered as errors rather than as SIGPIPE signals on all OSs.
  Thanks to Marius Tomaschewski from SUSE who reported the issue and provided
  the patch upon which the fix is based.
  [ISC-Bugs #32222]

- In the failover code, handle the case of communications being interrupted
  when the servers are dealing with POTENTIAL-CONFLICT.  This patch allows
  the primary to accept the secondary moving from POTENTIAL-CONFLICT to
  RESOLUTION-INTERRUPTED as well as handling the bind update process better.
  In addition the code to resend update or update all requests has been
  modified to send requests more often.
  [ISC-Bugs #36810]
  [ISC-Bugs #20352]

- By default, the server will now choose the value to use in the forward DNS
  name from the following in order of preference:

    1. FQDN option if provided by the client
    2. Host name option if provided by the client
    3. Configured option host-name if defined

  As before, this may be overridden by defining ddns-hostname to the desired
  value (or expression).  In addition, the server logic has been extended to
  use the value of the host name declaration if use-host-decl-names is enabled
  and no other value is available.
  [ISC-Bugs #21323]

- DNS updates were being attempted when dhcp-cache-threshold enabled the use of
  the existing lease and the forward DNS name had not changed.  This has been
  corrected.
  [ISC-Bugs #37368]
  [ISC-Bugs #38686]

- Corrected an issue which caused dhclient to incorrectly form the result when
  prepending or appending to the IPv4 domain-search option, received from the
  server, when either of the values being combined contain compressed
  components.
  [ISC-Bugs #20558]

- Added the server-id-check parameter to the server configuration.
  This parameter allows run-time control over whether or not a server,
  participating in failover, verifies the dhcp-server-identifier option in
  DHCP REQUESTs against the server's id before processing the request.
  Formerly, enabling this behavior was done at compilation time through
  the use of the #define, SERVER_ID_CHECK, which has been removed from site.h.
  The functionality is now only available through the new runtime parameter.
  [ISC-Bugs #37551]

- During startup, when the server encounters a lease whose binding state is
  FTS_BACKUP but whose pool has no configured failover peer, it will reset the
  lease's binding state to FTS_FREE.  This allows the leases to be reclaimed
  by the server after a pool's configuration has changed from failover to
  standalone. Prior to this such leases would remain stuck in the backup state
  making them unavailable for assignment.  Note this conversion will occur
  whether or not the server is compiled for failover.
  [ISC-Bugs #36960]

- Fixed a small issue in the treatment of hosts in the inform processing
  that could cause the response to an inform to include information from
  the wrong scope.  The two examples we've heard of are getting subnet
  instead of group information associated with a host entry, or getting
  global information instead of subnet if the host entry was built via
  omapi.  Thanks to Julien Soula at University of Lille for finding the
  bug and supplying a patch.
  [ISC-Bugs #35712]

- Avoid calling pool_timer() recursively from supersede_lease().  This could
  result in leases changing state incorrectly or delaying the running of the
  lease expiration code.
  [ISC-Bugs #38002]

- Move the check for a PID file and process to be before we rewrite the
  lease file.  This avoids the possibility of starting a second instance
  of a server which changes the current lease file confusing the first
  instance.  This check is only included if the admin hasn't disabled PID
  files.
  [ISC-Bugs #38078]
  [ISC-Bugs #38143]

- In the client code change the way preferred_life and max_life are printed
  for environment variables to be unsigned rather than signed.
  Thanks to Jiri Popelka at Red Hat for the bug report and patch.
  [ISC-Bugs #37084]

- Modified Linux packet handling such that packets received via VLAN are now
  seen only by the VLAN interface. Prior to this, such packets were seen by
  both the VLAN interface and its parent (physical) interface, causing the
  server to respond to both.  Note this remains an issue for non-Linux OSs.
  Thanks to Jiri Popelka at Red Hat for the patch.
  [ISC-Bugs #37415]
  [ISC-Bugs #37133]
  [ISC-Bugs #36668]
  [ISC-Bugs #36652]

- Log content has been changed to more directly suggest that admins should
  check for multiple IPv6 clients attempting to use the same DUID when only
  abandoned addresses are available.  Debug level logging will now emit counts
  of the total, in-use, and abandoned addresses in a shared subnet
  when the server finds no addresses available for a given DUID.  Lastly,
  threshold logging is now automatically disabled for shared subnets whose
  total number of possible addresses exceeds (2^64)-1.
  [ISC-Bugs #26376]
  [ISC-Bugs #38131]

- Added a global parameter, prefix-length-mode, which may be used to determine
  how the server uses a non-zero value for prefix-length supplied by clients
  when soliciting DHCPv6 prefixes.  The server supports selection modes of:
  ignore, prefer, exact, minimum and maximum which are described in detail in
  the server man pages.  The prior behavior of the server was to only offer a
  prefix whose length exactly matched the prefix-length value requested. If
  no such prefixes were available, the server returned a status of none
  available.  Note the default mode, "exact", provides this same behavior.
  [ISC-Bugs #36780]
  [ISC-Bugs #32228]

- Corrected inconsistencies in dhcrelay's setting the upper interface hop count
  limit such that it now sets it to 32 when the upstream address is a multicast
  address per RFC 3315 Section 20. Prior to this if the -u argument preceded
  the -l argument on the command line or if the same interface was specified
  for both; the logic to set the hop limit count for the upper interface was
  skipped.  This caused the hop count limit to be set to the default value
  (typically 1) in the outbound upstream packets.
  [ISC-Bugs #37426]

			Changes since 4.3.1b1

- Modify the linux and openwrt dhclient scripts to process information
  from a stateless request.  Thanks to Jiri Popelka at Red Hat for the
  bug report and patch.
  [ISC-Bugs #36102]

- Remove more unused RCSID tags.  These weren't noticed in 4.3 as
  the code isn't used anymore but we remove them here to keep the
  code consistent across versions.
  [ISC-Bugs #36451]

			Changes since 4.3.0

- Tidy up several small tickets.
  Correct parsing of DUID from config file, previously the LL type
  was put in the wrong place in the DUID string.
  [ISC-Bugs #20962]
  Add code to parse "do-forward-updates" as well as "do-forward-update"
  Thanks to Jiri Popelka at Red Hat.
  [ISC-Bugs #31328]
  Remove log_priority as it isn't currently used.
  [ISC-Bugs #33397]
  Increase the size of the buffer used for reading interface information.
  [ISC-Bugs #34858]

- Remove an extra set of the msg_controllen variable.
  [ISC-Bugs #21035]

- Add a more understandable error message if a configuration attempts
  to add multiple keys for a single zone.  Thanks to a patch from Jiri
  Popelka at Red Hat.
  [ISC-Bugs #31892]

- Fix some minor issues in the dst code.
  [ISC-Bugs #34172]

- Properly #ifdef functions so that the code can compile without NSUPDATE.
  [ISC-Bugs #35058]

- Update the partner's stos (start time of state, basically when we last
  heard from this partner) field when updating the state in failover.
  [ISC-Bugs #35549]

- Modify the overload processing to allow space for the remote agent ID.
  [ISC-Bugs #35569]
  Handle the ordering of the SUBNET_MASK option even if it is the last
  option in the list.
  [ISC-Bugs #24580]

- Remove the code that allows a server to follow RFC3315 instead of
  the subsequent errata from August 2010 when determining which IAs
  to include if no addresses will be assigned.
  [ISC-Bugs #28938]

- Remove unused RCSID tags.
  [ISC-Bugs #35846]

- Correct the v6 client timing code.  When doing the timing backoff
  for MRT limit it to MRD.
  Thanks to Jiri Popelka at Red Hat for the bug report and fix.
  [ISC-Bugs #21238]

- Add a log entry when killing a client and remove the PID files
  when a server, relay or client are killed.
  [ISC-Bugs #16970]
  [ISC-Bugs #17258]

- Some minor cleanups in the client code.
  In addition to checking for dhcpc check for bootpc in the services list.
  [ISC-Bugs #18933]
  Correct the client code to only try to get a lease once when
  given the "-1" argument.
  Thanks to Jiri Popelka at Red Hat for the bug report and fix.
  [ISC-Bugs #26735]
  When asked for the version don't send the output to syslog.
  [ISC-Bugs #29772]
  Add the next server information to the environment variables for
  use by the client script.  In order to avoid changing the client
  lease file the next server information isn't written to it.
  Thanks to Tomas Hozza at Red Hat for the suggestion and a prototype fix.
  [ISC-Bugs #33098]

- Several updates to the dhcp server code.
  When not in quiet mode print out the files being used.
  [ISC-Bugs #17551]
  As accessing some pid files may require privileges move the dropping
  of permission bits due to the paranoia patch to be after the pid code.
  Thanks to Jiri Popelka at Red Hat for the bug report and fix.
  [ISC-Bugs #25806]
  When processing a "--version" request don't output the version information
  to syslog.

- Add the "enable-log-pid" build option to the configure script.  When enabled
  this causes the client, server and relay programs to include the PID
  number in syslog messages.
  Thanks to Marius Tomaschewski for the suggestion and proto-patch.
  [ISC-Bugs #29713]

- Add a #define to specify the prefix length used when a client attempts
  to configure an address.  This can be modified by editing includes/site.h.
  By default it is set to 64.  While 128 might be a better choice it would
  also be a change for currently running systems, so we have left it at 64.
  [ISC-Bugs #DHCP-2]

- Add a run time option to the client "-df" to allow the administrator to
  point to a second lease file the client can search for a DUID.  This can
  be used to allow a v4 and a v6 instance of the client to share a DUID.
  The second file will only be searched if there isn't a DUID in the main
  lease file and the DUID will be written out to the main lease file.
  [ISC-Bugs #34886]

- Have the client fsync the lease file to avoid lease corruption if the
  client hibernates or otherwise shuts down.
  [ISC-Bugs #35894]

- Add a check for L2VLAN in bpf.c to help support VLAN interfaces
  Thanks to Steinar Haug for the suggestion.
  [ISC-Bugs #36033]

- Modify the handling of the resolv.conf file to allow the DHCP
  process to start up even if the resolv.conf file has problems.
  [ISC-Bugs #35989]

- Add threshold logging functionality.  Two new options,
  log-threshold-low and log-threshold-high, indicate to the
  server if and when it should log an error message as addresses
  in a pool are used.
  [ISC-Bugs #34487]

- Add code to properly dereference a pointer in the dhclient code
  on an error condition.
  [ISC-Bugs #36194]

- Add code to help clean up soft leases.
  [ISC-Bugs #36304]

- Disable the gentle shutdown functionality until we can determine
  the best way to present it to remove or reduce the side effects.
  [ISC-Bugs #36066]

			Changes since 4.3.0rc1

- None

			Changes since 4.3.0b1

- Tidy up receive packet processing.
  Thanks to Brad Plank of GTA for reporting the issue and suggesting
  a possible patch.
  [ISC-Bugs #34447]

			Changes since 4.3.0a1

- Modify the message displayed when a process hits a fatal error.
  The new message is much shorter and simply points to the README
  and our website for directions on bug submissions.
  [ISC-Bugs #24789]

- Handle an absent resolv.conf file better.
  [ISC-Bugs #35194]

			Changes since 4.2.0 (new features)

- If a client renews before 'dhcp-cache-threshold' percent of its lease
  has elapsed (default 25%), the server will reuse the allocated lease
  (provide a lease within the currently allocated lease-time) rather
  than extend or renew the lease.  This absolves the server of needing
  to perform an fsync() operation on the lease database before reply,
  which improves performance. [ISC-Bugs #22228]
  Updated this patch to support asynchronous DDNS.  If the server is
  attempting to do DDNS on a lease it should be updated and written to
  disk even if that wouldn't be necessary due to the thresholding.
  [ISC-Bugs #26311]

- The 'no available billing' log line now also logs the name of the last
  matching billing class tried before failing to provide a billing.
  [ISC-Bugs #21759]

- A problem with missing get_hw_addr function when --enable-use-sockets
  was used is now solved on GNU/Linux, BSD and GNU/Hurd systems. Note
  that use-sockets feature was not tested on those systems. Client and
  server code no longer use MAX_PATH constant that is not defined on
  GNU/Hurd systems. [ISC-Bugs #25979]

- Add a perl script in the contrib directory, dhcp-lease-list.pl, which
  can parse v4 lease files and output the lease information in a more
  human friendly manner.  This was written by Christian Hammers with
  some updates by vom and ISC.  This is contributed code and is not
  supported by ISC; however it may be useful to some users.
  [ISC-Bugs #20680]

- Add support in v6 for on-commit, on-expire and on-release.
  [ISC-Bugs #27912]

- Add support for using classes with v6.
  [ISC-Bugs #26510]

- Update the DDNS code to current standards and allow for sharing
  of DDNS entries between v4 and v6 clients.  The new code is used
  if the ddns-update-style is set to "standard", the older code is
  still available if ddns-update-style is set to "interim".  The
  oldest DDNS code "ad-hoc" has been removed.  Thanks to Thomas Pegeot
  who submitted a patch for this issue.  This patch is based on
  that work with some modifications.
  [ISC-Bugs #21139]

- Add a configuration option to the server to suppress using fsync().
  Enabling this option will mean that fsync() is never called.  This
  may provide better performance but there is also a risk that a lease
  will not be properly written to the disk after it has been issued
  to a client and before the server stops.  Using this option is
  not recommended.
  [ISC-Bugs #34810]

- Add some logging statements to indicate when the server is ready
  to serve.  One statement is emitted after the server has finished
  reading its files and is about to enter the dispatch loop.
  This is "Server starting service.".
  The second is emitted when a server determines that both it and
  its failover peer are in the normal state.
  This is "failover peer <name>: Both servers normal."
  [ISC-Bugs #33208]

- Add support for accessing options from v6 relays.  The v6relay
  statement allows the administrator to choose which relay to
  use when searching for an option, see the dhcp-options man page
  for a description.  The host-identifier option has also been
  updated to support the use of relay options, see the dhcpd.conf
  man page for a description.
  [ISC-Bugs #19598]

- When doing DDNS if there isn't an appropriate zone statement attempt
  to find a reasonable nameserver via a DNS resolver.  This restores
  some functionality that was lost in the transition to asynchronous
  DDNS.  Due to the lack of security and increase in fragility of the
  system when using this feature we strongly recommend the use of
  appropriate zone statements rather than using this functionality.
  [ISC-Bugs #30461]

- Add support for specifying the address from which to send
  DDNS updates on the DHCP server.  There are two new options
  "ddns-local-address4" and "ddns-local-address6" that each take
  one instance of their respective address types.
  [ISC-Bugs #34779]

- Add ignore-client-uids option in the server.  This option causes
  the server to not record a client's uid in its lease.  This
  violates the specification but may also be useful when a client
  can dual boot using different client ids but the same mac address.
  Thank you to Brian De Wolf at Cal Poly Pomona for the patch.
  [ISC-Bugs #32427]
  [ISC-Bugs #35066]

- Extend the DHCPINFORM processing to honor the subnet selection option
  and take host declarations into account.
  Thanks to Christof Chen for testing and submitting the patch.
  [ISC-Bugs #35015]

- Extend the hardware expression to look into the lease structure
  for a hardware address if there is no packet.  This allows the
  server to find the hardware address during on-expiry processing.
  [ISC-Bugs #24584]

- Add definitions for some options that have been specified by the IETF.
  [ISC-Bugs #29268]
  [ISC-Bugs #35198]

			Changes since 4.2.0 (bug fixes)

- When using 'ignore client-updates;', the FQDN returned to the client
  is no longer truncated to one octet.

- Cleaned up an unused hardware address variable in nak_lease().

- Manpage entries for the ia-pd and ia-prefix options were updated to
  reflect support for prefix delegation.

- Cleaned up some compiler warnings

- An optimization described in the failover protocol draft is now included,
  which permits a DHCP server operating in communications-interrupted state
  to 'rewind' a lease to the state most recently transmitted to its peer,
  greatly increasing a server's endurance in communications-interrupted.
  This is supported using a new 'rewind state' record on the dhcpd.leases
  entry for each lease.

- Fix the trace code which was broken by the changes to the DDNS code.

- Update the fsync code to work with the changes to the DDNS code.  It now
  uses a timer instead of noticing if there are no more packets to process.

- When constructing the DNS name structure from a text string append
  the root to relative names.  This satisfies a requirement in the DNS
  library that names be absolute instead of relative and prevents DHCP
  from crashing.  [ISC-Bugs #21054]

- "The LDAP Patch" that has been circulating for some time, written by
  Brian Masney and S.Kalyanasundraram and maintained for application to
  the DHCP-4 sources by David Cantrell has been included.  Please be
  advised that these sources were contributed, and do not yet meet the
  high standards we place on production sources we include by default.
  As a result, the LDAP features are only included by using a compile-time
  option which defaults off, and if you enable it you do so under your
  own recognizance.  We will be improving this software over time.
  [ISC-Bugs #17741]

- Prohibit including lease time information in a response to a DHCP INFORM.
  [ISC-Bugs #21092]

! Accept a client id of length 0 while hashing.  Previously the server would
  exit if it attempted to hash a zero length client id, providing attackers
  with a simple denial of service attack.  [ISC-Bugs #21253]
  CERT: VU#541921 - CVE: CVE-2010-2156

- A memory leak in ddns processing was closed.  [ISC-Bugs #21377]

- Modify the exception handling for initial context creation.  Previously
  we would try and clean up before exiting.  This could present problems
  when the cleanup required part of the context that wasn't available.  It
  also didn't do much as we exited afterwards anyway.   Now we simply log
  the error and exit. [ISC-Bugs #21093]

- A bug was fixed that could cause the DHCPv6 server to advertise/assign a
  previously allocated (active) lease to a client that has changed subnets,
  despite being on different shared networks.  Dynamic prefixes specifically
  allocated in shared networks also now are not offered if the client has
  moved.  [ISC-Bugs #21152]

- Add some debugging output for use with the DDNS code. [ISC-Bugs #20916]

- Fix the trace code to handle timing events better and to truncate a file
  before using instead of overwriting it.  [ISC-Bugs #20969]

- Modify the determination of the default TTL to use for DDNS updates.
  The user may still configure the ttl via ddns-ttl.  The default for
  both v4 and v6 is now 1/2 the (preferred) lease time with a limit.  The
  previous defaults (1/2 lease time without a limit for v4 and a default
  value for v6) may be used by defining USE_OLD_DDNS_TTL in site.h
  [ISC-Bugs #21126]

- libisc/libdns is now brought up to version 9.7.1rc1.  This corrects
  three reported flaws in ISC DHCP;

  o DHCP processes (dhcpd, dhclient) fail to start if one of either the
    IPv4 or IPv6 address families is not present.  [ISC-Bugs #21122]

  o Assertion failure when attempting to cancel a previously running DDNS
    update.  [ISC-Bugs #21133]

  o Compilation failure of libisc/libdns due to the use of a flexible
    array member.  [ISC-Bugs #21316]

- Add declaration for variable in debug code in alloc.c.  [ISC-Bugs #21472]

- Documentation cleanup covering multiple tickets
  [ISC-Bugs #20265] [ISC-Bugs #20259] minor cleanup
  [ISC-Bugs #20263] add text describing some default values
  [ISC-Bugs #20193] single quotes at the start of a line indicate a control
  line to nroff, escape them if we actually want a quote.
  [ISC-Bugs #18916] sync the pointer to web pages amongst the different docs

- 'get-host-names true;' now also works even if 'use-host-decl-names true;'
  was also configured.  The nature of this repair also fixes another
  error; the host-name supplied by a client is no longer overridden by a
  reverse lookup of the lease address.  Thanks to a patch from Wilco Baan
  Hofman supplied to us by the Debian package maintenance team.
  [ISC-Bugs #21691] {Debian Bug#509445}

- The .TH tag for the dhcp-options manpage was typo repaired
  thanks to a report from jidanni and the Debian package maintenance
  team.  [ISC-Bugs #21676] {Debian Bug#563613}

- More documentation changes - primarily to put the options in the dhclient
  and dhcpd man pages into the standard form.  Thanks in part to a patch
  from David Cantrell at Red Hat.
  [ISC-Bugs #20264] and parts of [ISC-Bugs #17744] dhclient.8 changes

- Add code to clear the pointer to an object in an OMAPI handle when the
  object is freed due to a dereference.  [ISC-Bugs #21306]

- Fixed a bug that leaks host record references onto lease structures,
  causing the server to apply configuration intended for one host to any
  other innocent clients that come along later.  [ISC-Bugs #22018]

- Minor code fixes
  [ISC-Bugs #19566] When trying to find the zone for a name for ddns allow
  the name to be at the apex of the zone.
  [ISC-Bugs #19617] Restrict length of interface name read from command line
  in dhcpd - based on a patch from David Cantrell at Red Hat.
  [ISC-Bugs #20039] Correct some error messages in dhcpd.c
  [ISC-Bugs #20070] Better range check on values when creating a DHCID.
  [ISC-Bugs #20198] Avoid writing past the end of the field when adding
  overly long file or server names to a packet and add a log message
  if the configuration supplied overly long names for these fields.
  Thanks to Martin Pala.
  [ISC-Bugs #21497] Add a little more randomness to rng seed in client
  thanks to a patch from Jeremiah Jinno.

- Correct error handling in DLPI [ISC-Bugs #20378]

- Remove __sun__ and __hpux__ typedefs in osdep.h as they are now being
  checked in configure.  [ISC-Bugs #20443]

- Modify how the cmsg header is allocated in the v6 send and receive routines
  to compile on more compilers.  [ISC-Bugs #20524]

- When parsing a domain name free the memory for the name after we are
  done with it.  [ISC-Bugs #20824]

- Add an elapsed time option to the release message and refactor the
  code to move most of the common code to a single routine.
  [ISC-Bugs #21171].

- Two identical log messages for commit_leases() have been disambiguated.
  [ISC-Bugs #18915]

- Parse date strings more properly - the code now handles semi-colons in
  date strings correctly.  Thanks to a patch from Jiri Popelka at Red Hat.
  [ISC-Bugs #21501, #20598]

- Fixes to lease input and output.
  [ISC-Bugs #20418] - Some systems don't support the "%s" argument to
  strftime, paste together the same string using mktime instead.
  [ISC-Bugs #19596] - When parsing iaid values accept printable
  characters.
  [ISC-Bugs #21585] - Always print time values in omshell as hex
  instead of ascii if the values happen to be printable characters.

- Minor changes for scripts, configure.ac and Makefiles
  [ISC-Bugs #19147] Use domain-search instead of domain-name in manual and
                    example conf file.  Thanks to a patch from David Cantrell
                    at Red Hat.
  [ISC-Bugs #19761] Restore address when doing a rebind in DHCPv6
  [ISC-Bugs #19945] Properly close the quote on some arguments.
  [ISC-Bugs #20952] Add 64 bit types to configure.ac
  [ISC-Bugs #21308] Add "PATH=" to CLIENT_PATH environment variable

- Update the code to parse dhcpv6 lease files to accept a semi-colon at
  the end of the max-life and preferred-life clauses.  In order to be
  backwards compatible with older lease files not finding a semi-colon
  is also accepted.  [ISC-Bugs #22303].

! Handle a relay forward message with an unspecified address in the
  link address field.  Previously such a message would cause the
  server to crash.  Thanks to a report from John Gibbons.  [ISC-Bugs #21992]
  CERT: VU#102047 CVE: CVE-2010-3611

- ./configure no longer searches for -lcrypto to explicitly link against.
  This fixes a bug where 'dhclient' would have shared library dependencies
  on '/usr/lib'.  [ISC-Bugs #21967]

- Handle pipe failures more gracefully.  Some OSes pass a SIGPIPE
  signal to a process and will kill the process if the signal isn't
  caught.  This patch adds code to turn off the SIGPIPE signal via
  a setsockopt() call.  The signal is already being ignored as part
  of the ISC library.  [ISC-Bugs #22269]

- Restore printing of values in omshell to the style pre 21585.  For
  21585 we changed the print routines to always display time values
  as a hex list.  This had a side effect of printing all data strings
  as a hex list.  We shall investigate other ways of displaying time
  values more usefully.  [ISC-Bugs #22626]

! Fix the handling of connection requests on the failover port.
  Previously a connection request from a source that wasn't
  listed as a failover peer would cause the server to become
  non-responsive.  Thanks to a report from Brad Bendily, brad@bendily.com.
  [ISC-Bugs #22679]
  CERT: VU#159528 CVE: CVE-2010-3616

- Don't pass the ISC_R_INPROGRESS status to the omapi signal handlers.
  Passing it through to the handlers caused the omshell program to fail
  to connect to the server.  [ISC-Bugs #21839]

- Fix the parenthesis in the code to process configuration statements
  beginning with "auth".  The previous arrangement caused
  "auto-partner-down" to be processed incorrectly.  [ISC-Bugs #21854]

- Limit the timeout period allowed in the dispatch code to 2^^32-1 seconds.
  Thanks to a report from Jiri Popelka at Red Hat.
  [ISC-Bugs #22033], [Red Hat Bug #628258]

- When processing the format flags for a given option consume the
  flag indicating an optional value correctly.  A symptom of this
  bug was an infinite loop when trying to parse the slp-service-scope
  option.  Thanks to a patch from Marius Tomaschewski.
  [ISC-Bugs #22055]

- Disable the use of kqueue in the ISC library.  This avoids a problem
  between the fork and socket code that caused the dhcpd process to
  use all available cpu if the program daemonized itself.
  [ISC-Bugs #21911]

! When processing a request in the DHCPv6 server code that specifies
  an address that is tagged as abandoned (meaning we received a
  decline request for it previously) don't attempt to move it from
  the inactive to active pool as doing so can result in the server
  crashing on an assert failure.  Also retag the lease as active
  and reset its timeout value.
  [ISC-Bugs #21921]

- Removed the restriction on using IPv6 addresses in IPv4 mode.  This
  allows IPv4 options which contain IPv6 addresses to be specified.  For
  example the 6rd option can be specified and used like this:
  [ISC-Bugs #23039]

	option 6rd code 212 = { integer 8, integer 8,
				ip6-address, array of ip-address };
	option 6rd 16 10 2001:: 1.2.3.4, 5.6.7.8;

- Handle some DDNS corner cases better.  Maintain the DDNS transaction
  information when updating a lease and cancel any existing transactions
  when removing the ddns information.
  [ISC-Bugs #23103]

- Some fixes for LDAP
  [ISC-Bugs #21783] - Include lber library when building ldap
  [ISC-Bugs #22888] - Enable the ldap code when building common
  The above fixes are from Jiri Popelka at Red Hat.

- Modify the dlpi code to accept getmsg() returning a positive value.
  [ISC-Bugs #22824]

! In dhclient check the data for some string options for
  reasonableness before passing it along to the script that
  interfaces with the OS.
  [ISC-Bugs #23722]
  CVE: CVE-2011-0997
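
One way to perform the kind of reasonableness check described in the CVE-2011-0997 entry above, shown as an added example and not ISC's own code. The acceptance policy (letters, digits, hyphens and dots only, with DNS length limits), the function names, and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN  253   /* longest textual DNS name */
#define MAX_LABEL_LEN 63    /* longest single label */

/* ASCII letter, digit or hyphen; avoids locale-dependent isalnum(). */
static int is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/*
 * Return 1 if data[0..len) is acceptable as a host or domain name
 * received from a server, 0 otherwise.  The length comes from the
 * option header, so an embedded NUL is seen and rejected rather than
 * silently truncating the value.  One trailing dot is allowed.
 */
int name_option_is_reasonable(const unsigned char *data, size_t len)
{
    size_t i, label = 0;

    if (data == NULL || len == 0 || len > MAX_NAME_LEN)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = data[i];

        if (c == '.') {
            /* No empty labels, and no label ending in a hyphen. */
            if (label == 0 || data[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (!is_ldh(c))
            return 0;           /* whitespace, quotes, ';', '$', NUL, ... */
        if (label == 0 && c == '-')
            return 0;           /* label may not start with a hyphen */
        if (++label > MAX_LABEL_LEN)
            return 0;
    }
    return data[len - 1] != '-';
}

/*
 * Build "VAR=value" for the client script's environment only when the
 * value passes the check.  Returns the string length, or -1 (with an
 * empty output string) if the value is rejected or does not fit.
 */
int format_env_entry(const char *var, const unsigned char *data, size_t len,
                     char *out, size_t outsz)
{
    int n = -1;

    if (name_option_is_reasonable(data, len))
        n = snprintf(out, outsz, "%s=%.*s", var, (int)len, (const char *)data);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
#define SAMPLE(s) { s, sizeof(s) - 1 }
    /* Constructed option values; not taken from any real capture. */
    static const struct { const char *data; size_t len; } samples[] = {
        SAMPLE("client7.example.org"),
        SAMPLE("host name"),
        SAMPLE("ab\0cd"),
        SAMPLE("-edge.example"),
    };
    char env[300];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = format_env_entry("new_host_name",
                                 (const unsigned char *)samples[i].data,
                                 samples[i].len, env, sizeof(env));
        printf("sample %lu: %s\n", (unsigned long)i,
               n < 0 ? "rejected, not exported" : env);
    }
    return 0;
}
```

Rejected values are dropped rather than repaired, so the script never sees a partially cleaned string.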

- DHCPv6 server now responds properly if client asks for a prefix that
  is already assigned to a different client. [ISC-Bugs #23948]

- Add the option "--no-pid" to the client, relay and server code,
  to disable writing a pid file.  Add the option "-pf pidfile"
  to the relay to allow the user to supply the pidfile name at
  runtime.  Add the "with-relay6-pid-file" option to configure
  to allow the user to supply the pidfile name for the relay
  in v6 mode at configure time.
  [ISC-Bugs #23351] [ISC-Bugs #17541]

- 'dhclient' no longer waits a random interval after first starting up to
  begin in the INIT state.  This conforms to RFC 2131, but elects not to
  implement a 'SHOULD' direction in section 4.1. The goal of this change
  is to start up faster. [ISC-Bugs #19660]

- Added 'initial-delay' parameter that specifies maximum amount of time
  before client goes to the INIT state. The default value is 0. In previous
  versions of the code client could wait up to 5 seconds. The old behavior
  may be restored by using 'initial-delay 5;' in the client config file.
  [ISC-Bugs #19660]

- ICMP ping-check should now sit closer to precisely the number of seconds
  configured (or default 1), due to making use of the new microsecond
  scale timer internally to dhcpd.  This corrects a bug where the server
  may immediately timeout an ICMP ping-check if it was made late in the
  current second. [ISC-Bugs #19660]

- The DHCP client will schedule renewal and rebinding events in
  microseconds if the DHCP server provided a lease-time that would result
  in sub-1-second timers.  This corrects a bug where a 2-second or lower
  lease-time would cause the DHCP client to enter an infinite loop by
  scheduling renewal at zero seconds. [ISC-Bugs #19660]

- Client lease records are recorded at most once every 15 seconds.  This
  keeps the client from filling the lease database disk quickly on very small
  lease times. [ISC-Bugs #19660]

- To defend against RFC 2131 non-compliant DHCP servers which fail to
  advertise a lease-time (either mangled, or zero in value) the DHCP
  client now adds the server to the reject list ACL and returns to INIT
  state to hopefully find an RFC 2131 compliant server (or retry in INIT
  forever). [ISC-Bugs #19660]

- Parameters configured to evaluate from user defined function calls can
  now be correctly written to dhcpd.leases (as on 'on events' or dynamic
  host records inserted via OMAPI).  [ISC-Bugs #22266]

- If a 'next-server' parameter is configured in a dynamic host record via
  OMAPI as a domain name, the syntax written to disk is now correctly parsed
  upon restart.  [ISC-Bugs #22266]