4558. [bug] Synthesised CNAME before matching DNAME was still
being cached when it should have been. [RT #44318]
4557. [security] Combining dns64 and rpz can result in dereferencing
a NULL pointer (read). (CVE-2017-3135) [RT #44434]
4288. [bug] Fixed a regression in resolver.c:possibly_mark()
which caused known-bogus servers to be queried
anyway. [RT #41321]
4286. [security] render_ecs errors were mishandled when printing out
an OPT record resulting in an assertion failure.
(CVE-2015-8705) [RT #41397]
4285. [security] Specific APL data could trigger an INSIST.
(CVE-2015-8704) [RT #41396]
4170. [security] An incorrect boundary check in the OPENPGPKEY
rdatatype could trigger an assertion failure.
(CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
Only the change to lib/dns/zone.c is security relevant.
Upstream changelog:
--- 9.10.1-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
3383. [security] A certain combination of records in the RBT could
cause named to hang while populating the additional
section of a response. [RT #31090]
--- 9.9.1-P2 released ---
3346. [security] Bad-cache data could be used before it was
initialized, causing an assert. [RT #30025]
3345. [bug] Addressed race condition when removing the last item
or inserting the first item in an ISC_QUEUE.
[RT #29539]
3342. [bug] Change #3314 broke saving of stub zones to disk
resulting in excessive cpu usage in some cases.
[RT #29952]
Upstream changelog:
--- 9.8.0-P4 released ---
3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets. [RT #24777]
--- 9.8.0-P3 released (withdrawn) ---
3126. [security] Using DNAME record to generate replacements caused
RPZ to exit with an assertion failure. [RT #23766]
3125. [security] Using wildcard CNAME records as a replacement with
RPZ caused named to exit with an assertion failure.
[RT #24715]
3123. [security] Change #2912 exposed a latent flaw in
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777]
3115. [bug] Named could fail to return requested data when
following a CNAME that points into the same zone.
[RT #2445]