2019-08-07 - v2.9
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
* added configuration of airtime policy
* fixed FILS to and RSNE into (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* added support for regulatory WMM limitation (for ETSI)
* added support for MACsec Key Agreement using IEEE 802.1X/PSK
* added experimental support for EAP-TEAP server (RFC 7170)
* added experimental support for EAP-TLS server with TLS v1.3
* added support for two server certificates/keys (RSA/ECC)
* added AKMSuiteSelector into "STA <addr>" control interface data to
determine with AKM was used for an association
* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
fast reauthentication use to be disabled
* fixed an ECDH operation corner case with OpenSSL
2019-04-21 - v2.8
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only group 19
(i.e., disable groups 20, 21, 25, 26 from default configuration) and
disable all unsuitable groups completely based on REVmd changes
- improved anti-clogging token mechanism and SAE authentication
frame processing during heavy CPU load; this mitigates some issues
with potential DoS attacks trying to flood an AP with large number
of SAE messages
- added Finite Cyclic Group field in status code 77 responses
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494)
- fixed confirm message validation in error cases
[https://w1.fi/security/2019-3/] (CVE-2019-9496)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495)
- verify peer scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/]
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
* Hotspot 2.0 changes
- added support for release number 3
- reject release 2 or newer association without PMF
* added support for RSN operating channel validation
(CONFIG_OCV=y and configuration parameter ocv=1)
* added Multi-AP protocol support
* added FTM responder configuration
* fixed build with LibreSSL
* added FT/RRB workaround for short Ethernet frame padding
* fixed KEK2 derivation for FILS+FT
* added RSSI-based association rejection from OCE
* extended beacon reporting functionality
* VLAN changes
- allow local VLAN management with remote RADIUS authentication
- add WPA/WPA2 passphrase/PSK -based VLAN assignment
* OpenSSL: allow systemwide policies to be overridden
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* fixed FT and SA Query Action frame with AP-MLME-in-driver cases
* OWE: allow Diffie-Hellman Parameter element to be included with DPP
in preparation for DPP protocol extension
* RADIUS server: started to accept ERP keyName-NAI as user identity
automatically without matching EAP database entry
* fixed PTK rekeying with FILS and FT
ChangeLog for hostapd
2019-08-07 - v2.9
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
2019-04-21 - v2.8
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9499)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/]
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
the default still seems to be sloppy focus.
is this a bug? does ctwm use a different definition of sloppy focus to
the rest of the world? we may never know
- built-in regex is required only when ${USE_WIDECHAR} == "yes"
- -DUSE_WIDECHAR cpp flag should be determined by ${USE_WIDECHAR},
not ${USE_BUILTIN_REGEX}
- reduce .if -- .endif block for clarity
* package/debian/copyright, VERSION, package/byacc.spec, package/debian/changelog, package/mingw-byacc.spec, package/pkgsrc/Makefile:
bump
2021-01-05 Thomas E. Dickey <dickey@invisible-island.net>
* configure: regen
* aclocal.m4: resync with my-autoconf
2020-09-22 Thomas E. Dickey <dickey@invisible-island.net>
* closure.c, warshall.c:
fix undefined-behavior diagnosed with gcc -fsanitize=undefined (report by
Alexander Richardson)
2020-09-10 Thomas E. Dickey <dickey@invisible-island.net>
* LICENSE: RCS_BASE
* reader.c, output.c: cppcheck -- reduce scope
* defs.h: update to 2.0
* test/btyacc/btyacc_calc1.tab.c, test/btyacc/btyacc_demo.tab.c, test/btyacc/btyacc_destroy1.tab.c, test/btyacc/btyacc_destroy2.tab.c, test/btyacc/btyacc_destroy3.tab.c, test/btyacc/calc.tab.c, test/btyacc/calc1.tab.c, test/btyacc/calc2.tab.c, test/btyacc/calc3.tab.c, test/btyacc/calc_code_all.tab.c, test/btyacc/calc_code_default.tab.c, test/btyacc/calc_code_imports.tab.c, test/btyacc/calc_code_provides.tab.c, test/btyacc/calc_code_requires.tab.c, test/btyacc/calc_code_top.tab.c, test/btyacc/code_calc.code.c, test/btyacc/code_error.code.c, test/btyacc/defines1.calc.c, test/btyacc/defines2.calc.c, test/btyacc/defines3.calc.c, test/btyacc/empty.tab.c, test/btyacc/err_inherit1.tab.c, test/btyacc/err_inherit2.tab.c, test/btyacc/err_inherit3.tab.c, test/btyacc/err_inherit4.tab.c, test/btyacc/err_inherit5.tab.c, test/btyacc/err_syntax1.tab.c, test/btyacc/err_syntax10.tab.c, test/btyacc/err_syntax11.tab.c, test/btyacc/err_syntax12.tab.c, test/btyacc/err_syntax13.tab.c, test/btyacc/err_syntax14.tab.c, test/btyacc/err_syntax15.tab.c, test/btyacc/err_syntax16.tab.c, test/btyacc/err_syntax17.tab.c, test/btyacc/err_syntax18.tab.c, test/btyacc/err_syntax19.tab.c, test/btyacc/err_syntax2.tab.c, test/btyacc/err_syntax20.tab.c, test/btyacc/err_syntax21.tab.c, test/btyacc/err_syntax22.tab.c, test/btyacc/err_syntax23.tab.c, test/btyacc/err_syntax24.tab.c, test/btyacc/err_syntax25.tab.c, test/btyacc/err_syntax26.tab.c, test/btyacc/err_syntax27.tab.c, test/btyacc/err_syntax3.tab.c, test/btyacc/err_syntax4.tab.c, test/btyacc/err_syntax5.tab.c, test/btyacc/err_syntax6.tab.c, test/btyacc/err_syntax7.tab.c, test/btyacc/err_syntax7a.tab.c, test/btyacc/err_syntax7b.tab.c, test/btyacc/err_syntax8.tab.c, test/btyacc/err_syntax8a.tab.c, test/btyacc/err_syntax9.tab.c, test/btyacc/error.tab.c, test/btyacc/expr.oxout.tab.c, test/btyacc/grammar.tab.c, test/btyacc/inherit0.tab.c, test/btyacc/inherit1.tab.c, test/btyacc/inherit2.tab.c, test/btyacc/ok_syntax1.tab.c, test/btyacc/pure_calc.tab.c, test/btyacc/pure_error.tab.c, test/btyacc/quote_calc-s.tab.c, test/btyacc/quote_calc.tab.c, test/btyacc/quote_calc2-s.tab.c, test/btyacc/quote_calc2.tab.c, test/btyacc/quote_calc3-s.tab.c, test/btyacc/quote_calc3.tab.c, test/btyacc/quote_calc4-s.tab.c, test/btyacc/quote_calc4.tab.c, test/btyacc/rename_debug.c, test/btyacc/stdin1.calc.c, test/btyacc/stdin2.calc.c, test/btyacc/varsyntax_calc1.tab.c, test/yacc/calc.tab.c, test/yacc/calc1.tab.c, test/yacc/calc2.tab.c, test/yacc/calc3.tab.c, test/yacc/calc_code_all.tab.c, test/yacc/calc_code_default.tab.c, test/yacc/calc_code_imports.tab.c, test/yacc/calc_code_provides.tab.c, test/yacc/calc_code_requires.tab.c, test/yacc/calc_code_top.tab.c, test/yacc/code_calc.code.c, test/yacc/code_error.code.c, test/yacc/defines1.calc.c, test/yacc/defines2.calc.c, test/yacc/defines3.calc.c, test/yacc/empty.tab.c, test/yacc/err_syntax1.tab.c, test/yacc/err_syntax10.tab.c, test/yacc/err_syntax11.tab.c, test/yacc/err_syntax12.tab.c, test/yacc/err_syntax13.tab.c, test/yacc/err_syntax14.tab.c, test/yacc/err_syntax15.tab.c, test/yacc/err_syntax16.tab.c, test/yacc/err_syntax17.tab.c, test/yacc/err_syntax18.tab.c, test/yacc/err_syntax19.tab.c, test/yacc/err_syntax2.tab.c, test/yacc/err_syntax20.tab.c, test/yacc/err_syntax21.tab.c, test/yacc/err_syntax22.tab.c, test/yacc/err_syntax23.tab.c, test/yacc/err_syntax24.tab.c, test/yacc/err_syntax25.tab.c, test/yacc/err_syntax26.tab.c, test/yacc/err_syntax27.tab.c, test/yacc/err_syntax3.tab.c, test/yacc/err_syntax4.tab.c, test/yacc/err_syntax5.tab.c, test/yacc/err_syntax6.tab.c, test/yacc/err_syntax7.tab.c, test/yacc/err_syntax7a.tab.c, test/yacc/err_syntax7b.tab.c, test/yacc/err_syntax8.tab.c, test/yacc/err_syntax8a.tab.c, test/yacc/err_syntax9.tab.c, test/yacc/error.tab.c, test/yacc/expr.oxout.tab.c, test/yacc/grammar.tab.c, test/yacc/ok_syntax1.tab.c, test/yacc/pure_calc.tab.c, test/yacc/pure_error.tab.c, test/yacc/quote_calc-s.tab.c, test/yacc/quote_calc.tab.c, test/yacc/quote_calc2-s.tab.c, test/yacc/quote_calc2.tab.c, test/yacc/quote_calc3-s.tab.c, test/yacc/quote_calc3.tab.c, test/yacc/quote_calc4-s.tab.c, test/yacc/quote_calc4.tab.c, test/yacc/rename_debug.c, test/yacc/stdin1.calc.c, test/yacc/stdin2.calc.c, test/yacc/varsyntax_calc1.tab.c:
update to version 2.0
* reader.c:
improve loop which skips backward through a (possibly nested) sequence of
square-brackets.
* reader.c: simplify a check to quiet a bogus cppcheck-warning
* yacc.1: bump date
* reader.c: add a note about a bogus cppcheck warning
* configure: regen
* configure.in:
always check for gcc attributes, to work around defect in clang's imitation
of this feature
* reader.c: cppcheck -- scope reduction
cppcheck -- eliminate bogus returns after no-return functions
* verbose.c, output.c, mkpar.c, main.c, warshall.c, lr0.c, lalr.c, graph.c, closure.c:
cppcheck -- scope reduction
* package/debian/compat: quiet compatibility-warning
* yacc.1: use "ASCII" for dashes which are part of proper names
* configure: regen
* configure.in: switch to --enable-warnings, for consistency
* aclocal.m4:
resync with my-autoconf, for compiler-warning fixes with macOS
* VERSION, package/byacc.spec, package/debian/changelog, package/mingw-byacc.spec, package/pkgsrc/Makefile:
bump
2020-08-16 Thomas E. Dickey <dickey@invisible-island.net>
* config.guess, config.sub: 2020-08-17
2020-06-28 Thomas E. Dickey <dickey@invisible-island.net>
* config.sub: 2020/06/28
2020-06-14 Thomas E. Dickey <dickey@invisible-island.net>
* config.guess: 2020/04/26
2020-03-30 Thomas E. Dickey <dickey@invisible-island.net>
* package/debian/copyright: bump
* test/yacc/grammar.tab.c, test/btyacc/grammar.tab.c, test/grammar.y, reader.c:
typo found with codespell
* yacc.1: fixes noted in the original report, overlooked in followup
2020-03-30 Bjarni.Ingi.Gislason
* yacc.1: typography/spelling fixes - Debian #955175
2020-03-30 Thomas E. Dickey <dickey@invisible-island.net>
* VERSION, package/byacc.spec, package/debian/changelog, package/mingw-byacc.spec, package/pkgsrc/Makefile:
bump
2020-03-10 Thomas E. Dickey <dickey@invisible-island.net>
* configure: regen
* aclocal.m4:
resync with my-autoconf, mostly fixes for compiler-warnings
* configure.in: use macro to suppress X-dependency from newer macros
2019-12-20 Thomas E. Dickey <dickey@invisible-island.net>
* config.guess: 2019-12-21
2019-11-25 Tom.Shields
* main.c:
fix an inconsistency between the getopt and non-getopt configuration.
In the former, getopt always used "yacc", not the name of the executable.
2019-11-25 Thomas E. Dickey <dickey@invisible-island.net>
* test/run_make.sh:
suppress bison's -Wyacc warning, which is not useful.
* VERSION, package/byacc.spec, package/debian/changelog, package/mingw-byacc.spec, package/pkgsrc/Makefile:
bump
2019-11-19 Thomas E. Dickey <dickey@invisible-island.net>
* yacc.1: new version of manpage
* VERSION, package/byacc.spec, package/debian/changelog, package/mingw-byacc.spec, package/pkgsrc/Makefile:
bump
* yacc.1: document %code
* test/btyacc/calc_code_all.error, test/btyacc/calc_code_all.output, test/btyacc/calc_code_all.tab.c, test/btyacc/calc_code_all.tab.h, test/btyacc/calc_code_default.error, test/btyacc/calc_code_default.output, test/btyacc/calc_code_default.tab.c, test/btyacc/calc_code_default.tab.h, test/btyacc/calc_code_imports.error, test/btyacc/calc_code_imports.output, test/btyacc/calc_code_imports.tab.c, test/btyacc/calc_code_imports.tab.h, test/btyacc/calc_code_provides.error, test/btyacc/calc_code_provides.output, test/btyacc/calc_code_provides.tab.c, test/btyacc/calc_code_provides.tab.h, test/btyacc/calc_code_requires.error, test/btyacc/calc_code_requires.output, test/btyacc/calc_code_requires.tab.c, test/btyacc/calc_code_requires.tab.h, test/btyacc/calc_code_top.error, test/btyacc/calc_code_top.output, test/btyacc/calc_code_top.tab.c, test/btyacc/calc_code_top.tab.h, test/yacc/calc_code_all.tab.c, test/yacc/calc_code_all.tab.h, test/yacc/calc_code_default.tab.c, test/yacc/calc_code_provides.tab.c, test/yacc/calc_code_provides.tab.h, test/yacc/calc_code_requires.tab.c, test/yacc/calc_code_requires.tab.h, test/yacc/calc_code_top.tab.c:
RCS_BASE
* output.c:
amend updates for 'outline' when processing "%code" in code-file
* output.c:
modify output_code_lines() to show begin/end block comments which were in
reader.c, and to generate a #line for the code-file.
* reader.c:
modify copy_code() to allow for multiple %code directives for a given
section, recording the input line-number for each directive as a #line
in the resulting string. remove the block start/end comments, since those
will be done for a whole section in output.c
* mstring.c, defs.h: add msrenew()
* test/yacc/calc_code_all.error, test/yacc/calc_code_all.output, test/yacc/calc_code_default.error, test/yacc/calc_code_default.output, test/yacc/calc_code_default.tab.h, test/yacc/calc_code_imports.error, test/yacc/calc_code_imports.output, test/yacc/calc_code_imports.tab.c, test/yacc/calc_code_imports.tab.h, test/yacc/calc_code_provides.error, test/yacc/calc_code_provides.output, test/yacc/calc_code_requires.error, test/yacc/calc_code_requires.output, test/yacc/calc_code_top.error, test/yacc/calc_code_top.output, test/yacc/calc_code_top.tab.h:
RCS_BASE
2019-11-18 Thomas E. Dickey <dickey@invisible-island.net>
* test/calc_code_imports.y, test/calc_code_all.y, test/calc_code_default.y, test/calc_code_top.y, test/calc_code_provides.y, test/calc_code_requires.y:
RCS_BASE
2019-11-04 Michael.Forney
* defs.h: add missing "extern" for new variable "code_lines"
2019-11-03 Thomas E. Dickey <dickey@invisible-island.net>
* main.c: build-fix for MinGW cross-compiling
* output.c, reader.c: gcc-warnings
* output.c: check validity of text_file before rewind
remove redundant check of iflag
* main.c: fix memory-leak reported by clang
* mkpar.c: guard against a null-reference reported by clang (unlikely)
* reader.c: fix two coverity warnings:
a) resource leak on malloc-failure
b) possible null-pointer dereference on parse-error
* test/btyacc/err_inherit4.tab.h, test/btyacc/btyacc_demo.tab.h: regen
* defs.h: use enum's to simplify recent change
* mstring.c:
enable mstring() in regular byacc, since Zoulas' change relies upon it
2019-11-03 Christos.Zoulas
* defs.h, reader.c, output.c: add support for bison's "%code" feature
also fix a small bug: declare YYLTYPE externally when producing locations
2019-11-03 Thomas E. Dickey <dickey@invisible-island.net>
* test/btyacc/help.error, test/btyacc/no_b_opt.error, test/btyacc/no_output2.error, test/btyacc/no_p_opt.error, test/yacc/help.error, test/yacc/no_b_opt.error, test/yacc/no_output2.error, test/yacc/no_p_opt.error:
regen
* test/run_test.sh:
there's no standard wording for the options-errors from getopt;
filter that to "error message" in the test reference files.
* main.c:
provide for using getopt(), to accommodate a case where developers have
relied upon non-POSIX behavior.
* test/run_test.sh:
getopt's messages do not print the full pathname of yacc in some cases;
adjust the sed-script which changes those to "YACC"
* configure: regen
* config_h.in: regen, using autoheader-252
* configure.in: add configure check for getopt
* configure: regen
* aclocal.m4:
resync with my-autoconf adds a fix which accommodates a difference in
warning options between gcc/clang when --enable-warnings is not set.
* VERSION, package/byacc.spec, package/debian/changelog, package/mingw-byacc.spec, package/pkgsrc/Makefile:
bump
2019-09-11 Thomas E. Dickey <dickey@invisible-island.net>
* config.guess, config.sub: 2019-09-10
release builds done for cobalt and evbmips64-eb
Provide an __eprol symbol in TEXT_START_SYMBOLS. MIPS overrides
TEXT_START_SYMBOLS so it misses out on the default definition of
this that does provide an __eprol symbol. Fixes linking of profiled
binaries.
5578. [protocol] Make "check-names" accept A records below "_spf",
"_spf_rate", and "_spf_verify" labels in order to cater
for the "exists" SPF mechanism specified in RFC 7208
section 5.7 and appendix D.1. [GL #2377]
5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by
correctly implementing Equation (2) of the "Flexible and
Robust Key Rollover" paper. [GL #2375]
5575. [bug] When migrating to KASP, BIND 9 considered keys with the
"Inactive" and/or "Delete" timing metadata to be
possible active keys. This has been fixed. [GL #2406]
5572. [bug] Address potential double free in generatexml().
[GL #2420]
5571. [bug] named failed to start when its configuration included a
zone with a non-builtin "allow-update" ACL attached.
[GL #2413]
5570. [bug] Improve performance of the DNSSEC verification code by
reducing the number of repeated calls to
dns_dnssec_keyfromrdata(). [GL #2073]
5569. [bug] Emit useful error message when "rndc retransfer" is
applied to a zone of inappropriate type. [GL #2342]
5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
keys. [GL #2178]
5567. [bug] Dig now reports unknown dash options while pre-parsing
the options. This prevents "-multi" instead of "+multi"
from reporting memory usage before ending option parsing
with "Invalid option: -lti". [GL #2403]
5566. [func] Add "stale-answer-client-timeout" option, which is the
amount of time a recursive resolver waits before
attempting to answer the query using stale data from
cache. [GL #2247]
5565. [func] The SONAMEs for BIND 9 libraries now include the current
BIND 9 version number, in an effort to tightly couple
internal libraries with a specific release. [GL #2387]
5562. [security] Fix off-by-one bug in ISC SPNEGO implementation.
(CVE-2020-8625) [GL #2354]
5561. [bug] KASP incorrectly set signature validity to the value of
the DNSKEY signature validity. This is now fixed.
[GL #2383]
5560. [func] The default value of "max-stale-ttl" has been changed
from 12 hours to 1 day and the default value of
"stale-answer-ttl" has been changed from 1 second to 30
seconds, following RFC 8767 recommendations. [GL #2248]
5456. [func] Added "primaries" as a synonym for "masters" in
named.conf, and "primary-only" as a synonym for
"master-only" in the parameters to "notify", to bring
terminology up-to-date with RFC 8499. [GL #1948]
5362. [func] Limit the size of IXFR responses so that AXFR will
be used instead if it would be smaller. This is
controlled by the "max-ixfr-ratio" option, which
is a percentage representing the ratio of IXFR size
to the size of the entire zone. This value cannot
exceed 100%, which is the default. [GL #1515]
--- 9.16.11 released ---
5559. [bug] The --with-maxminddb=PATH form of the build-time option
enabling support for libmaxminddb was not working
correctly. This has been fixed. [GL #2366]
5557. [bug] Prevent RBTDB instances from being destroyed by multiple
threads at the same time. [GL #2317]
5556. [bug] Further tweak newline printing in dnssec-signzone and
dnssec-verify. [GL #2359]
5555. [bug] server->reload_status was not properly initialized.
[GL #2361]
5554. [bug] dnssec-signzone and dnssec-verify were missing newlines
between log messages. [GL #2359]
5553. [bug] When reconfiguring named, removing "auto-dnssec" did not
turn off DNSSEC maintenance. [GL #2341]
5552. [func] When switching to "dnssec-policy none;", named now
permits a safe transition to insecure mode and publishes
the CDS and CDNSKEY DELETE records, as described in RFC
8078. [GL #1750]
5551. [bug] named no longer attempts to assign threads to CPUs
outside the CPU affinity set. Thanks to Ole Bjørn
Hessen. [GL #2245]
5550. [func] dnssec-signzone and named now log a warning when falling
back to the "increment" SOA serial method. [GL #2058]
5545. [func] OS support for load-balanced sockets is no longer
required to receive incoming queries in multiple netmgr
threads. [GL #2137]
5543. [bug] Fix UDP performance issues caused by making netmgr
callbacks asynchronous-only. [GL #2320]
5542. [bug] Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
[GL #2321]
--- 9.16.10 released ---
5544. [func] Restore the default value of "nocookie-udp-size" to 4096
bytes. [GL #2250]
5541. [func] Adjust the "max-recursion-queries" default from 75 to
100. [GL #2305]
5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
[GL #2315]
5539. [bug] Tighten handling of missing DNS COOKIE responses over
UDP by falling back to TCP. [GL #2275]
5538. [func] Add NSEC3 support to KASP. A new option for
"dnssec-policy", "nsec3param", can be used to set the
desired NSEC3 parameters. NSEC3 salt collisions are
automatically prevented during resalting. Salt
generation is now logged with zone context. [GL #1620]
5534. [bug] The CNAME synthesized from a DNAME was incorrectly
followed when the QTYPE was CNAME or ANY. [GL #2280]
--- 9.16.9 released ---
5533. [func] Add the "stale-refresh-time" option, a time window that
starts after a failed lookup, during which a stale RRset
is served directly from cache before a new attempt to
refresh it is made. [GL #2066]
5530. [bug] dnstap did not capture responses to forwarded UPDATE
requests. [GL #2252]
5527. [bug] A NULL pointer dereference occurred when creating an NTA
recheck query failed. [GL #2244]
5525. [bug] Change 5503 inadvertently broke cross-compilation by
replacing a call to AC_LINK_IFELSE() with a call to
AC_RUN_IFELSE() in configure.ac. This has been fixed,
making cross-compilation possible again. [GL #2237]
5523. [bug] The initial lookup in a zone transitioning to/from a
signed state could fail if the DNSKEY RRset was not
found. [GL #2236]
5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
5520. [bug] Fixed a number of shutdown races, reference counting
errors, and spurious log messages that could occur
in the network manager. [GL #2221]
5518. [bug] Stub zones now work correctly with primary servers using
"minimal-responses yes". [GL #1736]
5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
[GL #2208]
--- 9.16.8 released ---
5516. [func] The default EDNS buffer size has been changed from 4096
to 1232 bytes. [GL #2183]
5515. [func] Add 'rndc dnssec -rollover' command to trigger a manual
rollover for a specific key. [GL #1749]
5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
[GL #2171]
5513. [doc] The ARM section describing the "rrset-order" statement
was rewritten to make it unambiguous and up-to-date with
the source code. [GL #2139]
5512. [bug] "rrset-order" rules using "order none" were causing
named to crash despite named-checkconf treating them as
valid. [GL #2139]
5511. [bug] 'dig -u +yaml' failed to display timestamps to the
microsecond. [GL #2190]
5510. [bug] Implement the attach/detach semantics for dns_message_t
to fix a data race in accessing an already-destroyed
fctx->rmessage. [GL #2124]
5509. [bug] filter-aaaa: named crashed upon shutdown if it was in
the process of recursing for A RRsets. [GL #1040]
5508. [func] Added new parameter "-expired" for "rndc dumpdb" that
also prints expired RRsets (awaiting cleanup) to the
dump file. [GL #1870]
5507. [bug] Named could compute incorrect SIG(0) responses.
[GL #2109]
5506. [bug] Properly handle failed sysconf() calls, so we don't
report invalid memory size. [GL #2166]
5505. [bug] Updating contents of a mixed-case RPZ could cause some
rules to be ignored. [GL #2169]
5503. [bug] Cleaned up reference counting of network manager
handles, now using isc_nmhandle_attach() and _detach()
instead of _ref() and _unref(). [GL #2122]
--- 9.16.7 released ---
5501. [func] Log CDS/CDNSKEY publication. [GL #1748]
5500. [bug] Fix (non-)publication of CDS and CDNSKEY records.
[GL #2103]
5499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime.
[GL #1748]
5497. [bug] 'dig +bufsize=0' failed to disable EDNS. [GL #2054]
5496. [bug] Address a TSAN report by ensuring each rate limiter
object holds a reference to its task. [GL #2081]
5495. [bug] With query minimization enabled, named failed to
resolve ip6.arpa. names that had extra labels to the
left of the IPv6 part. [GL #1847]
5494. [bug] Silence the EPROTO syslog message on older systems.
[GL #1928]
5493. [bug] Fix off-by-one error when calculating new hash table
size. [GL #2104]
5492. [bug] Tighten LOC parsing to reject a period (".") and/or "m"
as a value. Fix handling of negative altitudes which are
not whole meters. [GL #2074]
5491. [bug] rbtversion->glue_table_size could be read without the
appropriate lock being held. [GL #2080]
5489. [bug] Named erroneously accepted certain invalid resource
records that were incorrectly processed after
subsequently being written to disk and loaded back, as
the wire format differed. Such records include: CERT,
IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
X25. [GL !3953]
5488. [bug] NTA code needed to have a weak reference on its
associated view to prevent the latter from being deleted
while NTA tests were being performed. [GL #2067]
5486. [func] Add 'rndc dnssec -checkds' command, which signals to
named that the DS record for a given zone or key has
been updated in the parent zone. [GL #1613]
--- 9.16.6 released ---
5484. [func] Expire zero TTL records quickly rather than using them
for stale answers. [GL #1829]
5483. [func] A new configuration option "stale-cache-enable" has been
introduced to enable or disable keeping stale answers in
cache. [GL #1712]
5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
not yet finished after adding a new IPv6 address to the
system, BIND 9 would fail to bind to IPv6 addresses in a
tentative state. [GL #2038]
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
5479. [security] named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled. (CVE-2020-8621) [GL #1997]
5478. [security] It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message.
(CVE-2020-8620) [GL #1996]
5477. [bug] The idle timeout for connected TCP sockets, which was
previously set to a high fixed value, is now derived
from the client query processing timeout configured for
a resolver. [GL #2024]
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
overridden by other rules that were loaded from RPZ
zones which appeared later in the "response-policy"
statement. This has been fixed. [GL #1619]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
5473. [func] The RBT hash table implementation has been changed
to use a faster hash function (HalfSipHash2-4) and
Fibonacci hashing for better distribution. Setting
"max-cache-size" now preallocates a fixed-size hash
table so that rehashing does not cause resolution
brownouts while the hash table is grown. [GL #1775]
5471. [bug] The introduction of KASP support inadvertently caused
the second field of "sig-validity-interval" to always be
calculated in hours, even in cases when it should have
been calculated in days. This has been fixed. (Thanks to
Tony Finch.) [GL !3735]
5469. [port] On illumos, a constant called SEC is already defined in
<sys/time.h>, which conflicts with an identically named
constant in libbind9. This conflict has been resolved.
[GL #1993]
5468. [bug] Addressed potential double unlock in process_fd().
[GL #2005]
5466. [bug] Addressed an error in recursive clients stats reporting.
[GL #1719]
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
or trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]
5464. [bug] Requesting more than 128 files to be saved when rolling
dnstap log files caused a buffer overflow. This has been
fixed. [GL #1989]
5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
5461. [bug] The STALE rdataset header attribute was updated while
the write lock was not being held, leading to incorrect
statistics. The header attributes are now converted to
use atomic operations. [GL #1475]
TEXT_START_SYMBOLS so it misses out on the default definition of
this that does provide an __eprol symbol. Fixes linking of profiled
binaries.
OK: christos@
Prevents null pointer dereferences when ZFS replaces this
illegal (according to IS_EPHEMERAL()) id with another
illegal id in operation zfs_fuid_create_cred() and
finally zfs_log_create() dereferences fuidp being NULL.
Adresses PR misc/55042 (Panic when creating a directory on a NFS served ZFS)
Do it properly and only enable thread-safety, but not the worker thread
support. The latter is what requires the whole libpthread dependency.
A potential compromis would be to use a weak pthread_create and only
enable worker threads if it is provided, but given that it is only
really used for large sorts, don't bother for now.
While here stop caring about RTM_LOSING as that's purely informational.
If routing does change then we get RTM_ADD/DEL/CHANGE.
Also stop caring about RTM_IFANNOUNCE as we really only want addresses
and interface flag updates which we get by RTM_NEWADDR/DELADDR/CHGADDR and
RTM_IFINFO.
jkoshy