b2ff27eecd
--- 9.18.24 released ---

6343. [bug] Fix case insensitive setting for isc_ht hashtable. [GL #4568]

--- 9.18.23 released ---

6322. [security] Specific DNS answers could cause a denial-of-service condition due to DNS validation taking a long time. (CVE-2023-50387) [GL #4424]
6321. [security] Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234]
6320. [bug] Under some circumstances, the DoT code in client mode could process more than one message at a time when that was not expected. That has been fixed. [GL #4487]

--- 9.18.22 released ---

6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning. [GL #4383]
6317. [security] Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334]
6316. [security] Specific queries could trigger an assertion check with nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
6315. [security] Speed up parsing of DNS messages with many different names. (CVE-2023-4408) [GL #4234]
6314. [bug] Address race conditions in dns_tsigkey_find(). [GL #4182]
6312. [bug] Conversion from NSEC3 signed to NSEC signed could temporarily put the zone into a state where it was treated as unsigned until the NSEC chain was built. Additionally conversion from one set of NSEC3 parameters to another could also temporarily put the zone into a state where it was treated as unsigned until the new NSEC3 chain was built. [GL #1794] [GL #4495]
6310. [bug] Memory leak in zone.c:sign_zone. When named signed a zone it could leak dst_keys due to a misplaced 'continue'. [GL #4488]
6306. [func] Log more details about the cause of "not exact" errors. [GL #4500]
6304. [bug] The wrong time was being used to determine what RRSIGs were to be generated when dnssec-policy was in use. [GL #4494]
6302. [func] The "trust-anchor-telemetry" statement is no longer marked as experimental. This silences a relevant log message that was emitted even when the feature was explicitly disabled. [GL #4497]
6300. [bug] Fix statistics export to use full 64 bit signed numbers instead of truncating values to unsigned 32 bits. [GL #4467]
6299. [port] NetBSD has added 'hmac' to libc which collides with our use of 'hmac'. [GL #4478]

--- 9.18.21 released ---

6297. [bug] Improve LRU cleaning behaviour. [GL #4448]
6296. [func] The "resolver-nonbackoff-tries" and "resolver-retry-interval" options are deprecated; a warning will be logged if they are used. [GL #4405]
6294. [bug] BIND might sometimes crash after startup or re-configuration when one 'tls' entry is used multiple times to connect to remote servers due to initialisation attempts from contexts of multiple threads. That has been fixed. [GL #4464]
6290. [bug] Dig +yaml will now report "no servers could be reached" also for UDP setup failure when no other servers or tries are left. [GL #1229]
6287. [bug] Recognize escapes when reading the public key from file. [GL !8502]
6286. [bug] Dig +yaml will now report "no servers could be reached" on TCP connection failure as well as for UDP timeouts. [GL #4396]
6282. [func] Deprecate AES-based DNS cookies. [GL #4421]

--- 9.18.20 released ---

6280. [bug] Fix missing newlines in the output of "rndc nta -dump". [GL !8454]
6277. [bug] Take into account local authoritative zones when falling back to serve-stale. [GL #4355]
6275. [bug] Fix assertion failure when using lock-file configuration option together with -X argument to named. [GL #4386]
6274. [bug] The 'lock-file' file was being removed when it shouldn't have been, making it ineffective if named was started 3 or more times. [GL #4387]
6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381]
6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and 2801:1b8:10::b. [GL #4101]
6267. [func] The timeouts for resending zone refresh queries over UDP were lowered to enable named to more quickly determine that a primary is down. [GL #4260]
6265. [bug] Don't schedule resign operations on the raw version of an inline-signing zone. [GL #4350]
6261. [bug] Fix a possible assertion failure on an error path in resolver.c:fctx_query(), when using an uninitialized link. [GL #4331]
6254. [cleanup] Add semantic patch to do an explicit cast from char to unsigned char in ctype.h class of functions. [GL #4327]
6252. [test] Python system tests have to be executed by invoking pytest directly. Executing them with the legacy test runner is no longer supported. [GL #4250]
6250. [bug] The wrong covered value was being set by dns_ncache_current for RRSIG records in the returned rdataset structure. This resulted in TYPE0 being reported as the covered value of the RRSIG when dumping the cache contents. [GL #4314]

--- 9.18.19 released ---

6246. [security] Fix use-after-free error in TLS DNS code when sending data. (CVE-2023-4236) [GL #4242]
6245. [security] Limit the amount of recursion that can be performed by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]
6244. [bug] Adjust log levels on malformed messages to NOTICE when transferring in a zone. [GL #4290]
6241. [bug] Take into account the possibility of partial TLS writes in TLS DNS code. That helps to prevent DNS messages corruption on long DNS over TLS streams. [GL #4255]
6240. [bug] Use dedicated per-worker thread jemalloc memory arenas for send buffers allocation to reduce memory consumption and avoid lock contention. [GL #4038]
6239. [func] Deprecate the 'dnssec-must-be-secure' option. [GL #3700]
6237. [bug] Address memory leaks due to not clearing OpenSSL error stack. [GL #4159]
6235. [doc] Clarify BIND 9 time formats. [GL #4266]
6234. [bug] Restore stale-refresh-time value after flushing the cache. [GL #4278]
6232. [bug] Following the introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs update rules, removal of nonexistent PTR and SRV records via UPDATE could fail. [GL #4280]
6231. [func] Make nsupdate honor -v for SOA requests if the server is specified. [GL #1181]
6230. [bug] Prevent an unnecessary query restart if a synthesized CNAME target points to the CNAME owner. [GL #3835]
6227. [bug] Check the statistics-channel HTTP Content-length to prevent negative or overflowing values from causing a crash. [GL #4125]
6224. [bug] Check the If-Modified-Since value length to prevent out-of-bounds write. [GL #4124]

--- 9.18.18 released ---

6220. [func] Deprecate the 'dialup' and 'heartbeat-interval' options. [GL #3700]
6219. [bug] Ignore 'max-zone-ttl' on 'dnssec-policy insecure'. [GL #4032]
6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API support is not configured. [GL #4225]
6213. [bug] Mark a primary server as temporarily unreachable if the TCP connection attempt times out. [GL #4215]
6212. [bug] Don't process detach and close netmgr events when the netmgr has been paused. [GL #4200]

--- 9.18.17 released ---

6206. [bug] Add shutdown checks in dns_catz_dbupdate_callback() to avoid a race with dns_catz_shutdown_catzs(). [GL #4171]
6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs. [GL #4154]
6204. [bug] Use NS records for relaxed QNAME-minimization mode. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the referrals that are normally cached. [GL #3325]
6200. [bug] Fix nslookup erroneously reporting a timeout when the input is delayed. [GL #4044]
6199. [bug] Improve HTTP Connection: header protocol conformance in the statistics channel. [GL #4126]
6198. [func] Remove the holes in the isc_result_t enum to compact the isc_result tables. [GL #4149]
6197. [bug] Fix a data race between the dns_zone and dns_catz modules when registering/unregistering a database update notification callback for a catalog zone. [GL #4132]
6196. [cleanup] Report "permission denied" instead of "unexpected error" when trying to update a zone file on a read-only file system. Thanks to Midnight Veil. [GL #4134]
6193. [bug] Fix a catz db update notification callback registration logic error, which could crash named when receiving an AXFR update for a catalog zone while the previous update process of the catalog zone was already running. [GL #4136]
6166. [func] Retry without DNS COOKIE on FORMERR if it appears that the FORMERR was due to the presence of a DNS COOKIE option. [GL #4049]

- crypto/dist/bind/lib
- dist
- external
- include
- lib/libc
- usr.sbin