xref: /minix3/external/bsd/bind/dist/doc/arm/notes.xml (revision 00b67f09dd46474d133c95011a48590a8e8f94c7) 
1<?xml version="1.0" encoding="utf-8"?>
2<!--
3 - Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
4 -
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
8 -
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
16-->
17
18<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
19  <xi:include href="noteversion.xml"/>
20  <sect2 id="relnotes_intro">
21    <title>Introduction</title>
22    <para>
23      This document summarizes changes since BIND 9.10.2:
24    </para>
25    <para>
26      BIND 9.10.2-P4 addresses security issues described in
27      CVE-2015-5722 and CVE-2015-5986.
28    </para>
29    <para>
30      BIND 9.10.2-P3 addresses a security issue described in
31      CVE-2015-5477.
32    </para>
33    <para>
34      BIND 9.10.2-P2 addresses a security issue described in
35      CVE-2015-4620.
36    </para>
37    <para>
38      BIND 9.10.2-P1 addressed several bugs that have been identified
39      in the BIND 9.10 implementation of response-policy zones (RPZ).
40      The bugs are in code which optimizes searching through multiple
41      policy zones. In some cases, they can cause RPZ to behave
42      inefficiently by searching for query matches in more policy
43      zones than are strictly necessary, or to behave unpredictably
44      by failing to search a policy zone that should have been
45      searched.  In the worst case, they can lead to assertion
46      failures, terminating <command>named</command>.
47    </para>
48  </sect2>
49  <sect2 id="relnotes_download">
50    <title>Download</title>
51    <para>
52      The latest versions of BIND 9 software can always be found at
53      <ulink url="http://www.isc.org/downloads/"
54	>http://www.isc.org/downloads/</ulink>.
55      There you will find additional information about each release,
56      source code, and pre-compiled versions for Microsoft Windows
57      operating systems.
58    </para>
59  </sect2>
60  <sect2 id="relnotes_security">
61    <title>Security Fixes</title>
62    <itemizedlist>
63      <listitem>
64	<para>
65	  An incorrect boundary check in the OPENPGPKEY rdatatype
66	  could trigger an assertion failure. This flaw is disclosed
67	  in CVE-2015-5986. [RT #40286]
68	</para>
69      </listitem>
70      <listitem>
71	<para>
72	  A buffer accounting error could trigger an assertion failure
73	  when parsing certain malformed DNSSEC keys.
74	</para>
75	<para>
76	  This flaw was discovered by Hanno B&#xc3b6;eck of the Fuzzing
77	  Project, and is disclosed in CVE-2015-5722. [RT #40212]
78	</para>
79      </listitem>
80      <listitem>
81	<para>
82	  A specially crafted query could trigger an assertion failure
83	  in message.c.
84	</para>
85	<para>
86	  This flaw was discovered by Jonathan Foote, and is disclosed
87	  in CVE-2015-5477. [RT #39795]
88	</para>
89      </listitem>
90      <listitem>
91	<para>
92	  On servers configured to perform DNSSEC validation, an
93	  assertion failure could be triggered on answers from
94	  a specially configured server.
95	</para>
96	<para>
97	  This flaw was discovered by Breno Silveira Soares, and is
98	  disclosed in CVE-2015-4620. [RT #39795]
99	</para>
100      </listitem>
101    </itemizedlist>
102  </sect2>
103  <sect2 id="relnotes_features">
104    <title>New Features</title>
105    <itemizedlist>
106      <listitem>
107	<para>None</para>
108      </listitem>
109    </itemizedlist>
110  </sect2>
111  <sect2 id="relnotes_changes">
112    <title>Feature Changes</title>
113    <itemizedlist>
114      <listitem>
115	<para>None</para>
116      </listitem>
117    </itemizedlist>
118  </sect2>
119  <sect2 id="relnotes_bugs">
120    <title>Bug Fixes</title>
121    <itemizedlist>
122      <listitem>
123	<para>
124	  Asynchronous zone loads were not handled correctly when the
125	  zone load was already in progress; this could trigger a crash
126	  in zt.c. [RT #37573]
127	</para>
128      </listitem>
129      <listitem>
130	<para>
131	  Several bugs have been fixed in the RPZ implementation:
132	</para>
133	<itemizedlist>
134	  <listitem>
135	    <para>
136	      Policy zones that did not specifically require recursion
137	      could be treated as if they did; consequently, setting
138	      <command>qname-wait-recurse no;</command> was
139	      sometimes ineffective.  This has been corrected.
140	      In most configurations, behavioral changes due to this
141	      fix will not be noticeable. [RT #39229]
142	    </para>
143	  </listitem>
144	  <listitem>
145	    <para>
146	      The server could crash if policy zones were updated (e.g.
147	      via <command>rndc reload</command> or an incoming zone
148	      transfer) while RPZ processing was still ongoing for an
149	      active query. [RT #39415]
150	    </para>
151	  </listitem>
152	  <listitem>
153	    <para>
154	      On servers with one or more policy zones configured as
155	      slaves, if a policy zone updated during regular operation
156	      (rather than at startup) using a full zone reload, such as
157	      via AXFR, a bug could allow the RPZ summary data to fall out
158	      of sync, potentially leading to an assertion failure in
159	      rpz.c when further incremental updates were made to the
160	      zone, such as via IXFR. [RT #39567]
161	    </para>
162	  </listitem>
163	  <listitem>
164	    <para>
165	      The server could match a shorter prefix than what was
166	      available in CLIENT-IP policy triggers, and so, an
167	      unexpected action could be taken. This has been
168	      corrected. [RT #39481]
169	    </para>
170	  </listitem>
171	  <listitem>
172	    <para>
173	      The server could crash if a reload of an RPZ zone was
174	      initiated while another reload of the same zone was
175	      already in progress. [RT #39649]
176	    </para>
177	  </listitem>
178	</itemizedlist>
179      </listitem>
180    </itemizedlist>
181  </sect2>
182  <sect2 id="end_of_life">
183    <title>End of Life</title>
184    <para>
185      The end of life for BIND 9.10 is yet to be determined but
186      will not be before BIND 9.12.0 has been released for 6 months.
187      <ulink url="https://www.isc.org/downloads/software-support-policy/"
188	>https://www.isc.org/downloads/software-support-policy/</ulink>
189    </para>
190  </sect2>
191  <sect2 id="relnotes_thanks">
192    <title>Thank You</title>
193    <para>
194      Thank you to everyone who assisted us in making this release possible.
195      If you would like to contribute to ISC to assist us in continuing to
196      make quality open source software, please visit our donations page at
197      <ulink url="http://www.isc.org/donate/"
198	>http://www.isc.org/donate/</ulink>.
199    </para>
200  </sect2>
201</sect1>
202