<?xml version="1.0" encoding="utf-8"?>
<!--
 - Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="noteversion.xml"/>
  <sect2 id="relnotes_intro">
    <title>Introduction</title>
    <para>
      This document summarizes changes since BIND 9.10.2:
    </para>
    <para>
      BIND 9.10.2-P4 addresses security issues described in
      CVE-2015-5722 and CVE-2015-5986.
    </para>
    <para>
      BIND 9.10.2-P3 addresses a security issue described in
      CVE-2015-5477.
    </para>
    <para>
      BIND 9.10.2-P2 addresses a security issue described in
      CVE-2015-4620.
    </para>
    <para>
      BIND 9.10.2-P1 addressed several bugs that have been identified
      in the BIND 9.10 implementation of response-policy zones (RPZ).
      The bugs are in code which optimizes searching through multiple
      policy zones. In some cases, they can cause RPZ to behave
      inefficiently by searching for query matches in more policy
      zones than are strictly necessary, or to behave unpredictably
      by failing to search a policy zone that should have been
      searched.
      In the worst case, they can lead to assertion
      failures, terminating <command>named</command>.
    </para>
  </sect2>
  <sect2 id="relnotes_download">
    <title>Download</title>
    <para>
      The latest versions of BIND 9 software can always be found at
      <ulink url="http://www.isc.org/downloads/"
        >http://www.isc.org/downloads/</ulink>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </sect2>
  <sect2 id="relnotes_security">
    <title>Security Fixes</title>
    <itemizedlist>
      <listitem>
        <para>
          An incorrect boundary check in the OPENPGPKEY rdatatype
          could trigger an assertion failure. This flaw is disclosed
          in CVE-2015-5986. [RT #40286]
        </para>
      </listitem>
      <listitem>
        <para>
          A buffer accounting error could trigger an assertion failure
          when parsing certain malformed DNSSEC keys.
        </para>
        <para>
          This flaw was discovered by Hanno Böck of the Fuzzing
          Project, and is disclosed in CVE-2015-5722. [RT #40212]
        </para>
      </listitem>
      <listitem>
        <para>
          A specially crafted query could trigger an assertion failure
          in message.c.
        </para>
        <para>
          This flaw was discovered by Jonathan Foote, and is disclosed
          in CVE-2015-5477. [RT #39795]
        </para>
      </listitem>
      <listitem>
        <para>
          On servers configured to perform DNSSEC validation, an
          assertion failure could be triggered on answers from
          a specially configured server.
        </para>
        <para>
          This flaw was discovered by Breno Silveira Soares, and is
          disclosed in CVE-2015-4620.
          [RT #39795]
        </para>
      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="relnotes_features">
    <title>New Features</title>
    <itemizedlist>
      <listitem>
        <para>None</para>
      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="relnotes_changes">
    <title>Feature Changes</title>
    <itemizedlist>
      <listitem>
        <para>None</para>
      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="relnotes_bugs">
    <title>Bug Fixes</title>
    <itemizedlist>
      <listitem>
        <para>
          Asynchronous zone loads were not handled correctly when the
          zone load was already in progress; this could trigger a crash
          in zt.c.
          [RT #37573]
        </para>
      </listitem>
      <listitem>
        <para>
          Several bugs have been fixed in the RPZ implementation:
        </para>
        <itemizedlist>
          <listitem>
            <para>
              Policy zones that did not specifically require recursion
              could be treated as if they did; consequently, setting
              <command>qname-wait-recurse no;</command> was
              sometimes ineffective. This has been corrected.
              In most configurations, behavioral changes due to this
              fix will not be noticeable. [RT #39229]
            </para>
          </listitem>
          <listitem>
            <para>
              The server could crash if policy zones were updated (e.g.
              via <command>rndc reload</command> or an incoming zone
              transfer) while RPZ processing was still ongoing for an
              active query.
              [RT #39415]
            </para>
          </listitem>
          <listitem>
            <para>
              On servers with one or more policy zones configured as
              slaves, if a policy zone updated during regular operation
              (rather than at startup) using a full zone reload, such as
              via AXFR, a bug could allow the RPZ summary data to fall out
              of sync, potentially leading to an assertion failure in
              rpz.c when further incremental updates were made to the
              zone, such as via IXFR. [RT #39567]
            </para>
          </listitem>
          <listitem>
            <para>
              The server could match a shorter prefix than what was
              available in CLIENT-IP policy triggers, and so, an
              unexpected action could be taken. This has been
              corrected. [RT #39481]
            </para>
          </listitem>
          <listitem>
            <para>
              The server could crash if a reload of an RPZ zone was
              initiated while another reload of the same zone was
              already in progress.
              [RT #39649]
            </para>
          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="end_of_life">
    <title>End of Life</title>
    <para>
      The end of life for BIND 9.10 is yet to be determined but
      will not be before BIND 9.12.0 has been released for 6 months.
      <ulink url="https://www.isc.org/downloads/software-support-policy/"
        >https://www.isc.org/downloads/software-support-policy/</ulink>
    </para>
  </sect2>
  <sect2 id="relnotes_thanks">
    <title>Thank You</title>
    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <ulink url="http://www.isc.org/donate/"
        >http://www.isc.org/donate/</ulink>.
    </para>
  </sect2>
</sect1>