Internet Systems Consortium DHCP Distribution
- Version 4.4.0b1
- 09 January 2018
+ Version 4.4.3-P1
+ ? ????? 2022
+ Release Notes
- Release Notes
+ NEW FEATURES
- NEW FEATURES
+Please note that that ISC DHCP is licensed under the Mozilla Public
+License, MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read
+the MPL 2.0 license terms.
-Please note that that ISC DHCP is now licensed under the Mozilla Public License,
-MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
-license terms.
+NOTE: The client and relay components are now End-Of-Life.
+4.4.3 is the final release for those components.
-The areas of focus for ISC DHCP 4.4.0 were:
-
-1. Dynamic DNS additions
-2. dhclient improvements
-3. Support for dynamic shared libraries
-
-Dynamic DNS Improvements:
-
-- We added three new server configuration parameters which influence DDNS
- conflict resolution:
-
- 1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
- to mitigate issues with non-compliant clients in dual stack environments.
-
- 2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
- requirement of DNS conflict resolution.
-
- 3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
- allow unguarded DNS entries to be overwritten in certain cases
-
-- The server now honors update-static-leases parameter for static DHCPv6
- hosts.
-
-dhclient Improvements:
-
- - We've added three command line parameters to dhclient:
-
- 1. --prefix-len-hint - directs dhclient to use the given length as
- the prefix length hint when requesting prefixes
-
- 2. --decline-wait-time - instructs the client to wait the given number
- of seconds after declining an IPv4 address before issuing a discover
-
- 3. --address-prefix-len - specifies the prefix length passed by dhclient
- into the client script (via the environment variable ip6_prefixlen) with
- each IPv6 address. We added this parameter because we have changed the
- default value from 64 to 128 in order to be compliant with RFC3315bis
- draft (-09, page 64) and RFC5942, Section 4, point 1.
- **WARNING**: The new default value of 128 may not be backwardly compatible
- with your environment. If you are operating without a router, such as
- between VMs on a host, you may find they cannot see each other with prefix
- length of 128. In such cases, you'll need to either provide routing or use
- the command line parameter to set the value to 64. Alternatively you may
- change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
- in includes/site.h.
-
- - dhclient will now generate a DHCPv6 DECLINE message when the client script
- indicates a DAD failure
-
-Dynamic shared library support:
-
- Configure script, configure.ac+lt, which supports libtool is now provided
- with the source tar ball. This script can be used to configure ISC DHCP
- to build with libtool and thus use dynamic shared libraries.
-
-Other Highlights:
-
- - The server now supports dhcp-cache-threshold for DHCPv6 operations
- - The server now supports DHPv6 address allocation based on EUI-64 DUIDs
- - Experimental support for alternate relay port in the both the server
- and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)
-
-For information on how to install, configure and run this software, as
+For information on how to install, configure, and run this software, as
well as how to find documentation and report bugs, please consult the
README file.
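Review bot: the new date line `+ ? ????? 2022` is still a placeholder and must carry the real release date before this notes file is tagged; the same region also carries over the doubled word in `+Please note that that ISC DHCP is licensed under the Mozilla Public` from the removed line, which could be fixed to "Please note that ISC DHCP" while the line is being touched. The End-Of-Life note for client and relay is a good addition, but it should say where users of those components are directed next, since the notes give no pointer.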
-ISC DHCP uses standard GNU configure for installation. Please review the
-output of "./configure --help" to see what options are available.
+ISC DHCP uses the standard GNU configure command for installation. Please review the
+output of `./configure --help` to see what options are available.
-The system has only been tested on Linux, FreeBSD, and Solaris, and may not
-work on other platforms. Please report any problems and suggested fixes to
-<dhcp-users@isc.org>.
+The system has only been tested on Linux and FreeBSD, and may not work on
+other platforms. Please subscribe to the dhcp-users mailing list at
+https://lists.isc.org/mailman/listinfo/dhcp-users and report any problems
+and/or suggested fixes to dhcp-users@lists.isc.org.
ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
+ Changes since 4.4.3 (Bug Fixes)
+
+! Corrected a reference count leak that occurs when the server builds
+ responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
+ Lab for reporting the issue.
+ [Gitblab #253]
+ CVE: CVS-2022-2928
+
+ Changes since 4.4.2-P1 (New Features)
+
+- Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
+ and `dhcpctl_timed_wait_for_completion()`. These provide timed
+ versions of creating a connection and waiting for an operation
+ to complete.
+ [GitLab #76]
+
+- The BIND libraries have been updated to the latest version, 9.11.36. This fixes a number
+ of compilation issues on various systems, including OpenWRT. Thanks to
+ Philip Prindeville for testing on OpenWRT.
+ [GitLab #218, #171, #180, #192]
+
+- Support was added for the new DHCPv4 option v6-only-preferred, specified
+ in RFC 8925. A new reason code, V6ONLY, was added to the client script
+ and the client Linux script sample was updated.
+ [GitLab #132]
+
+ Changes since 4.4.2-P1 (Bug Fixes)
+
+- Minor corrections were made to allow compilation under gcc 10.
+ [GitLab #117]
+
+- The logic in dhclient that causes it to decline DHCPv4 leases if the
+ client script exits abnormally (i.e. crashes) has been corrected.
+ [GitLab #123]
+
+- The limit on the size of a lease file that can be loaded at startup
+ is now only enforced on 32-bit systems.
+ [GitLab #92]
+
+- The PRNG initialization has been improved. It now uses the configure flag
+ `--with-randomdev=PATH`, which specifies the device from which to read the
+ initial seed. That is typically `/dev/random` (the default value) or
+ `/dev/urandom`, but may be specified otherwise on the local system. The old
+ behavior can be forced by disabling this feature (`--with-randomdev=no`).
+ If the initialization is disabled or reading from the random device fails,
+ the previous algorithm (retrieve the last four bytes of hardware addresses
+ from all network interfaces that have them, and use the current time and
+ process ID) is used.
+ [GitLab #197]
+
+- A minor dhclient code fix was made to remove compilation warnings.
+ [GitLab #190]
+
+- The hard-coded MD5 algorithm name was removed in OMAPI connection logic.
+ Previously, using any other algorithm via a key-algorithm statement would
+ allow OMAPI connections to be made, but subsequent actions such as updating
+ an object would fail.
+ [GitLab #148]
+
+- The parallel build has been improved. Thanks to Sergei Trofimovich for
+ the patch. The parallel build is still experimental, as officially the
+ BIND 9 code does not support the parallel build for libraries.
+ [GitLab #91]
+
+- Handling of LDAP options (`ldap-gssapi-principal` and `ldap-gssapi-keytab`)
+ has been improved. This is contributed code that has not been tested by ISC. Thank
+ you to Petr Mensik and Pavel Zhukov for the patches!
+ [GitLab !56,!75]
+
+- It is now possible to use `option -g ipaddr` in the dhcrelay to replace the giaddr sent to
+ clients with the given ipaddr, to work around bogus clients like Solaris 11
+ grub which use giaddr instead of the announced router (3) to set up their
+ default route. Thanks to Jens Elkner for the patch!
+ [GitLab #223, !86, !92]
+
+ Changes since 4.4.2 (Bug Fixes)
+
+- Corrected a buffer overwrite possible when parsing hexadecimal
+ literals with more than 1024 octets.
+ [Gitlab #182]
+ CVE: CVE-2021-25217
+
+ Changes since 4.4.2b1 (Bug Fixes)
+
+- Added a clarification on DHCPINFORMs and server authority to
+ dhcpd.conf.5
+ [Gitlab #37]
+
+- Only emit lease scrubbing log messages when DEBUG_FAILOVER_MESSAGES
+ is defined.
+ [Gitlab #72]
+
+- Added the interface name to socket initialization failure log messages.
+ Prior to this the log messages stated only the error reason without
+ stating the target interface.
+ [Gitlab #75]
+
+- Corrected buffer pointer logic in dhcrelay functions that manipulate
+ agent relay options. Thanks to Thomas Imbert of MSRC Vulnerabilities
+ & Mitigations for reporting the issue.
+ [Gitlab #71]
+
+- Corrected unresolved symbol errors building relay_unittests when
+ configured to build using libtool.
+ [Gitlab #80]
+
+ Changes since 4.4.1 (New Features)
+
+- A new configuration parameter, ping-cltt-secs (v4 operation only), has
+ been added to allow the user to specify the number of seconds that must
+ elapse since CLTT before a ping check is conducted. Prior to this, the
+ value was hard coded at 60 seconds. Please see the server man pages for
+ a more detailed discussion.
+ [ISC-Bugs #36283]
+
+- A new configuration parameter, ping-timeout-ms (v4 operation only),
+ has been added that allows the user to specify the amount of time
+ the server waits for a ping-check response in milliseconds rather
+ than in seconds (via ping-timeout). When greater than zero, the value
+ of ping-timeout-ms will override the value of ping-timeout. Thanks
+ to Jay Doran from Bluecat Networks for suggesting this feature.
+ [Gitlab #10]
+
+- An experimental tool called, Keama (KEA Migration Assistant), which helps
+ translate ISC DHCP configurations to Kea configurations, is now included
+ in the distribution.
+ [Gitlab #34]
+
+ Changes since 4.4.1 (Bug Fixes)
+
+- Corrected a misuse of the BIND9 DDNS API which caused DDNS updates to be
+ carried out over TCP rather than UDP. The coding error was exposed by
+ migration to BIND9 9.11. Thanks to Jinmei Tatuya at Infoblox for
+ reporting the issue.
+ [ISC-Bugs #47757]
+
+- Bind9 now defaults to requiring python to build. The Makefile for
+ building Bind9 when bundled with ISC DHCP was modified to turn off
+ this dependency.
+ [Gitlab #3]
+
+- Corrected a dual-stack mixed-mode issue that occurs when both
+ ddns-guard-id-must-match and ddns-other-guard-is-dynamic
+ are enabled and that caused the server to incorrectly interpret
+ the presence of a guard record belonging to another client as
+ a case of no guard record at all. Thanks to Fernando Soto
+ from BlueCat Networks for reporting this issue.
+ [Gitlab #1]
+
+- Corrected a compilation issue that occurred when building without DNS
+ update ability (e.g. by undefining NSUPDATE).
+ [Gitlab #16]
+
+- Corrected an issue that was causing the server, when running in
+ DHPCv4 mode, to segfault when class lease limits are reached.
+ Thanks to Peter Nagy at Porion-Digital for reporting the matter
+ and submitting a patch.
+ [Gitlab #13]
+
+- Made minor changes to eliminate warnings when compiled with GCC 9.
+ Thanks to Brett Neumeier for bringing the matter to our attention.
+ [Gitlab #15]
+
+- Fixed potential memory leaks in parser error message generation
+ spotted by Coverity, CIDs: 1448191, 1448193, 1448194, 1448195
+ [Gitlab #30]
+
+- Updated URL of IEEE oui.txt in contrib/dhcp-lease-list.pl. Thanks
+ to Tommy Smith for contributing the patch.
+ [Gitlab #26]
+
+- Fixed define flags when using SO_BINDTODEVICE. Thanks to Joe LeVeque for
+ reporting the issue.
+ [GitLab #19]
+
+- Applied a patch from OpenBSD to always set the scope id of outbound
+ DHPCv6 packets. Note this change only applies when compiling under
+ OpenBSD. Thanks to Brad Smith at OpenBSD from bringing it to our
+ attention.
+ [Gitlab #33]
+
+- Modified dhclient to not discard config file leases that are
+ duplicates of server-provided leases and to retain such leases
+ after they have been used as the fallback active lease and
+ DHCP service has been restored. This allows them to be used
+ more than once during the lifetime of a dhclient instance.
+ This applies to DHCPv4 operation only.
+ [Gitlab #9]
+
+- Corrected a number of reference counter and zero-length buffer leaks.
+ Thanks to Christopher Ertl of MSRC Vulnerabilities & Mitigations for
+ pointing them out.
+ [Gitlab #57]
+
+- Closed a small window of time between the installation of graceful
+ shutdown signal handlers and application context startup, during which
+ the receipt of shutdown signal would cause a REQUIRE() assertion to
+ occur. Note this issue is only visible when compiling with
+ ENABLE_GENTLE_SHUTDOWN defined.
+ [Gitlab #53]
+
+- Corrected a buffer overflow that can occur when retrieving zone
+ names that are more than 255 characters in length.
+ [Gitlab #20]
+
+- The "d" domain name option format was incorrectly handled as text
+ instead of RFC 1035 wire format. Thanks to Jay Doran at BlueCat Networks
+ for reporting this issue.
+ [Gitlab #2]
+
+- Improved the error message issued when a host declaration has both
+ a uid and a dhcp-client-identifier. Server configuration parsing will
+ now fail if a host declaration specifies more than one uid.
+ [Gitlab #7]
+
+- Updated developer's documentation on building and running unit tests.
+ Removed support for --with-atf=bind as BIND9 no longer bundles in ATF
+ source.
+ [Gitlab #35]
+
+- Fixed a syntax error in ldap.c which cropped up under Ubuntu
+ 18.04.1/gcc 7.4.0. Thanks to Charles Hedrick for pointing it out.
+ [Gitlab #51]
+
+- Added clarification to dhcp-options.5 section on ip-address values
+ describing the first-use DNS resolution of options with hostnames as
+ values (e.g. next-server).
+ [Gitlab #28]
+
+- The option format for the server option omapi-key was changed to a
+ format type 'k' (key name); while server options ldap-port and
+ ldap-init-retry were changed to 'L' (unsigned 32-bit integer). These
+ three options were inadvertantly broken when the 'd' format content
+ was changed to comply with RFC 1035 wire format (see Gitlab #2).
+ [Gitlab #68]
+
+ Changes since 4.4.0 (New Features)
+- none
+ Changes since 4.4.0 (Bug Fixes)
+
+- A delayed-ack value of 0 (the default), now correctly disables the delayed
+ feature. A change in 4.4.0 prohibited lease updates marking leases active
+ from be written to the lease file when delayed-ack is 0. This in turn,
+ caused servers to lose active lease assignments upon restart.
+ [ISC-Bugs #47141]
+
+! Option reference count was not correctly decremented in error path
+ when parsing buffer for options. Reported by Felix Wilhelm, Google
+ Security Team.
+ [ISC-Bugs #47140]
+ CVE: CVE-2018-5733
+
+! Corrected an issue where large sized 'X/x' format options were causing
+ option handling logic to overwrite memory when expanding them to human
+ readable form. Reported by Felix Wilhelm, Google Security Team.
+ [ISC-Bugs #47139]
+ CVE: CVE-2018-5732
+
+- Added use of new Bind9 compatibility header files, that are now necessary
+ to supply type definitions for primitive data types, removed from Bind9
+ proper. Altered util/bind.sh to pull from Bind9 repo on gitlab.
+ [ISC-Bugs #48072]
+ [ISC-Bugs #48071]
+
+ Changes since 4.4.0b1 (New Features)
+
+- Duplicate address detection when binding to a new IPv6 address was added
+ to the following dhclient scripts: linux,freebsd,netbsd,openbsd, and macos.
+ The scripts will check for DAD errors after binding to a new IPv6 address
+ for at most --dad-wait-time seconds. If a DAD error is detected the script
+ will exit with a value of 3, instructing dhclient to decline the address. If
+ dad-wait-time is zero (the default), DAD error checking is not peformed.
+ [ISC-Bugs 46805]
+
+- Support for sending and receiving additional DHCP4 options has been added
+ to both the dhcpd and dhclient. Specifically: option codes 93,94, and 97
+ (RFC 4578); code 150 (RFC 5859); and codes 209,219, and 211 (RFC 5071).
+ Beyond configuring, sending, requesting, and receiving these options neither
+ server nor client apply any additional logic based on their values.
+ Thanks to Peter Lewis for requesting this change.
+ [ISC-Bugs 47062]
+
+ Changes since 4.4.0b1 (Bug Fixes)
+
+- Added clarifying text to dhcpd.conf.5 explaining the class match expressions
+ cannot rely on the results of executable statements.
+ [ISC-Bugs #45451]
+
+- Fixed a bug which causes dhcpd and dhclient to crash on certain
+ systems when given relative path names for lease or pid files on
+ the command line. Affected systems are those on which the C library
+ function, realpath() does not support a second parameter value of
+ NULL (see manpages for realpath(3)).
+ [ISC-Bugs #46957]
+
+- Fixed a build issue when building with embedded BIND9 under OpenBSD that
+ was causing BIND9 build to not generate dns/enumclass.h and dns/enumtype.h.
+ [ISC-Bugs #46971]
+
+- Added <dhcp>/m4/README to the distribution tarball. Some versions of
+ ac_local() treat the absence of the m4 subdirectory as error rather than
+ warning. This was causing the call to autoreconf, necessary for building
+ with libtool, to fail.
+ [ISC-Bugs #47075]
+
Changes since 4.4.0a1 (New Features)
- Added experimental support for relay port (draft-ietf-dhc-relay-port-10.txt)
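Review bot: the security entry under "Changes since 4.4.3 (Bug Fixes)" has a malformed identifier, `CVE: CVS-2022-2928`, which does not follow the `CVE-` prefix used by the other two entries (`CVE: CVE-2021-25217`, `CVE: CVE-2018-5733`) and would break anyone grepping the notes for CVE numbers; the same entry cites `[Gitblab #253]` where every other reference uses `[GitLab ...]` or `[Gitlab ...]`, and the tracker name is capitalized both ways throughout the added text, so pick one spelling. Minor layout point: the "Changes since 4.4.0 (New Features)" heading and its "- none" line are not separated by blank lines the way every other section heading in the file is.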