Internet Systems Consortium DHCP Distribution
- Version 4.4.2
- 22 January 2020
- Release Notes
+ Version 4.4.3
+ 9 March 2022
+ Release Notes
- NEW FEATURES
+ NEW FEATURES
-Please note that that ISC DHCP is now licensed under the Mozilla Public License,
-MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
-license terms.
+Please note that that ISC DHCP is licensed under the Mozilla Public
+License, MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read
+the MPL 2.0 license terms.
-While release 4.4.2 is primarily a maintenance release that addresses a number
-of defects, it does introduce a few new features:
+NOTE: The client and relay components are now End-Of-Life.
+4.4.3 is the final release for those components.
-- Keama - Keama is a migration utility that assists in converting ISC DHCP
- server configuration files to Kea configuration files. It is found in the
- keama subdirectory and includes a README.md file with instructions on how
- to build it as well as a manpage on its usage.
-
-- Two new server parameters related to ping checking were added:
-
-1. ping-cltt-secs which allows the user to specify the number of seconds
- that must elapse since CLTT before a ping check is conducted.
-
-2. ping-timeout-ms which allows the user to specify the amount of time the
- server waits for a ping-check response in milliseconds rather than in
- seconds.
-
-In general, the areas of focus for ISC DHCP 4.4 were:
-
-1. Dynamic DNS additions
-2. dhclient improvements
-3. Support for dynamic shared libraries
-
-Dynamic DNS Improvements:
-
-- We added three new server configuration parameters which influence DDNS
- conflict resolution:
-
- 1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
- to mitigate issues with non-compliant clients in dual stack environments.
-
- 2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
- requirement of DNS conflict resolution.
-
- 3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
- allow unguarded DNS entries to be overwritten in certain cases
-
-- The server now honors update-static-leases parameter for static DHCPv6
- hosts.
-
-dhclient Improvements:
-
- - We've added three command line parameters to dhclient:
-
- 1. --prefix-len-hint - directs dhclient to use the given length as
- the prefix length hint when requesting prefixes
-
- 2. --decline-wait-time - instructs the client to wait the given number
- of seconds after declining an IPv4 address before issuing a discover
-
- 3. --address-prefix-len - specifies the prefix length passed by dhclient
- into the client script (via the environment variable ip6_prefixlen) with
- each IPv6 address. We added this parameter because we have changed the
- default value from 64 to 128 in order to be compliant with RFC3315bis
- draft (-09, page 64) and RFC5942, Section 4, point 1.
- **WARNING**: The new default value of 128 may not be backwardly compatible
- with your environment. If you are operating without a router, such as
- between VMs on a host, you may find they cannot see each other with prefix
- length of 128. In such cases, you'll need to either provide routing or use
- the command line parameter to set the value to 64. Alternatively you may
- change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
- in includes/site.h.
-
- - dhclient will now generate a DHCPv6 DECLINE message when the client script
- indicates a DAD failure
-
-Dynamic shared library support:
-
- Configure script, configure.ac+lt, which supports libtool is now provided
- with the source tar ball. This script can be used to configure ISC DHCP
- to build with libtool and thus use dynamic shared libraries.
-
-Other Highlights:
-
- - The server now supports dhcp-cache-threshold for DHCPv6 operations
- - The server now supports DHPv6 address allocation based on EUI-64 DUIDs
- - Experimental support for alternate relay port in the both the server
- and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)
-
-For information on how to install, configure and run this software, as
+For information on how to install, configure, and run this software, as
well as how to find documentation and report bugs, please consult the
README file.
-ISC DHCP uses standard GNU configure for installation. Please review the
-output of "./configure --help" to see what options are available.
+ISC DHCP uses the standard GNU configure command for installation. Please review the
+output of `./configure --help` to see what options are available.
-The system has only been tested on Linux, FreeBSD, and Solaris, and may not
-work on other platforms. Please report any problems and suggested fixes to
-<dhcp-users@isc.org>.
+The system has only been tested on Linux and FreeBSD, and may not work on
+other platforms. Please subscribe to the dhcp-users mailing list at
+https://lists.isc.org/mailman/listinfo/dhcp-users and report any problems
+and/or suggested fixes to dhcp-users@lists.isc.org.
ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
- Changes since 4.4.2 (New Features)
+ Changes since 4.4.3 (Bug Fixes)
-- BIND9 version updated to latest 9.11.36. Thanks to Philip Prindeville
- for testing on OpenWRT.
- [Gitlab #218]
+! Corrected a reference count leak that occurs when the server builds
+ responses to leasequery packets.
+ [Gitblab #253]
+ CVE: <TBD>
-- Added support of the new DHCPv4 option v6-only-preferred specified
-in RFC 8925. A new reason code, V6ONLY, was added to the client script
-and the client Linux script sample was updated.
- [Gitlab #132]
+ Changes since 4.4.2-P1 (New Features)
- Changes since 4.4.2 (Bug Fixes)
+- Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
+ and `dhcpctl_timed_wait_for_completion()`. These provide timed
+ versions of creating a connection and waiting for an operation
+ to complete.
+ [GitLab #76]
-- Minor corrections to allow compilation under gcc 10.
- [Gitlab #117]
+- The BIND libraries have been updated to the latest version, 9.11.36. This fixes a number
+ of compilation issues on various systems, including OpenWRT. Thanks to
+ Philip Prindeville for testing on OpenWRT.
+ [GitLab #218, #171, #180, #192]
-- Corrected logic in dhclient that causes it to decline DHCPv4 leases if the
- client script exits abnormally (i.e. crashes).
- [Gitlab #123]
+- Support was added for the new DHCPv4 option v6-only-preferred, specified
+ in RFC 8925. A new reason code, V6ONLY, was added to the client script
+ and the client Linux script sample was updated.
+ [GitLab #132]
-- The limit on the size of lease file that can be loaded at start up
- is now only enforced on 32-bit systems.
- [Gitlab #92]
+ Changes since 4.4.2-P1 (Bug Fixes)
+
+- Minor corrections were made to allow compilation under gcc 10.
+ [GitLab #117]
-- After a report about predictable seeding of transaction identifier
- pseudo-random generation on systems where process identifiers are not
- random the already existing --with-randomdev configure argument was
- extended. Please remember its default is "/dev/random" which is not
- convenient on all systems.
- [Gitlab #197]
+- The logic in dhclient that causes it to decline DHCPv4 leases if the
+ client script exits abnormally (i.e. crashes) has been corrected.
+ [GitLab #123]
-- Minor dhclient code fix to remove compilation warnings.
- [Gitlab #190]
+- The limit on the size of a lease file that can be loaded at startup
+ is now only enforced on 32-bit systems.
+ [GitLab #92]
+
+- The PRNG initialization has been improved. It now uses the configure flag
+ `--with-randomdev=PATH`, which specifies the device from which to read the
+ initial seed. That is typically `/dev/random` (the default value) or
+ `/dev/urandom`, but may be specified otherwise on the local system. The old
+ behavior can be forced by disabling this feature (`--with-randomdev=no`).
+ If the initialization is disabled or reading from the random device fails,
+ the previous algorithm (retrieve the last four bytes of hardware addresses
+ from all network interfaces that have them, and use the current time and
+ process ID) is used.
+ [GitLab #197]
+
+- A minor dhclient code fix was made to remove compilation warnings.
+ [GitLab #190]
+
+- The hard-coded MD5 algorithm name was removed in OMAPI connection logic.
+ Previously, using any other algorithm via a key-algorithm statement would
+ allow OMAPI connections to be made, but subsequent actions such as updating
+ an object would fail.
+ [GitLab #148]
+
+- The parallel build has been improved. Thanks to Sergei Trofimovich for
+ the patch. The parallel build is still experimental, as officially the
+ BIND 9 code does not support the parallel build for libraries.
+ [GitLab #91]
+
+- Handling of LDAP options (`ldap-gssapi-principal` and `ldap-gssapi-keytab`)
+ has been improved. This is contributed code that has not been tested by ISC. Thank
+ you to Petr Mensik and Pavel Zhukov for the patches!
+ [GitLab !56,!75]
+
+- It is now possible to use `option -g ipaddr` in the dhcrelay to replace the giaddr sent to
+ clients with the given ipaddr, to work around bogus clients like Solaris 11
+ grub which use giaddr instead of the announced router (3) to set up their
+ default route. Thanks to Jens Elkner for the patch!
+ [GitLab #223, !86, !92]
+
+ Changes since 4.4.2 (Bug Fixes)
-- Removed hard-coded MD5 algorithm name in OMAPI connection logic. Prior
- to this using any other algorithm via key-algorithm statement would
- allow OMAPI connections to made but subsequent actions such as updating
- an object to fail.
- [Gitlab #148]
+- Corrected a buffer overwrite possible when parsing hexadecimal
+ literals with more than 1024 octets.
+ [Gitlab #182]
+ CVE: CVE-2021-25217
Changes since 4.4.2b1 (Bug Fixes)
- Corrected buffer pointer logic in dhcrelay functions that manipulate
agent relay options. Thanks to Thomas Imbert of MSRC Vulnerabilities
& Mitigations for reporting the issue.
- [#71]
+ [Gitlab #71]
- Corrected unresolved symbol errors building relay_unittests when
configured to build using libtool.
- [#80]
+ [Gitlab #80]
Changes since 4.4.1 (New Features)
projects / thirdparty / dhcp.git / blobdiff