Internet Systems Consortium DHCP Distribution
- Version 4.4.0b1
- 09 January 2018
-
+ Version 4.4.3
+ 26 January 2022
Release Notes
NEW FEATURES
MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
license terms.
-The areas of focus for ISC DHCP 4.4.0 were:
-
-1. Dynamic DNS additions
-2. dhclient improvements
-3. Support for dynamic shared libraries
-
-Dynamic DNS Improvements:
-
-- We added three new server configuration parameters which influence DDNS
- conflict resolution:
-
- 1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
- to mitigate issues with non-compliant clients in dual stack environments.
-
- 2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
- requirement of DNS conflict resolution.
-
- 3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
- allow unguarded DNS entries to be overwritten in certain cases
-
-- The server now honors update-static-leases parameter for static DHCPv6
- hosts.
+NOTE: The client and relay components are reaching their End-Of-Life cycle.
+4.4.3 is the final release that features them.
-dhclient Improvements:
+While release 4.4.3 is primarily a maintenance release that addresses a number
+of issues, it does introduce a few of small new features:
- - We've added three command line parameters to dhclient:
+1. BIND libraries updated to the latest 9.11.36. This fixes a number of compilation
+ issues on various systems, including OpenWRT.
+ [gitlab #218, #171, #180, #192]
- 1. --prefix-len-hint - directs dhclient to use the given length as
- the prefix length hint when requesting prefixes
+2. Improve PRNG initialization. There is now a new configure flag --with-randomdev=PATH
+ that specifies the device to read the initial seed from. That is typically
+ /dev/random (the default value) or /dev/urandom, but may be other as preferred on
+ your system. If this option is enabled, dhclient will use the file as a seed. If
+ not, the earlier algorithm (get last 4 bytes of hardware addresses from all network
+ interfaces that have them, use current time and process ID).
- 2. --decline-wait-time - instructs the client to wait the given number
- of seconds after declining an IPv4 address before issuing a discover
+3. The IPv6-only preferred option, defined in RFC8925, is now supported.
+ [gitlab #132]
- 3. --address-prefix-len - specifies the prefix length passed by dhclient
- into the client script (via the environment variable ip6_prefixlen) with
- each IPv6 address. We added this parameter because we have changed the
- default value from 64 to 128 in order to be compliant with RFC3315bis
- draft (-09, page 64) and RFC5942, Section 4, point 1.
- **WARNING**: The new default value of 128 may not be backwardly compatible
- with your environment. If you are operating without a router, such as
- between VMs on a host, you may find they cannot see each with prefix
- length of 128. In such cases, you'll need to either provide routing or use
- the command line parameter to set the value to 64. Alternatively you may
- change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
- in includes/site.h.
+4. Compilation fixed for gcc-10.
+ [gitlab #117]
- - dhclient will now generate a DHCPv6 DECLINE message when the client script
- indicates a DAD failure
+5. Client fix: wrong argument to memcpy()
+ [gitlab #190]
-Dynamic shared library support:
-
- Configure script, configure.ac+lt, which supports libtool is now provided
- with the source tar ball. This script can be used to configure ISC DHCP
- to build with libtool and thus use dynamic shared libraries.
-
-Other Highlights:
-
- - The server now supports dhcp-cache-threshold for DHCPv6 operations
- - The server now supports DHPv6 address allocation based on EUI-64 DUIDs
- - Experimental support for alternate relay port in the both the server
- and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)
+6. The server's limit on the size of lease file that can be loaded at start up
+ is now only enforced on 32-bit systems.
+ [gitlab #64]
For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
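Review bot: item 2 of the 4.4.3 feature list calls --with-randomdev=PATH "a new configure flag", but the Gitlab #197 bug-fix entry further down says "the already existing --with-randomdev configure argument was extended"; only one of these can be right, and the bug-fix wording is the one to keep. The last sentence of that same item has no main verb ("If not, the earlier algorithm (get last 4 bytes of hardware addresses ..., use current time and process ID)."), so finish it, e.g. "... process ID) is used." Two cross-references also disagree with the bug-fix list: item 6 cites [gitlab #64] while the same lease-file-size change is credited to [Gitlab #92] below, and item 5 calls #190 "wrong argument to memcpy()" while below #190 is "Minor dhclient code fix to remove compilation warnings"; align the ticket numbers and the descriptions. Minor: "a few of small new features" should be "a few small new features", and the tag casing is "gitlab" in this list but "Gitlab" everywhere else in the file.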
+ Changes since 4.4.2 (New Features)
+
+- BIND9 version updated to latest 9.11.36. Thanks to Philip Prindeville
+ for testing on OpenWRT.
+ [Gitlab #218]
+
+- Added support of the new DHCPv4 option v6-only-preferred specified
+in RFC 8925. A new reason code, V6ONLY, was added to the client script
+and the client Linux script sample was updated.
+ [Gitlab #132]
+
+ Changes since 4.4.2 (Bug Fixes)
+
+- Minor corrections to allow compilation under gcc 10.
+ [Gitlab #117]
+
+- Corrected logic in dhclient that causes it to decline DHCPv4 leases if the
+ client script exits abnormally (i.e. crashes).
+ [Gitlab #123]
+
+- The limit on the size of lease file that can be loaded at start up
+ is now only enforced on 32-bit systems.
+ [Gitlab #92]
+
+- After a report about predictable seeding of transaction identifier
+ pseudo-random generation on systems where process identifiers are not
+ random the already existing --with-randomdev configure argument was
+ extended. Please remember its default is "/dev/random" which is not
+ convenient on all systems.
+ [Gitlab #197]
+
+- Minor dhclient code fix to remove compilation warnings.
+ [Gitlab #190]
+
+- Removed hard-coded MD5 algorithm name in OMAPI connection logic. Prior
+ to this using any other algorithm via key-algorithm statement would
+ allow OMAPI connections to made but subsequent actions such as updating
+ an object to fail.
+ [Gitlab #148]
+
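Review bot: the Gitlab #197 entry fixes predictable seeding of the transaction-identifier PRNG on systems where process identifiers are not random, which is a security-relevant weakness, yet it carries the ordinary "-" marker rather than the "!" marker this file uses for security fixes (compare the two CVE entries under "Changes since 4.4.0"); either flag it and cite the advisory or CVE if one was assigned, or state that none was. The same entry says the /dev/random default "is not convenient on all systems" without saying why; spell out the consequence an operator cares about (a read that blocks until enough entropy is available, so dhclient can stall at start-up) and that --with-randomdev=/dev/urandom is the usual choice on such systems. Wording: in the OMAPI entry "would allow OMAPI connections to made" should be "to be made", and it would help to say what the connection logic now uses instead of the hard-coded MD5 name (presumably the algorithm given in the key-algorithm statement).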
+ Changes since 4.4.2b1 (Bug Fixes)
+
+- Added a clarification on DHCPINFORMs and server authority to
+ dhcpd.conf.5
+ [Gitlab #37]
+
+- Only emit lease scrubbing log messages when DEBUG_FAILOVER_MESSAGES
+ is defined.
+ [Gitlab #72]
+
+- Added the interface name to socket initialization failure log messages.
+ Prior to this the log messages stated only the error reason without
+ stating the target interface.
+ [Gitlab #75]
+
+- Corrected buffer pointer logic in dhcrelay functions that manipulate
+ agent relay options. Thanks to Thomas Imbert of MSRC Vulnerabilities
+ & Mitigations for reporting the issue.
+ [#71]
+
+- Corrected unresolved symbol errors building relay_unittests when
+ configured to build using libtool.
+ [#80]
+
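Review bot: the dhcrelay entry ("Corrected buffer pointer logic in dhcrelay functions that manipulate agent relay options", reported by MSRC Vulnerabilities & Mitigations) describes a memory-safety fix in a component that parses packets from untrusted clients, but gives no impact statement and no "!" marker; say whether the faulty pointer arithmetic is reachable through a client-supplied relay agent option (read past the buffer, write, or both) and whether a CVE was assigned, since relay operators use these notes to decide whether to upgrade. Also, the reference tags in this section are "[#71]" and "[#80]" while every other entry uses the "[Gitlab #NN]" form; use the same form here.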
+ Changes since 4.4.1 (New Features)
+
+- A new configuration parameter, ping-cltt-secs (v4 operation only), has
+ been added to allow the user to specify the number of seconds that must
+ elapse since CLTT before a ping check is conducted. Prior to this, the
+ value was hard coded at 60 seconds. Please see the server man pages for
+ a more detailed discussion.
+ [ISC-Bugs #36283]
+
+- A new configuration parameter, ping-timeout-ms (v4 operation only),
+ has been added that allows the user to specify the amount of time
+ the server waits for a ping-check response in milliseconds rather
+ than in seconds (via ping-timeout). When greater than zero, the value
+ of ping-timeout-ms will override the value of ping-timeout. Thanks
+ to Jay Doran from Bluecat Networks for suggesting this feature.
+ [Gitlab #10]
+
+- An experimental tool called, Keama (KEA Migration Assistant), which helps
+ translate ISC DHCP configurations to Kea configurations, is now included
+ in the distribution.
+ [Gitlab #34]
+
+ Changes since 4.4.1 (Bug Fixes)
+
+- Corrected a misuse of the BIND9 DDNS API which caused DDNS updates to be
+ carried out over TCP rather than UDP. The coding error was exposed by
+ migration to BIND9 9.11. Thanks to Jinmei Tatuya at Infoblox for
+ reporting the issue.
+ [ISC-Bugs #47757]
+
+- Bind9 now defaults to requiring python to build. The Makefile for
+ building Bind9 when bundled with ISC DHCP was modified to turn off
+ this dependency.
+ [Gitlab #3]
+
+- Corrected a dual-stack mixed-mode issue that occurs when both
+ ddns-guard-id-must-match and ddns-other-guard-is-dynamic
+ are enabled and that caused the server to incorrectly interpret
+ the presence of a guard record belonging to another client as
+ a case of no guard record at all. Thanks to Fernando Soto
+ from BlueCat Networks for reporting this issue.
+ [Gitlab #1]
+
+- Corrected a compilation issue that occurred when building without DNS
+ update ability (e.g. by undefining NSUPDATE).
+ [Gitlab #16]
+
+- Corrected an issue that was causing the server, when running in
+ DHPCv4 mode, to segfault when class lease limits are reached.
+ Thanks to Peter Nagy at Porion-Digital for reporting the matter
+ and submitting a patch.
+ [Gitlab #13]
+
+- Made minor changes to eliminate warnings when compiled with GCC 9.
+ Thanks to Brett Neumeier for bringing the matter to our attention.
+ [Gitlab #15]
+
+- Fixed potential memory leaks in parser error message generation
+ spotted by Coverity, CIDs: 1448191, 1448193, 1448194, 1448195
+ [Gitlab #30]
+
+- Updated URL of IEEE oui.txt in contrib/dhcp-lease-list.pl. Thanks
+ to Tommy Smith for contributing the patch.
+ [Gitlab #26]
+
+- Fixed define flags when using SO_BINDTODEVICE. Thanks to Joe LeVeque for
+ reporting the issue.
+ [GitLab #19]
+
+- Applied a patch from OpenBSD to always set the scope id of outbound
+ DHPCv6 packets. Note this change only applies when compiling under
+ OpenBSD. Thanks to Brad Smith at OpenBSD from bringing it to our
+ attention.
+ [Gitlab #33]
+
+- Modified dhclient to not discard config file leases that are
+ duplicates of server-provided leases and to retain such leases
+ after they have been used as the fallback active lease and
+ DHCP service has been restored. This allows them to be used
+ more than once during the lifetime of a dhclient instance.
+ This applies to DHCPv4 operation only.
+ [Gitlab #9]
+
+- Corrected a number of reference counter and zero-length buffer leaks.
+ Thanks to Christopher Ertl of MSRC Vulnerabilities & Mitigations for
+ pointing them out.
+ [Gitlab #57]
+
+- Closed a small window of time between the installation of graceful
+ shutdown signal handlers and application context startup, during which
+ the receipt of shutdown signal would cause a REQUIRE() assertion to
+ occur. Note this issue is only visible when compiling with
+ ENABLE_GENTLE_SHUTDOWN defined.
+ [Gitlab #53]
+
+- Corrected a buffer overflow that can occur when retrieving zone
+ names that are more than 255 characters in length.
+ [Gitlab #20]
+
+- The "d" domain name option format was incorrectly handled as text
+ instead of RFC 1035 wire format. Thanks to Jay Doran at BlueCat Networks
+ for reporting this issue.
+ [Gitlab #2]
+
+- Improved the error message issued when a host declaration has both
+ a uid and a dhcp-client-identifier. Server configuration parsing will
+ now fail if a host declaration specifies more than one uid.
+ [Gitlab #7]
+
+- Updated developer's documentation on building and running unit tests.
+ Removed support for --with-atf=bind as BIND9 no longer bundles in ATF
+ source.
+ [Gitlab #35]
+
+- Fixed a syntax error in ldap.c which cropped up under Ubuntu
+ 18.04.1/gcc 7.4.0. Thanks to Charles Hedrick for pointing it out.
+ [Gitlab #51]
+
+- Added clarification to dhcp-options.5 section on ip-address values
+ describing the first-use DNS resolution of options with hostnames as
+ values (e.g. next-server).
+ [Gitlab #28]
+
+- The option format for the server option omapi-key was changed to a
+ format type 'k' (key name); while server options ldap-port and
+ ldap-init-retry were changed to 'L' (unsigned 32-bit integer). These
+ three options were inadvertantly broken when the 'd' format content
+ was changed to comply with RFC 1035 wire format (see Gitlab #2).
+ [Gitlab #68]
+
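Review bot: two entries in this section are memory-safety fixes recorded as ordinary bug fixes: "Corrected a buffer overflow that can occur when retrieving zone names that are more than 255 characters in length" [Gitlab #20] and the reference-counter and zero-length buffer leaks reported by MSRC [Gitlab #57]. For the overflow, state which component and code path is affected and whether the zone name is attacker-controlled (for example taken from a DNS response) or only configuration-controlled, and whether it warrants the "!" marker and a CVE; for the leaks, say whether they are reachable from the wire, because a remotely triggerable reference-count leak is a denial-of-service vector. The ping-timeout-ms entry should also say what happens when both ping-timeout and ping-timeout-ms are zero (ping check disabled, or a default applied?). Typos: "DHPCv4" and "DHPCv6" for DHCPv4/DHCPv6, "from bringing it to our attention" should be "for bringing", "inadvertantly" should be "inadvertently", and the company is spelled both "Bluecat Networks" and "BlueCat Networks" within this file.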
+ Changes since 4.4.0 (New Features)
+- none
+ Changes since 4.4.0 (Bug Fixes)
+
+- A delayed-ack value of 0 (the default), now correctly disables the delayed
+ feature. A change in 4.4.0 prohibited lease updates marking leases active
+ from be written to the lease file when delayed-ack is 0. This in turn,
+ caused servers to lose active lease assignments upon restart.
+ [ISC-Bugs #47141]
+
+! Option reference count was not correctly decremented in error path
+ when parsing buffer for options. Reported by Felix Wilhelm, Google
+ Security Team.
+ [ISC-Bugs #47140]
+ CVE: CVE-2018-5733
+
+! Corrected an issue where large sized 'X/x' format options were causing
+ option handling logic to overwrite memory when expanding them to human
+ readable form. Reported by Felix Wilhelm, Google Security Team.
+ [ISC-Bugs #47139]
+ CVE: CVE-2018-5732
+
+- Added use of new Bind9 compatibility header files, that are now necessary
+ to supply type definitions for primitive data types, removed from Bind9
+ proper. Altered util/bind.sh to pull from Bind9 repo on gitlab.
+ [ISC-Bugs #48072]
+ [ISC-Bugs #48071]
+
+ Changes since 4.4.0b1 (New Features)
+
+- Duplicate address detection when binding to a new IPv6 address was added
+ to the following dhclient scripts: linux,freebsd,netbsd,openbsd, and macos.
+ The scripts will check for DAD errors after binding to a new IPv6 address
+ for at most --dad-wait-time seconds. If a DAD error is detected the script
+ will exit with a value of 3, instructing dhclient to decline the address. If
+ dad-wait-time is zero (the default), DAD error checking is not peformed.
+ [ISC-Bugs 46805]
+
+- Support for sending and receiving additional DHCP4 options has been added
+ to both the dhcpd and dhclient. Specifically: option codes 93,94, and 97
+ (RFC 4578); code 150 (RFC 5859); and codes 209,219, and 211 (RFC 5071).
+ Beyond configuring, sending, requesting, and receiving these options neither
+ server nor client apply any additional logic based on their values.
+ Thanks to Peter Lewis for requesting this change.
+ [ISC-Bugs 47062]
+
+ Changes since 4.4.0b1 (Bug Fixes)
+
+- Added clarifying text to dhcpd.conf.5 explaining the class match expressions
+ cannot rely on the results of executable statements.
+ [ISC-Bugs #45451]
+
+- Fixed a bug which causes dhcpd and dhclient to crash on certain
+ systems when given relative path names for lease or pid files on
+ the command line. Affected systems are those on which the C library
+ function, realpath() does not support a second parameter value of
+ NULL (see manpages for realpath(3)).
+ [ISC-Bugs #46957]
+
+- Fixed a build issue when building with embedded BIND9 under OpenBSD that
+ was causing BIND9 build to not generate dns/enumclass.h and dns/enumtype.h.
+ [ISC-Bugs #46971]
+
+- Added <dhcp>/m4/README to the distribution tarball. Some versions of
+ ac_local() treat the absence of the m4 subdirectory as error rather than
+ warning. This was causing the call to autoreconf, necessary for building
+ with libtool, to fail.
+ [ISC-Bugs #47075]
+
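Review bot: the option-code list in the RFC 5071 entry ("codes 209,219, and 211 (RFC 5071)") looks wrong: RFC 5071 assigns the PXELINUX options the contiguous codes 208 through 211, so "219" reads as a typo for 210; check it against the option table before this ships, because a wrong code in the release notes will be copied into configurations. In the same section the tags "[ISC-Bugs 46805]" and "[ISC-Bugs 47062]" lack the "#" every other ISC-Bugs tag has, and "peformed" should be "performed". For the two CVE entries under "Changes since 4.4.0", name the affected component (client or server) in each, so operators know whether client hosts, servers, or both need the update, and "prohibited lease updates marking leases active from be written" should read "from being written". The delayed-ack entry would benefit from one more sentence on what an operator who ran 4.4.0 with the default should expect on upgrade, given that active lease assignments could already have been lost at restart.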
Changes since 4.4.0a1 (New Features)
- Added experimental support for relay port (draft-ietf-dhc-relay-port-10.txt)
unless DHCPv6 support was disabled. Additionally, the server man
pages were corrected to accurately reflect how the server chooses
file names (see lease-file-name and pid-file-name statements). Thanks
- to Fernando Soto at Bluecat for bringing this matter to our attention.
+ to Fernando Soto at Bluecat Networks for bringing this matter to our
+ attention.
[ISC-Bugs #46859]
- Removed an "Impossible condition" error upon exit in the dhcpd server that
when building with --enable-use-sockets and --enable-ipv4-pktinfo.
[ISC-Bugs #36118]
-- Corrected some minor coverity issues: CID 1426059, 1426058, and 1426057.
+- Corrected some minor Coverity issues: CID 1426059, 1426058, and 1426057.
[ISC-Bugs #46836]
- Added missing text to dhclient.8 and expanded release note coverage
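Review bot: the only substantive change in this final hunk expands "Fernando Soto at Bluecat" to "Bluecat Networks", but the file spells the company "BlueCat Networks" in the Gitlab #1 and #2 entries and "Bluecat Networks" in the Gitlab #10 entry; pick one spelling and apply it throughout rather than adding another occurrence of one form. The unchanged line "Removed an "Impossible condition" error upon exit in the dhcpd server that when building with --enable-use-sockets and --enable-ipv4-pktinfo" is missing a verb ("that occurred when building"); since the hunk already touches the neighbouring lines, fix it here. The "coverity" to "Coverity" capitalisation change is fine.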