Internet Systems Consortium DHCP Distribution
- Version 4.3.0
+ Version 4.3.1-pre-beta
3 February 2014
Release Notes
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
+ Changes since 4.3.1
+
+
+ Changes since 4.3.0rc1
+
+- None
+ Changes since 4.3.0b1
+
+- Tidy up receive packet processing.
+ Thanks to Brad Plank of GTA for reporting the issue and suggesting
+ a possible patch.
+ [ISC-Bugs #34447]
+
+ Changes since 4.3.0a1
+
+- Modify the message displayed when a process hits a fatal error.
+ The new message is much shorter and simply points to the README
+ and our website for directions on bug submissions.
+ [ISC-Bugs #24789]
+
+- Handle an absent resolv.conf file better.
+ [ISC-Bugs #35194]
+
Changes since 4.2.0 (new features)
- If a client renews before 'dhcp-cache-threshold' percent of its lease
[ISC-Bugs #29268]
[ISC-Bugs #35198]
- Changes since 4.3.0rc1
-
-- None
- Changes since 4.3.0b1
+ Changes since 4.2.0 (bug fixes)
-- Tidy up receive packet processing.
- Thanks to Brad Plank of GTA for reporting the issue and suggesting
- a possible patch.
- [ISC-Bugs #34447]
+- When using 'ignore client-updates;', the FQDN returned to the client
+ is no longer truncated to one octet.
- Changes since 4.3.0a1
+- Cleaned up an unused hardware address variable in nak_lease().
-- Modify the message displayed when a process hits a fatal error.
- The new message is much shorter and simply points to the README
- and our website for directions on bug submissions.
- [ISC-Bugs #24789]
+- Manpage entries for the ia-pd and ia-prefix options were updated to
+ reflect support for prefix delegation.
-- Handle an absent resolv.conf file better.
- [ISC-Bugs #35194]
+- Cleaned up some compiler warnings
- Changes since 4.2.5
+- An optimization described in the failover protocol draft is now included,
+ which permits a DHCP server operating in communications-interrupted state
+ to 'rewind' a lease to the state most recently transmitted to its peer,
+ greatly increasing a server's endurance in communications-interrupted.
+ This is supported using a new 'rewind state' record on the dhcpd.leases
+ entry for each lease.
-- Address static analysis warnings.
- [ISC-Bugs #33510] [ISC-Bugs #33511]
+- Fix the trace code which was broken by the changes to the DDNS code.
-- Silence benign static analysis warnings.
- [ISC-Bugs #33428]
+- Update the fsync code to work with the changes to the DDNS code. It now
+ uses a timer instead of noticing if there are no more packets to process.
-- Add check for 64-bit package for atf.
- [ISC-Bugs #32206]
+- When constructing the DNS name structure from a text string append
+ the root to relative names. This satisfies a requirement in the DNS
+ library that names be absolute instead of relative and prevents DHCP
+ from crashing. [ISC-Bugs #21054]
-- Use newer auto* tool packages and turn on RFC_3542 support on Mac OS.
- [ISC-Bugs #26303]
+- "The LDAP Patch" that has been circulating for some time, written by
+ Brian Masney and S.Kalyanasundraram and maintained for application to
+ the DHCP-4 sources by David Cantrell has been included. Please be
+ advised that these sources were contributed, and do not yet meet the
+ high standards we place on production sources we include by default.
+ As a result, the LDAP features are only included by using a compile-time
+ option which defaults off, and if you enable it you do so under your
+ own recognizance. We will be improving this software over time.
+ [ISC-Bugs #17741]
-- Remove a variable when it isn't being used due to #ifdefs to avoid
- a compiler warning on Solaris using GCC.
- [ISC-Bugs #33032]
+- Prohibit including lease time information in a response to a DHCP INFORM.
+ [ISC-Bugs #21092]
-- Add a check for too much whitespace in a config or lease file.
- Thanks to Paolo Pellegrino for finding the issue and a suggestion
- for the patch.
- [ISC-Bugs #33351]
+! Accept a client id of length 0 while hashing. Previously the server would
+ exit if it attempted to hash a zero length client id, providing attackers
+ with a simple denial of service attack. [ISC-Bugs #21253]
+ CERT: VU#541921 - CVE: CVE-2010-2156
-- Fix several problems with using OMAPI to manipulate class and subclass
- objects.
- [ISC-Bugs #27452]
+- A memory leak in ddns processing was closed. [ISC-Bugs #21377]
-- Added a sleep call after killing the old client to allow time
- for the sockets to be cleaned. This should allow the -r option
- to work more consistently.
- [ISC-Bugs #18175]
+- Modify the exception handling for initial context creation. Previously
+ we would try and clean up before exiting. This could present problems
+ when the cleanup required part of the context that wasn't available. It
+ also didn't do much as we exited afterwards anyway. Now we simply log
+ the error and exit. [ISC-Bugs #21093]
-- Missing files for ISC DHCP Developer's Guide are now included in
- the release tarballs. To generate this documentation, please use
- make devel command in doc directory. [ISC-Bugs #32767]
+- A bug was fixed that could cause the DHCPv6 server to advertise/assign a
+ previously allocated (active) lease to a client that has changed subnets,
+ despite being on different shared networks. Dynamic prefixes specifically
+ allocated in shared networks also now are not offered if the client has
+ moved. [ISC-Bugs #21152]
-- Update client script for use with openwrt.
- [ISC-Bugs #29843]
+- Add some debugging output for use with the DDNS code. [ISC-Bugs #20916]
-- Fix the socket handling for DHCPv6 clients to allow multiple instances
- of a client on a single machine to work properly. Previously only
- one client would receive the packets. Thanks to Jiri Popelka at Red Hat
- for the bug report and a potential patch.
- [ISC-Bugs #34784]
+- Fix the trace code to handle timing events better and to truncate a file
+ before using instead of overwriting it. [ISC-Bugs #20969]
-- Added support for gentle shutdown after signal is received.
- [ISC-Bugs #32692] [ISC-Bugs 34945]
+- Modify the determination of the default TTL to use for DDNS updates.
+ The user may still configure the ttl via ddns-ttl. The default for
+ both v4 and v6 is now 1/2 the (preferred) lease time with a limit. The
+ previous defaults (1/2 lease time without a limit for v4 and a default
+ value for v6) may be used by defining USE_OLD_DDNS_TTL in site.h
+ [ISC-Bugs #21126]
-- Enhance the DHCPv6 server logging to include the addresses that are assigned
- to the clients.
- [ISC-Bugs #26377]
+- libisc/libdns is now brought up to version 9.7.1rc1. This corrects
+ three reported flaws in ISC DHCP;
-- Fix an operation in the DDNS code to be a bitwise instead of logical or.
- [ISC-Bugs #35138]
+ o DHCP processes (dhcpd, dhclient) fail to start if one of either the
+ IPv4 or IPv6 address families is not present. [ISC-Bugs #21122]
- Changes since 4.2.4
+ o Assertion failure when attempting to cancel a previously running DDNS
+ update. [ISC-Bugs #21133]
-- Correct code to calculate timing values in client to compare
- rebind value to infinity instead of renew value.
- Thanks to Chenda Huang from H3C Technologies Co., Limited
- for reporting this issue.
- [ISC-Bugs #29062]
+ o Compilation failure of libisc/libdns due to the use of a flexible
+ array member. [ISC-Bugs #21316]
-- Fix some issues in the code for parsing and printing options.
- [ISC-Bugs #22625] - properly print options that have several fields
- followed by an array of something for example "fIa"
- [ISC-Bugs #27289] - properly parse options in declarations that have
- several fields followed by an array of something for example "fIa"
- [ISC-Bugs #27296] - properly determine if we parsed a 16 or 32 bit
- value in evaluate_numeric_expression (extract-int).
- [ISC-Bugs #27314] - properly parse a zero length option from
- a lease file. Thanks to Marius Tomaschewski from SUSE for the report
- and prototype patch for this ticket as well as ticket 27289.
+- Add declaration for variable in debug code in alloc.c. [ISC-Bugs #21472]
-! Previously the server code was relaxed to allow packets with zero
- length client ids to be processed. Under some situations use of
- zero length client ids can cause the server to go into an infinite
- loop. As such ids are not valid according to RFC 2132 section 9.14
- the server no longer accepts them. Client ids with a length of 1
- are also invalid but the server still accepts them in order to
- minimize disruption. The restriction will likely be tightened in
- the future to disallow ids with a length of 1.
- Thanks to Markus Hietava of Codenomicon CROSS project for the
- finding this issue and CERT-FI for vulnerability coordination.
- [ISC-Bugs #29851]
- CVE: CVE-2012-3571
+- Documentation cleanup covering multiple tickets
+ [ISC-Bugs #20265] [ISC-Bugs #20259] minor cleanup
+ [ISC-Bugs #20263] add text describing some default values
+ [ISC-Bugs #20193] single quotes at the start of a line indicate a control
+ line to nroff, escape them if we actually want a quote.
+ [ISC-Bugs #18916] sync the pointer to web pages amongst the different docs
-! When attempting to convert a DUID from a client id option
- into a hardware address handle unexpected client ids properly.
- Thanks to Markus Hietava of Codenomicon CROSS project for the
- finding this issue and CERT-FI for vulnerability coordination.
- [ISC-Bugs #29852]
- CVE: CVE-2012-3570
+- 'get-host-names true;' now also works even if 'use-host-decl-names true;'
+ was also configured. The nature of this repair also fixes another
+ error; the host-name supplied by a client is no longer overridden by a
+ reverse lookup of the lease address. Thanks to a patch from Wilco Baan
+ Hofman supplied to us by the Debian package maintenance team.
+ [ISC-Bugs #21691] {Debian Bug#509445}
-! A pair of memory leaks were found and fixed. Thanks to
- Glen Eustace of Massey University, New Zealand for finding
- this issue.
- [ISC-Bugs #30024]
- CVE: CVE-2012-3954
+- The .TH tag for the dhcp-options manpage was typo repaired
+ thanks to a report from jidanni and the Debian package maintenance
+ team. [ISC-Bugs #21676] {Debian Bug#563613}
-- Existing legacy unit-tests have been migrated to Automated Test
- Framework (ATF). Several new tests have been developed. To enable
- unit-tests, please use --with-atf in configure script. A Developer's
- Guide has been added. To generate it, please use make devel in
- the doc directory. It is currently in early stages of development,
- but is expected to grow in the near future. [ISC-Bugs 25901]
+- More documentation changes - primarily to put the options in the dhclient
+ and dhcpd man pages into the standard form. Thanks in part to a patch
+ from David Cantrell at Red Hat.
+ [ISC-Bugs #20264] and parts of [ISC-Bugs #17744] dhclient.8 changes
-! An issue with the use of lease times was found and fixed. Making
- certain changes to the end time of an IPv6 lease could cause the
- server to abort. Thanks to Glen Eustace of Massey University,
- New Zealand for finding this issue.
- [ISC-Bugs #30281]
- CVE: CVE-2012-3955
+- Add code to clear the pointer to an object in an OMAPI handle when the
+ object is freed due to a dereference. [ISC-Bugs #21306]
-- Update the memory leakage debug code to work with v6.
- [ISC-Bugs #30297]
+- Fixed a bug that leaks host record references onto lease structures,
+ causing the server to apply configuration intended for one host to any
+ other innocent clients that come along later. [ISC-Bugs #22018]
-- Relax the requirements for deleting an A or AAAA record.
- Previously the DDNS removal code required both the A or AAAA
- record and the TXT record to exist. This requirement could
- cause problems if something interrupted the removal leaving
- the TXT record alone. This relaxation was codified in RFC 4703.
- [ISC-Bugs #30734]
+- Minor code fixes
+ [ISC-Bugs #19566] When trying to find the zone for a name for ddns allow
+ the name to be at the apex of the zone.
+ [ISC-Bugs #19617] Restrict length of interface name read from command line
+ in dhcpd - based on a patch from David Cantrell at Red Hat.
+ [ISC-Bugs #20039] Correct some error messages in dhcpd.c
+ [ISC-Bugs #20070] Better range check on values when creating a DHCID.
+ [ISC-Bugs #20198] Avoid writing past the end of the field when adding
+ overly long file or server names to a packet and add a log message
+ if the configuration supplied overly long names for these fields.
+ Thanks to Martin Pala.
+ [ISC-Bugs #21497] Add a little more randomness to rng seed in client
+ thanks to a patch from Jeremiah Jinno.
-- Modify the failover code to handle incorrect peer names
- better. Previously the structure holding the name might
- have been freed inappropriately in some cases and not
- freed in other cases.
- [ISC-Bugs #30320]
+- Correct error handling in DLPI [ISC-Bugs #20378]
-- Add a configure option, enable-secs-byteorder, to deal with
- clients that do the byte ordering on the secs field incorrectly.
- This field should be in network byte order but some clients
- get it wrong. When this option is enabled the server will examine
- the secs field and if it looks wrong (high byte non zero and low
- byte zero) swap the bytes. The default is disabled. This option
- is only useful when doing load balancing within failover.
- [ISC-Bugs #26108]
+- Remove __sun__ and __hpux__ typedefs in osdep.h as they are now being
+ checked in configure. [ISC-Bugs #20443]
-- Fix a set of issues that were discovered via a code inspection
- tool. Thanks to Jiri Popelka and Tomas Hozza Red Hat for the logs
- and patches.
- [ISC-Bugs #23833]
+- Modify how the cmsg header is allocated the v6 send and received routines
+ to compile on more compilers. [ISC-Bugs #20524]
-- Parsing unquoted base64 strings improved. Parser now properly handles
- strings that contain reserved names. [ISC-Bugs #23048]
-
-- Modify the nak_lease function to make some attempts to find a
- server-identifier option to use for the NAK.
- [ISC-Bugs #25689]
-
-- The client now passes information about the options it requested
- from the server to the script code via environment variables.
- These variables are of the form requested_<option_name>=1 with
- the option name being the same as used in the new_* and old_*
- variables.
- [ISC-Bugs #29068]
-
-- Add support for a simple check that the server id in a request message
- to a failover peer matches the server id of the server. This support
- is enabled by editing the file includes/site.h and uncommenting the
- definition for SERVER_ID_CHECK. The option has several restrictions
- and issues - please read the comment in the site.h file before
- enabling it.
- [ISC-Bugs #31463]
-
-- Tidy up some compiler issues in the debug code.
- [ISC-Bugs #26460]
-
-- Move the dhcpd.conf exmample file to dhcpd.conf.example to avoid
- overwriting the dhcpd.conf file when installing a new version of
- ISC DHCP. The user will now need to manual copy and edit the
- dhcpd.conf file as desired.
- [ISC-Bugs #19337]
-
-- Check the status value when trying to read from a connection to
- see if it may have been closed. If it appears closed don't try
- to read from it again. This avoids a potential busy-wait like
- loop when the peer names are mismatched.
- [ISC-Bugs #31231]
-
-- Remove an unused variable to keep compilers happy.
- [ISC-Bugs #31983]
-
-- Modify test makefiles to be more similar to standard makefiles
- and comment out a currently unused test.
- [ISC-Bugs #32089]
-
- Changes since 4.2.3
+- When parsing a domain name free the memory for the name after we are
+ done with it. [ISC-Bugs #20824]
-! Add a check for a null pointer before calling the regexec function.
- Without this check we could, under some circumstances, pass
- a null pointer to the regexec function causing it to segfault.
- Thanks to a report from BlueCat Networks.
- [ISC-Bugs #26704].
- CVE: CVE-2011-4539
+- Add an elapsed time option to the release message and refactor the
+ code to move most of the common code to a single routine.
+ [ISC-Bugs #21171].
-! Modify the DDNS handling code. In a previous patch we added logging
- code to the DDNS handling. This code included a bug that caused it
- to attempt to dereference a NULL pointer and eventually segfault.
- While reviewing the code as we addressed this problem, we determined
- that some of the updates to the lease structures would not work as
- planned since the structures being updated were in the process of
- being freed: these updates were removed. In addition we removed an
- incorrect call to the DDNS removal function that could cause a failure
- during the removal of DDNS information from the DNS server.
- Thanks to Jasper Jongmans for reporting this issue.
- [ISC-Bugs #27078]
- CVE: CVE-2011-4868
+- Two identical log messages for commit_leases() have been disambiguated.
+ [ISC-Bugs #18915]
-- Fixed the code that checks if an address the server is planning
- to hand out is in a reserved range. This would appear as
- the server being out of addresses in pools with particular ranges.
- [ISC-Bugs #26498]
+- Parse date strings more properly - the code now handles semi-colons in
+ date strings correctly. Thanks to a patch from Jiri Popelka at Red Hat.
+ [ISC-Bugs #21501, #20598]
-- In the DDNS code handle error conditions more gracefully and add more
- logging code. The major change is to handle unexpected cancel events
- from the DNS client code.
- [ISC-Bugs #26287]
+- Fixes to lease input and output.
+ [ISC-Bugs #20418] - Some systems don't support the "%s" argument to
+ strftime, paste together the same string using mktime instead.
+ [ISC-Bugs #19596] - When parsing iaid values accept printable
+ characters.
+ [ISC-Bugs #21585] - Always print time values in omshell as hex
+ instead of ascii if the values happen to be printable characters.
-- Tidy up the receive calls and eliminate the need for found_pkt.
- [ISC-Bugs #25066]
-
-- Add support for Infiniband over sockets to the server and
- relay code. We've tested this on Solaris and hope to expand
- support for Infiniband in the future. This patch also corrects
- some issues we found in the socket code.
- [ISC-Bugs #24245]
+- Minor changes for scripts, configure.ac and Makefiles
+ [ISC-Bugs #19147] Use domain-search instead of domain-name in manual and
+ example conf file. Thanks to a patch from David Cantrell
+ at Red Hat.
+ [ISC-Bugs #19761] Restore address when doing a rebind in DHCPv6
+ [ISC-Bugs #19945] Properly close the quote on some arguments.
+ [ISC-Bugs #20952] Add 64 bit types to configure.ac
+ [ISC-Bugs #21308] Add "PATH=" to CLIENT_PATH envrionment variable
-- Add a compile time check for the presence of the noreturn attribute
- and use it for log_fatal if it's available. This will help code
- checking programs to eliminate false positives.
- [ISC-Bugs #27539]
+- Update the code to parse dhcpv6 lease files to accept a semi-colon at
+ the end of the max-life and preferred-life clauses. In order to be
+ backwards compatible with older lease files not finding a semi-colon
+ is also accepted. [ISC-Bugs #22303].
-- Fixed many compilation problems ("set, but not used" warnings) for
- gcc 4.6 that may affect Ubuntu 11.10 users. [ISC-Bugs #27588]
+! Handle a relay forward message with an unspecified address in the
+ link address field. Previously such a message would cause the
+ server to crash. Thanks to a report from John Gibbons. [ISC-Bugs #21992]
+ CERT: VU#102047 CVE: CVE-2010-3611
-- Modify the code that determines if an outstanding DDNS request
- should be cancelled. This patch results in cancelling the
- outstanding request less often. It fixes the problem caused
- by a client doing a release where the TXT and PTR records
- weren't removed from the DNS.
- [ISC-BUGS #27858]
+- ./configure on longer searches for -lcrypto to explicitly link against.
+ This fixes a bug where 'dhclient' would have shared library dependencies
+ on '/usr/lib'. [ISC-Bugs #21967]
-- Use offsetof() instead of sizeof() to get the sizes for dhcpv6_relay_packet
- and dhcpv6_packet in several more places. Thanks to a report from
- Bruno Verstuyft and Vincent Demaertelaere of Excentis.
- [ISC-Bugs #27941]
+- Handle pipe failures more gracefully. Some OSes pass a SIGPIPE
+ signal to a process and will kill the process if the signal isn't
+ caught. This patch adds code to turn off the SIGPIPE signal via
+ a setsockopt() call. The signal is already being ignored as part
+ of the ISC library. [ISC-Bugs #22269]
-- Remove outdated note in the description of the bootp keyword about the
- option not satisfying the requirement of failover peers for denying
- dynamic bootp clients.
- [ISC-bugs #28574]
+- Restore printing of values in omshell to the style pre 21585. For
+ 21585 we changed the print routines to always display time values
+ as a hex list. This had a side effect of printing all data strings
+ as a hex list. We shall investigate other ways of displaying time
+ values more usefully. [ISC-Bugs #22626]
-- Multiple items to clean up IPv6 address processing.
- When processing an IA that we've seen check to see if the
- addresses are usable (not in use by somebody else) before
- handing it out.
- When reading in leases from the file discard expired addresses.
- When picking an address for a client include the IA ID in
- addition to the client ID to generally pick different addresses
- for different IAs.
- [ISC-Bugs #23138] [ISC-Bugs #27945] [ISC-Bugs #25586]
- [ISC-Bugs #27684]
+! Fix the handling of connection requests on the failover port.
+ Previously a connection request from a source that wasn't
+ listed as a failover peer would cause the server to become
+ non-responsive. Thanks to a report from Brad Bendily, brad@bendily.com.
+ [ISC-Bugs #22679]
+ CERT: VU#159528 CVE: CVE-2010-3616
-- Remove unnecessary checks in the lease query code and clean up
- several compiler issues (some dereferences of NULL and treating
- an int as a boolean).
- [ISC-Bugs #26203]
+- Don't pass the ISC_R_INPROGRESS status to the omapi signal handlers.
+ Passing it through to the handlers caused the omshell program to fail
+ to connect to the server. [ISC-Bugs #21839]
-- Fix the NA and PD allocation code to handle the case where a client
- provides a preference and the server doesn't have any addresses or
- prefixes available. Previously the server ignored the request with
- this patch it replies with a NoAddrsAvail or NoPrefixAvail response.
- By default the code performs according to the errata of August 2010
- for RFC 3315 section 17.2.2; to enable the previous style see the
- section on RFC3315_PRE_ERRATA_2010_08 in includes/site.h. This option
- may be removed in the future.
- Thanks to Jiri Popelka at Red Hat for the patch.
- [ISC-Bugs #22676]
+- Fix the paranthesis in the code to process configuration statements
+ beginning with "auth". The previous arrangement caused
+ "auto-partner-down" to be processed incorrectly. [ISC-Bugs #21854]
-- Fix up some issues found by static analysis.
- A potential memory leak and NULL dereference in omapi.
- The use of a boolean test instead of a bitwise test in dst.
- [ISC-Bugs #28941]
+- Limit the timeout period allowed in the dispatch code to 2^^32-1 seconds.
+ Thanks to a report from Jiri Popelka at Red Hat.
+ [ISC-Bugs #22033], [Red Hat Bug #628258]
-- Rotate the lease file when running in v6 mode.
- Thanks to Christoph Moench-Tegeder at Astaro for the
- report and the first version of the patch.
- [ISC-Bugs #24887]
+- When processing the format flags for a given option consume the
+ flag indicating an optional value correctly. A symptom of this
+ bug was an infinite loop when trying to parse the slp-service-scope
+ option. Thanks to a patch from Marius Tomaschewski.
+ [ISC-Bugs #22055]
- Changes since 4.2.2
+- Disable the use of kqueue in the ISC library. This avoids a problem
+ between the fork and socket code that caused the dhcpd process to
+ use all available cpu if the program daemonized itself.
+ [ISC-Bugs #21911]
-- Fix the code that checks for an existing DDNS transaction to cancel
- when removing DDNS information, so that we will continue with the
- processing if we have a lease even if it doesn't have an outstanding
- transaction. [ISC-Bugs #24682]
+! When processing a request in the DHCPv6 server code that specifies
+ an address that is tagged as abandoned (meaning we received a
+ decline request for it previously) don't attempt to move it from
+ the inactive to active pool as doing so can result in the server
+ crashing on an assert failure. Also retag the lease as active
+ and reset its timeout value.
+ [ISC-Bugs #21921]
+
+- Removed the restriction on using IPv6 addresses in IPv4 mode. This
+ allows IPv4 options which contain IPv6 addresses to be specified. For
+ example the 6rd option can be specified and used like this:
+ [ISC-Bugs #23039]
-- Add AM_MAINTAINER_MODE to configure.ac to avoid rebuilding
- configuration files. [ISC-Bugs #24107]
+ option 6rd code 212 = { integer 8, integer 8,
+ ip6-address, array of ip-address };
+ option 6rd 16 10 2001:: 1.2.3.4, 5.6.7.8;
-- Add support for passing DDNS information to a DNS server over
- an IPv6 address. [ISC-Bugs #22647]
+- Handle some DDNS corner cases better. Maintain the DDNS transaction
+ information when updating a lease and cancel any existing transactions
+ when removing the ddns information.
+ [ISC-Bugs #23103]
-- Enhanced patch for 23595 to handle IPv4 fixed addresses more
- cleanly. [ISC-Bugs #23595]
+- Some fixes for LDAP
+ [ISC-Bugs #21783] - Include lber library when building ldap
+ [ISC-Bugs #22888] - Enable the ldap code when buidling common
+ The above fixes are from Jiri Popelka at Red Hat.
- Changes since 4.2.1
+- Modify the dlpi code to accept getmsg() returning a positive value.
+ [ISC-Bugs #22824]
! In dhclient check the data for some string options for
reasonableness before passing it along to the script that
CVE-2011-2748
CVE-2011-2749
- Changes since 4.2.0
+- Fix the code that checks for an existing DDNS transaction to cancel
+ when removing DDNS information, so that we will continue with the
+ processing if we have a lease even if it doesn't have an outstanding
+ transaction. [ISC-Bugs #24682]
-- Documentation cleanup covering multiple tickets
- [ISC-Bugs #20265] [ISC-Bugs #20259] minor cleanup
- [ISC-Bugs #20263] add text describing some default values
- [ISC-Bugs #20193] single quotes at the start of a line indicate a control
- line to nroff, escape them if we actually want a quote.
- [ISC-Bugs #18916] sync the pointer to web pages amongst the different docs
+- Add AM_MAINTAINER_MODE to configure.ac to avoid rebuilding
+ configuration files. [ISC-Bugs #24107]
-- 'get-host-names true;' now also works even if 'use-host-decl-names true;'
- was also configured. The nature of this repair also fixes another
- error; the host-name supplied by a client is no longer overridden by a
- reverse lookup of the lease address. Thanks to a patch from Wilco Baan
- Hofman supplied to us by the Debian package maintenance team.
- [ISC-Bugs #21691] {Debian Bug#509445}
+- Add support for passing DDNS information to a DNS server over
+ an IPv6 address. [ISC-Bugs #22647]
-- The .TH tag for the dhcp-options manpage was typo repaired
- thanks to a report from jidanni and the Debian package maintenance
- team. [ISC-Bugs #21676] {Debian Bug#563613}
-
-- More documentation changes - primarily to put the options in the dhclient
- and dhcpd man pages into the standard form. Thanks in part to a patch
- from David Cantrell at Red Hat.
- [ISC-Bugs #20264] and parts of [ISC-Bugs #17744] dhclient.8 changes
-
-- Add code to clear the pointer to an object in an OMAPI handle when the
- object is freed due to a dereference. [ISC-Bugs #21306]
-
-- Fixed a bug that leaks host record references onto lease structures,
- causing the server to apply configuration intended for one host to any
- other innocent clients that come along later. [ISC-Bugs #22018]
-
-- Minor code fixes
- [ISC-Bugs #19566] When trying to find the zone for a name for ddns allow
- the name to be at the apex of the zone.
- [ISC-Bugs #19617] Restrict length of interface name read from command line
- in dhcpd - based on a patch from David Cantrell at Red Hat.
- [ISC-Bugs #20039] Correct some error messages in dhcpd.c
- [ISC-Bugs #20070] Better range check on values when creating a DHCID.
- [ISC-Bugs #20198] Avoid writing past the end of the field when adding
- overly long file or server names to a packet and add a log message
- if the configuration supplied overly long names for these fields.
- Thanks to Martin Pala.
- [ISC-Bugs #21497] Add a little more randomness to rng seed in client
- thanks to a patch from Jeremiah Jinno.
+- Enhanced patch for 23595 to handle IPv4 fixed addresses more
+ cleanly. [ISC-Bugs #23595]
-- Correct error handling in DLPI [ISC-Bugs #20378]
+! Add a check for a null pointer before calling the regexec function.
+ Without this check we could, under some circumstances, pass
+ a null pointer to the regexec function causing it to segfault.
+ Thanks to a report from BlueCat Networks.
+ [ISC-Bugs #26704].
+ CVE: CVE-2011-4539
-- Remove __sun__ and __hpux__ typedefs in osdep.h as they are now being
- checked in configure. [ISC-Bugs #20443]
+! Modify the DDNS handling code. In a previous patch we added logging
+ code to the DDNS handling. This code included a bug that caused it
+ to attempt to dereference a NULL pointer and eventually segfault.
+ While reviewing the code as we addressed this problem, we determined
+ that some of the updates to the lease structures would not work as
+ planned since the structures being updated were in the process of
+ being freed: these updates were removed. In addition we removed an
+ incorrect call to the DDNS removal function that could cause a failure
+ during the removal of DDNS information from the DNS server.
+ Thanks to Jasper Jongmans for reporting this issue.
+ [ISC-Bugs #27078]
+ CVE: CVE-2011-4868
-- Modify how the cmsg header is allocated the v6 send and received routines
- to compile on more compilers. [ISC-Bugs #20524]
+- Fixed the code that checks if an address the server is planning
+ to hand out is in a reserved range. This would appear as
+ the server being out of addresses in pools with particular ranges.
+ [ISC-Bugs #26498]
-- When parsing a domain name free the memory for the name after we are
- done with it. [ISC-Bugs #20824]
+- In the DDNS code handle error conditions more gracefully and add more
+ logging code. The major change is to handle unexpected cancel events
+ from the DNS client code.
+ [ISC-Bugs #26287]
-- Add an elapsed time option to the release message and refactor the
- code to move most of the common code to a single routine.
- [ISC-Bugs #21171].
+- Tidy up the receive calls and eliminate the need for found_pkt.
+ [ISC-Bugs #25066]
+
+- Add support for Infiniband over sockets to the server and
+ relay code. We've tested this on Solaris and hope to expand
+ support for Infiniband in the future. This patch also corrects
+ some issues we found in the socket code.
+ [ISC-Bugs #24245]
-- Two identical log messages for commit_leases() have been disambiguated.
- [ISC-Bugs #18915]
+- Add a compile time check for the presence of the noreturn attribute
+ and use it for log_fatal if it's available. This will help code
+ checking programs to eliminate false positives.
+ [ISC-Bugs #27539]
-- Parse date strings more properly - the code now handles semi-colons in
- date strings correctly. Thanks to a patch from Jiri Popelka at Red Hat.
- [ISC-Bugs #21501, #20598]
+- Fixed many compilation problems ("set, but not used" warnings) for
+ gcc 4.6 that may affect Ubuntu 11.10 users. [ISC-Bugs #27588]
-- Fixes to lease input and output.
- [ISC-Bugs #20418] - Some systems don't support the "%s" argument to
- strftime, paste together the same string using mktime instead.
- [ISC-Bugs #19596] - When parsing iaid values accept printable
- characters.
- [ISC-Bugs #21585] - Always print time values in omshell as hex
- instead of ascii if the values happen to be printable characters.
+- Modify the code that determines if an outstanding DDNS request
+ should be cancelled. This patch results in cancelling the
+ outstanding request less often. It fixes the problem caused
+ by a client doing a release where the TXT and PTR records
+ weren't removed from the DNS.
+ [ISC-BUGS #27858]
-- Minor changes for scripts, configure.ac and Makefiles
- [ISC-Bugs #19147] Use domain-search instead of domain-name in manual and
- example conf file. Thanks to a patch from David Cantrell
- at Red Hat.
- [ISC-Bugs #19761] Restore address when doing a rebind in DHCPv6
- [ISC-Bugs #19945] Properly close the quote on some arguments.
- [ISC-Bugs #20952] Add 64 bit types to configure.ac
- [ISC-Bugs #21308] Add "PATH=" to CLIENT_PATH envrionment variable
+- Use offsetof() instead of sizeof() to get the sizes for dhcpv6_relay_packet
+ and dhcpv6_packet in several more places. Thanks to a report from
+ Bruno Verstuyft and Vincent Demaertelaere of Excentis.
+ [ISC-Bugs #27941]
-- Update the code to parse dhcpv6 lease files to accept a semi-colon at
- the end of the max-life and preferred-life clauses. In order to be
- backwards compatible with older lease files not finding a semi-colon
- is also accepted. [ISC-Bugs #22303].
+- Remove outdated note in the description of the bootp keyword about the
+ option not satisfying the requirement of failover peers for denying
+ dynamic bootp clients.
+ [ISC-bugs #28574]
-! Handle a relay forward message with an unspecified address in the
- link address field. Previously such a message would cause the
- server to crash. Thanks to a report from John Gibbons. [ISC-Bugs #21992]
- CERT: VU#102047 CVE: CVE-2010-3611
+- Multiple items to clean up IPv6 address processing.
+ When processing an IA that we've seen check to see if the
+ addresses are usable (not in use by somebody else) before
+ handing it out.
+ When reading in leases from the file discard expired addresses.
+ When picking an address for a client include the IA ID in
+ addition to the client ID to generally pick different addresses
+ for different IAs.
+ [ISC-Bugs #23138] [ISC-Bugs #27945] [ISC-Bugs #25586]
+ [ISC-Bugs #27684]
-- ./configure on longer searches for -lcrypto to explicitly link against.
- This fixes a bug where 'dhclient' would have shared library dependencies
- on '/usr/lib'. [ISC-Bugs #21967]
+- Remove unnecessary checks in the lease query code and clean up
+ several compiler issues (some dereferences of NULL and treating
+ an int as a boolean).
+ [ISC-Bugs #26203]
-- Handle pipe failures more gracefully. Some OSes pass a SIGPIPE
- signal to a process and will kill the process if the signal isn't
- caught. This patch adds code to turn off the SIGPIPE signal via
- a setsockopt() call. The signal is already being ignored as part
- of the ISC library. [ISC-Bugs #22269]
+- Fix the NA and PD allocation code to handle the case where a client
+ provides a preference and the server doesn't have any addresses or
+ prefixes available. Previously the server ignored the request with
+ this patch it replies with a NoAddrsAvail or NoPrefixAvail response.
+ By default the code performs according to the errata of August 2010
+ for RFC 3315 section 17.2.2; to enable the previous style see the
+ section on RFC3315_PRE_ERRATA_2010_08 in includes/site.h. This option
+ may be removed in the future.
+ Thanks to Jiri Popelka at Red Hat for the patch.
+ [ISC-Bugs #22676]
-- Restore printing of values in omshell to the style pre 21585. For
- 21585 we changed the print routines to always display time values
- as a hex list. This had a side effect of printing all data strings
- as a hex list. We shall investigate other ways of displaying time
- values more usefully. [ISC-Bugs #22626]
+- Fix up some issues found by static analysis.
+ A potential memory leak and NULL dereference in omapi.
+ The use of a boolean test instead of a bitwise test in dst.
+ [ISC-Bugs #28941]
-! Fix the handling of connection requests on the failover port.
- Previously a connection request from a source that wasn't
- listed as a failover peer would cause the server to become
- non-responsive. Thanks to a report from Brad Bendily, brad@bendily.com.
- [ISC-Bugs #22679]
- CERT: VU#159528 CVE: CVE-2010-3616
+- Rotate the lease file when running in v6 mode.
+ Thanks to Christoph Moench-Tegeder at Astaro for the
+ report and the first version of the patch.
+ [ISC-Bugs #24887]
-- Don't pass the ISC_R_INPROGRESS status to the omapi signal handlers.
- Passing it through to the handlers caused the omshell program to fail
- to connect to the server. [ISC-Bugs #21839]
+- Correct code to calculate timing values in client to compare
+ rebind value to infinity instead of renew value.
+ Thanks to Chenda Huang from H3C Technologies Co., Limited
+ for reporting this issue.
+ [ISC-Bugs #29062]
-- Fix the paranthesis in the code to process configuration statements
- beginning with "auth". The previous arrangement caused
- "auto-partner-down" to be processed incorrectly. [ISC-Bugs #21854]
+- Fix some issues in the code for parsing and printing options.
+ [ISC-Bugs #22625] - properly print options that have several fields
+ followed by an array of something for example "fIa"
+ [ISC-Bugs #27289] - properly parse options in declarations that have
+ several fields followed by an array of something for example "fIa"
+ [ISC-Bugs #27296] - properly determine if we parsed a 16 or 32 bit
+ value in evaluate_numeric_expression (extract-int).
+ [ISC-Bugs #27314] - properly parse a zero length option from
+ a lease file. Thanks to Marius Tomaschewski from SUSE for the report
+ and prototype patch for this ticket as well as ticket 27289.
-- Limit the timeout period allowed in the dispatch code to 2^^32-1 seconds.
- Thanks to a report from Jiri Popelka at Red Hat.
- [ISC-Bugs #22033], [Red Hat Bug #628258]
+! Previously the server code was relaxed to allow packets with zero
+ length client ids to be processed. Under some situations use of
+ zero length client ids can cause the server to go into an infinite
+ loop. As such ids are not valid according to RFC 2132 section 9.14
+ the server no longer accepts them. Client ids with a length of 1
+ are also invalid but the server still accepts them in order to
+ minimize disruption. The restriction will likely be tightened in
+ the future to disallow ids with a length of 1.
+ Thanks to Markus Hietava of Codenomicon CROSS project for the
+ finding this issue and CERT-FI for vulnerability coordination.
+ [ISC-Bugs #29851]
+ CVE: CVE-2012-3571
-- When processing the format flags for a given option consume the
- flag indicating an optional value correctly. A symptom of this
- bug was an infinite loop when trying to parse the slp-service-scope
- option. Thanks to a patch from Marius Tomaschewski.
- [ISC-Bugs #22055]
+! When attempting to convert a DUID from a client id option
+ into a hardware address handle unexpected client ids properly.
+ Thanks to Markus Hietava of Codenomicon CROSS project for the
+ finding this issue and CERT-FI for vulnerability coordination.
+ [ISC-Bugs #29852]
+ CVE: CVE-2012-3570
-- Disable the use of kqueue in the ISC library. This avoids a problem
- between the fork and socket code that caused the dhcpd process to
- use all available cpu if the program daemonized itself.
- [ISC-Bugs #21911]
+! A pair of memory leaks were found and fixed. Thanks to
+ Glen Eustace of Massey University, New Zealand for finding
+ this issue.
+ [ISC-Bugs #30024]
+ CVE: CVE-2012-3954
-! When processing a request in the DHCPv6 server code that specifies
- an address that is tagged as abandoned (meaning we received a
- decline request for it previously) don't attempt to move it from
- the inactive to active pool as doing so can result in the server
- crashing on an assert failure. Also retag the lease as active
- and reset its timeout value.
- [ISC-Bugs #21921]
-
-- Removed the restriction on using IPv6 addresses in IPv4 mode. This
- allows IPv4 options which contain IPv6 addresses to be specified. For
- example the 6rd option can be specified and used like this:
- [ISC-Bugs #23039]
+- Existing legacy unit-tests have been migrated to Automated Test
+ Framework (ATF). Several new tests have been developed. To enable
+ unit-tests, please use --with-atf in configure script. A Developer's
+ Guide has been added. To generate it, please use make devel in
+ the doc directory. It is currently in early stages of development,
+ but is expected to grow in the near future. [ISC-Bugs 25901]
- option 6rd code 212 = { integer 8, integer 8,
- ip6-address, array of ip-address };
- option 6rd 16 10 2001:: 1.2.3.4, 5.6.7.8;
+! An issue with the use of lease times was found and fixed. Making
+ certain changes to the end time of an IPv6 lease could cause the
+ server to abort. Thanks to Glen Eustace of Massey University,
+ New Zealand for finding this issue.
+ [ISC-Bugs #30281]
+ CVE: CVE-2012-3955
-- Handle some DDNS corner cases better. Maintain the DDNS transaction
- information when updating a lease and cancel any existing transactions
- when removing the ddns information.
- [ISC-Bugs #23103]
+- Update the memory leakage debug code to work with v6.
+ [ISC-Bugs #30297]
-- Some fixes for LDAP
- [ISC-Bugs #21783] - Include lber library when building ldap
- [ISC-Bugs #22888] - Enable the ldap code when buidling common
- The above fixes are from Jiri Popelka at Red Hat.
+- Relax the requirements for deleting an A or AAAA record.
+ Previously the DDNS removal code required both the A or AAAA
+ record and the TXT record to exist. This requirement could
+ cause problems if something interrupted the removal leaving
+ the TXT record alone. This relaxation was codified in RFC 4703.
+ [ISC-Bugs #30734]
-- Modify the dlpi code to accept getmsg() returning a positive value.
- [ISC-Bugs #22824]
+- Modify the failover code to handle incorrect peer names
+ better. Previously the structure holding the name might
+ have been freed inappropriately in some cases and not
+ freed in other cases.
+ [ISC-Bugs #30320]
- Changes since 4.2.0b2
+- Add a configure option, enable-secs-byteorder, to deal with
+ clients that do the byte ordering on the secs field incorrectly.
+ This field should be in network byte order but some clients
+ get it wrong. When this option is enabled the server will examine
+ the secs field and if it looks wrong (high byte non zero and low
+ byte zero) swap the bytes. The default is disabled. This option
+ is only useful when doing load balancing within failover.
+ [ISC-Bugs #26108]
-- Add declaration for variable in debug code in alloc.c. [ISC-Bugs #21472]
+- Fix a set of issues that were discovered via a code inspection
+ tool. Thanks to Jiri Popelka and Tomas Hozza Red Hat for the logs
+ and patches.
+ [ISC-Bugs #23833]
- Changes since 4.2.0b1
+- Parsing unquoted base64 strings improved. Parser now properly handles
+ strings that contain reserved names. [ISC-Bugs #23048]
-- Prohibit including lease time information in a response to a DHCP INFORM.
- [ISC-Bugs #21092]
+- Modify the nak_lease function to make some attempts to find a
+ server-identifier option to use for the NAK.
+ [ISC-Bugs #25689]
-! Accept a client id of length 0 while hashing. Previously the server would
- exit if it attempted to hash a zero length client id, providing attackers
- with a simple denial of service attack. [ISC-Bugs #21253]
- CERT: VU#541921 - CVE: CVE-2010-2156
+- The client now passes information about the options it requested
+ from the server to the script code via environment variables.
+ These variables are of the form requested_<option_name>=1 with
+ the option name being the same as used in the new_* and old_*
+ variables.
+ [ISC-Bugs #29068]
-- A memory leak in ddns processing was closed. [ISC-Bugs #21377]
+- Add support for a simple check that the server id in a request message
+ to a failover peer matches the server id of the server. This support
+ is enabled by editing the file includes/site.h and uncommenting the
+ definition for SERVER_ID_CHECK. The option has several restrictions
+ and issues - please read the comment in the site.h file before
+ enabling it.
+ [ISC-Bugs #31463]
-- Modify the exception handling for initial context creation. Previously
- we would try and clean up before exiting. This could present problems
- when the cleanup required part of the context that wasn't available. It
- also didn't do much as we exited afterwards anyway. Now we simply log
- the error and exit. [ISC-Bugs #21093]
+- Tidy up some compiler issues in the debug code.
+ [ISC-Bugs #26460]
-- A bug was fixed that could cause the DHCPv6 server to advertise/assign a
- previously allocated (active) lease to a client that has changed subnets,
- despite being on different shared networks. Dynamic prefixes specifically
- allocated in shared networks also now are not offered if the client has
- moved. [ISC-Bugs #21152]
+- Move the dhcpd.conf exmample file to dhcpd.conf.example to avoid
+ overwriting the dhcpd.conf file when installing a new version of
+ ISC DHCP. The user will now need to manual copy and edit the
+ dhcpd.conf file as desired.
+ [ISC-Bugs #19337]
-- Add some debugging output for use with the DDNS code. [ISC-Bugs #20916]
+- Check the status value when trying to read from a connection to
+ see if it may have been closed. If it appears closed don't try
+ to read from it again. This avoids a potential busy-wait like
+ loop when the peer names are mismatched.
+ [ISC-Bugs #31231]
-- Fix the trace code to handle timing events better and to truncate a file
- before using instead of overwriting it. [ISC-Bugs #20969]
+- Remove an unused variable to keep compilers happy.
+ [ISC-Bugs #31983]
-- Modify the determination of the default TTL to use for DDNS updates.
- The user may still configure the ttl via ddns-ttl. The default for
- both v4 and v6 is now 1/2 the (preferred) lease time with a limit. The
- previous defaults (1/2 lease time without a limit for v4 and a default
- value for v6) may be used by defining USE_OLD_DDNS_TTL in site.h
- [ISC-Bugs #21126]
+- Modify test makefiles to be more similar to standard makefiles
+ and comment out a currently unused test.
+ [ISC-Bugs #32089]
-- libisc/libdns is now brought up to version 9.7.1rc1. This corrects
- three reported flaws in ISC DHCP;
+- Address static analysis warnings.
+ [ISC-Bugs #33510] [ISC-Bugs #33511]
- o DHCP processes (dhcpd, dhclient) fail to start if one of either the
- IPv4 or IPv6 address families is not present. [ISC-Bugs #21122]
+- Silence benign static analysis warnings.
+ [ISC-Bugs #33428]
- o Assertion failure when attempting to cancel a previously running DDNS
- update. [ISC-Bugs #21133]
+- Add check for 64-bit package for atf.
+ [ISC-Bugs #32206]
- o Compilation failure of libisc/libdns due to the use of a flexible
- array member. [ISC-Bugs #21316]
+- Use newer auto* tool packages and turn on RFC_3542 support on Mac OS.
+ [ISC-Bugs #26303]
- Changes since 4.2.0a2
+- Remove a variable when it isn't being used due to #ifdefs to avoid
+ a compiler warning on Solaris using GCC.
+ [ISC-Bugs #33032]
-- Update the fsync code to work with the changes to the DDNS code. It now
- uses a timer instead of noticing if there are no more packets to process.
+- Add a check for too much whitespace in a config or lease file.
+ Thanks to Paolo Pellegrino for finding the issue and a suggestion
+ for the patch.
+ [ISC-Bugs #33351]
-- When constructing the DNS name structure from a text string append
- the root to relative names. This satisfies a requirement in the DNS
- library that names be absolute instead of relative and prevents DHCP
- from crashing. [ISC-Bugs #21054]
+- Fix several problems with using OMAPI to manipulate class and subclass
+ objects.
+ [ISC-Bugs #27452]
-- "The LDAP Patch" that has been circulating for some time, written by
- Brian Masney and S.Kalyanasundraram and maintained for application to
- the DHCP-4 sources by David Cantrell has been included. Please be
- advised that these sources were contributed, and do not yet meet the
- high standards we place on production sources we include by default.
- As a result, the LDAP features are only included by using a compile-time
- option which defaults off, and if you enable it you do so under your
- own recognizance. We will be improving this software over time.
- [ISC-Bugs #17741]
+- Added a sleep call after killing the old client to allow time
+ for the sockets to be cleaned. This should allow the -r option
+ to work more consistently.
+ [ISC-Bugs #18175]
- Changes since 4.2.0a1
+- Missing files for ISC DHCP Developer's Guide are now included in
+ the release tarballs. To generate this documentation, please use
+ make devel command in doc directory. [ISC-Bugs #32767]
-- When using 'ignore client-updates;', the FQDN returned to the client
- is no longer truncated to one octet.
+- Update client script for use with openwrt.
+ [ISC-Bugs #29843]
-- Cleaned up an unused hardware address variable in nak_lease().
+- Fix the socket handling for DHCPv6 clients to allow multiple instances
+ of a client on a single machine to work properly. Previously only
+ one client would receive the packets. Thanks to Jiri Popelka at Red Hat
+ for the bug report and a potential patch.
+ [ISC-Bugs #34784]
-- Manpage entries for the ia-pd and ia-prefix options were updated to
- reflect support for prefix delegation.
+- Added support for gentle shutdown after signal is received.
+ [ISC-Bugs #32692] [ISC-Bugs 34945]
-- Cleaned up some compiler warnings
+- Enhance the DHCPv6 server logging to include the addresses that are assigned
+ to the clients.
+ [ISC-Bugs #26377]
-- An optimization described in the failover protocol draft is now included,
- which permits a DHCP server operating in communications-interrupted state
- to 'rewind' a lease to the state most recently transmitted to its peer,
- greatly increasing a server's endurance in communications-interrupted.
- This is supported using a new 'rewind state' record on the dhcpd.leases
- entry for each lease.
+- Fix an operation in the DDNS code to be a bitwise instead of logical or.
+ [ISC-Bugs #35138]
-- Fix the trace code which was broken by the changes to the DDNS code.
Changes since 4.1.0 (new features)
projects / thirdparty / dhcp.git / commitdiff
