<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
- <para>
- <command>named</command> could crash during recursive processing
- of DNAME records when <command>deny-answer-aliases</command> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
- </para>
- </listitem>
- <listitem>
- <para>
- When recursion is enabled but the <command>allow-recursion</command>
- and <command>allow-query-cache</command> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <command>allow-query</command>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </para>
- </listitem>
- <listitem>
- <para>
- The serve-stale feature could cause an assertion failure in
- rbtdb.c even when stale-answer-enable was false. The
- simultaneous use of stale cache records and NSEC aggressive
- negative caching could trigger a recursion loop in the
- <command>named</command> process. This flaw is disclosed in
- CVE-2018-5737. [GL #185]
- </para>
- </listitem>
- <listitem>
- <para>
- A bug in zone database reference counting could lead to a crash
- when multiple versions of a slave zone were transferred from a
- master in close succession. This flaw is disclosed in
- CVE-2018-5736. [GL #134]
- </para>
- </listitem>
- <listitem>
- <para>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> could crash if it managed a DNSSEC
- security root with <command>managed-keys</command> and the
- authoritative zone rolled the key to an algorithm not supported
- by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> leaked memory when processing a
- request with multiple Key Tag EDNS options present. ISC
- would like to thank Toshifumi Sakaguchi for bringing this
- to our attention. This flaw is disclosed in CVE-2018-5744.
- [GL #772]
- </para>
- </listitem>
- <listitem>
- <para>
- Zone transfer controls for writable DLZ zones were not
- effective as the <command>allowzonexfr</command> method was
- not being called for such zones. This flaw is disclosed in
- CVE-2019-6465. [GL #790]
+ <para>
+ In certain configurations, <command>named</command> could crash
+ with an assertion failure if <command>nxdomain-redirect</command>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</para>
</listitem>
</itemizedlist>
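Review bot: The added CVE-2019-6467 paragraph (the `+` lines ending `[GL #880]`) names the triggering condition but not the obvious operational consequence, so consider adding one sentence stating that servers not using `nxdomain-redirect` are unaffected and that the option can be left unset until the fixed version is deployed; the earlier `answer-cookie` entry in this file sets the precedent for spelling out option-level guidance. Separately, this hunk removes every previous entry, CVE-2018-5740 through CVE-2019-6465, without leaving a pointer to where they now live; confirm that is intentional for this release and that those entries survive in the notes for the versions that first shipped them, since this file is otherwise the only record of them.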
<itemizedlist>
<listitem>
<para>
- <command>update-policy</command> rules that otherwise ignore the
- name field now require that it be set to "." to ensure that any
- type list present is properly interpreted. Previously, if the
- name field was omitted from the rule declaration but a type list
- was present, it wouldn't be interpreted as expected.
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <command>root-key-sentinel no;</command> to
- <filename>named.conf</filename>. [GL #37]
- </para>
- </listitem>
- <listitem>
- <para>
- Add the ability to not return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned
- add <command>answer-cookie no;</command> to
- <filename>named.conf</filename>. [GL #173]
- </para>
- <para>
- <command>answer-cookie no</command> is only intended as a
- temporary measure, for use when <command>named</command>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the
- same address is not expected to cause operational problems,
- but the option to disable COOKIE responses so that all
- servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security
- mechanism, and should not be disabled unless absolutely
- necessary.
- </para>
- </listitem>
- <listitem>
- <para>
- Two new update policy rule types have been added
- <command>krb5-selfsub</command> and <command>ms-selfsub</command>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </para>
- </listitem>
- <listitem>
- <para>
- The new configure option <command>--enable-fips-mode</command>
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
+ None.
</para>
</listitem>
</itemizedlist>
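Review bot: Replacing the entire new-features list with `None.` drops two entries that change behaviour for existing configurations, namely the `update-policy` rule change (name field must now be "." when a type list is present) and `root-key-sentinel` being on unless explicitly disabled; if those features are in this release they must stay, and if they are not, the removal is correct but should be stated in the commit message. The removed `answer-cookie` paragraph also carried the caveat that DNS COOKIE should not be disabled unless absolutely necessary; if the option itself remains, that caveat should be retained in the ARM's option description rather than disappearing with this hunk.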
<itemizedlist>
<listitem>
<para>
- BIND now can be compiled against libidn2 library to add
- IDNA2008 support. Previously BIND only supported IDNA2003
- using (now obsolete) idnkit-1 library.
- </para>
- </listitem>
- <listitem>
- <para>
- <command>dig +noidnin</command> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </para>
- </listitem>
- <listitem>
- <para>
- The <command>rndc nta</command> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <command>-class</command>
- option. [GL #105]
- </para>
- </listitem>
- <listitem>
- <para>
- When compiled with IDN support, the <command>dig</command> and the
- <command>nslookup</command> commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when <command>dig</command> or <command>nslookup</command>
- is used from the shell scripts.
+ None.
</para>
</listitem>
</itemizedlist>
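Review bot: The dropped `dig`/`nslookup` IDN entry describes a change that alters output without any error when standard output is not a tty (IDN processing off, `+idnin`/`+idnout` required), which is exactly the kind of change scripts break on silently; if that behaviour ships in this release the entry needs to remain. Also note that the removed `rndc nta -class` entry `[GL #105]` is paired with the `[GL #105]` bug-fix entry in the following list, so the two should be removed or kept together to avoid a dangling reference.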
<itemizedlist>
<listitem>
<para>
- When a negative trust anchor was added to multiple views
- using <command>rndc nta</command>, the text returned via
- <command>rndc</command> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <command>named</command> to abort when loading zones. [GL #339]
+ None.
</para>
</listitem>
</itemizedlist>
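Review bot: The removed IXFR entry `[GL #339]` described a hardening change with direct operational impact, since secondaries whose incremental transfers exceed the limit will see them rejected; if that change is in this release, the entry should stay and should additionally say what happens after rejection (fallback to AXFR or a failed transfer), which the original wording did not. As with the other lists, confirm that `None.` is the intended state for this release rather than a placeholder left from copying the template.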