From: Ondřej Surý Date: Fri, 24 Sep 2021 07:58:47 +0000 (+0200) Subject: Add CHANGES and release note for [GL #2899] X-Git-Tag: v9.16.22~3^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01f400585157b4bc51250761101eda0469bd54f8;p=thirdparty%2Fbind9.git Add CHANGES and release note for [GL #2899] --- diff --git a/CHANGES b/CHANGES index 0a5210b4410..ed24d6011d1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +5736. [security] The "lame-ttl" option is now forcibly set to 0. This + effectively disables the lame server cache, as it could + previously be abused by an attacker to significantly + degrade resolver performance. (CVE-2021-25219) + [GL #2899] + 5727. [bug] Ignore the missing zones when doing a reload on a catalog zone, and make sure to restore them later on. [GL #2308] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 02995246994..1f4c147da20 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -14,7 +14,21 @@ Notes for BIND 9.16.22 Security Fixes ~~~~~~~~~~~~~~ -- None. +- The ``lame-ttl`` option controls how long ``named`` caches certain + types of broken responses from authoritative servers (see the + `security advisory `_ for + details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of ``lame-ttl`` to ``0`` and + overriding any explicitly set value with ``0``, effectively disabling + this mechanism altogether. ISC's testing has determined that doing + that has a negligible impact on resolver performance while also + preventing abuse. Administrators may observe more traffic towards + servers issuing certain types of broken responses than in previous + BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. :gl:`#2899` Known Issues ~~~~~~~~~~~~