From: Mark Andrews <marka@isc.org>
Date: Thu, 16 Jun 2011 01:32:43 +0000 (+0000)
Subject: update for re-tag of 9.6-ESV-R5rc1
X-Git-Tag: v9.6-ESV-R5rc1~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29b2abbbb4a38abc1b5a0a89db52acc6fec3444a;p=thirdparty%2Fbind9.git

update for re-tag of 9.6-ESV-R5rc1
---

diff --git a/RELEASE-NOTES-BIND-9.6-ESV.html b/RELEASE-NOTES-BIND-9.6-ESV.html
index 290359b220a..8392768ca3b 100644
--- a/RELEASE-NOTES-BIND-9.6-ESV.html
+++ b/RELEASE-NOTES-BIND-9.6-ESV.html
@@ -1,26 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!--
- - Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: RELEASE-NOTES-BIND-9.6-ESV.html,v 1.1.24.5 2011/05/31 00:51:09 tbox Exp $ -->
-
 <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
 
-  <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2871687"></a>Introduction</h2></div></div></div>
+  <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397648"></a>Introduction</h2></div></div></div>
     
     <p>
 			BIND 9.6-ESV-R5rc1 is the first release
@@ -33,7 +15,7 @@
 		</p>
   </div>
 
-  <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3738187"></a>Download</h2></div></div></div>
+  <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397612"></a>Download</h2></div></div></div>
     
     <p>
 			The latest release of BIND 9 software can always be found
@@ -45,7 +27,7 @@
 		</p>
   </div>
 
-  <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3738232"></a>Support</h2></div></div></div>
+  <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397703"></a>Support</h2></div></div></div>
     
     <p>Product support information is available on
       <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
@@ -56,9 +38,9 @@
     </p>
   </div>
 
-  <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3738176"></a>New Features</h2></div></div></div>
+  <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397838"></a>New Features</h2></div></div></div>
     
-		<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id3738244"></a>9.6-ESV-R5rc1</h3></div></div></div>
+		<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397843"></a>9.6-ESV-R5rc1</h3></div></div></div>
 			
 			<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
 Added a tool able to generate malformed packets to allow testing
@@ -68,11 +50,15 @@ of how named handles them.
 		</div>
   </div>
 
-  <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2871698"></a>Security Fixes</h2></div></div></div>
+  <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397763"></a>Security Fixes</h2></div></div></div>
     
-		<div class="section" title="9.7.4rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id3738297"></a>9.7.4rc1</h3></div></div></div>
+		<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397821"></a>9.6-ESV-R5rc1</h3></div></div></div>
 			
 			<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+processing code that could allow certain UPDATE requests to crash named.
+[RT #24777] [CVE-2011-2464]
+</li><li class="listitem">
 named, set up to be a caching resolver, is vulnerable to a
 user querying a domain with very large resource record sets (RRSets)
 when trying to negatively cache the response. Due to an off-by-one
@@ -82,9 +68,9 @@ error, caching the response could cause named to crash. [RT #24650]
 		</div>
   </div>
 
-  <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3738316"></a>Feature Changes</h2></div></div></div>
+  <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397866"></a>Feature Changes</h2></div></div></div>
     
-		<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id3738321"></a>9.6-ESV-R5rc1</h3></div></div></div>
+		<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397871"></a>9.6-ESV-R5rc1</h3></div></div></div>
 			
 			<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
 Merged in the NetBSD ATF test framework (currently
@@ -101,11 +87,15 @@ Replaced compile time constant with STDTIME_ON_32BITS.
 		</div>
   </div>
 
-  <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3738348"></a>Bug Fixes</h2></div></div></div>
+  <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397893"></a>Bug Fixes</h2></div></div></div>
     
-		<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id3738353"></a>9.6-ESV-R5rc1</h3></div></div></div>
+		<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397899"></a>9.6-ESV-R5rc1</h3></div></div></div>
 			
 	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+Improved the mechanism for flagging database entries as negative
+cache records; the former method, RR type 0, could be ambiguous.
+[RT #24777]
+</li><li class="listitem">
 During RFC5011 processing some journal write errors were not detected.
 This could lead to managed-keys changes being committed but not 
 recorded in the journal files, causing potential inconsistencies  
@@ -238,7 +228,7 @@ without using DLV and had DS records in the parent zone. [RT #24631]
 		</div>
   </div>
   
-  <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3738363"></a>Known issues in this release</h2></div></div></div>
+  <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1398060"></a>Known issues in this release</h2></div></div></div>
     
     <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
         <p>
@@ -259,7 +249,7 @@ without using DLV and had DS records in the parent zone. [RT #24631]
       </li></ul></div>
   </div>
 
-  <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3738597"></a>Thank You</h2></div></div></div>
+  <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1398098"></a>Thank You</h2></div></div></div>
     
     <p>
       Thank you to everyone who assisted us in making this release possible.
diff --git a/RELEASE-NOTES-BIND-9.6-ESV.pdf b/RELEASE-NOTES-BIND-9.6-ESV.pdf
index 70dd25de724..a2103412e52 100644
Binary files a/RELEASE-NOTES-BIND-9.6-ESV.pdf and b/RELEASE-NOTES-BIND-9.6-ESV.pdf differ
diff --git a/RELEASE-NOTES-BIND-9.6-ESV.txt b/RELEASE-NOTES-BIND-9.6-ESV.txt
index 3ef7675bf87..484664b561a 100644
--- a/RELEASE-NOTES-BIND-9.6-ESV.txt
+++ b/RELEASE-NOTES-BIND-9.6-ESV.txt
@@ -32,8 +32,11 @@ New Features
 
 Security Fixes
 
-9.7.4rc1
+9.6-ESV-R5rc1
 
+     * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+       processing code that could allow certain UPDATE requests to crash
+       named. [RT #24777] [CVE-2011-2464]
      * named, set up to be a caching resolver, is vulnerable to a user
        querying a domain with very large resource record sets (RRSets)
        when trying to negatively cache the response. Due to an off-by-one
@@ -55,6 +58,9 @@ Bug Fixes
 
 9.6-ESV-R5rc1
 
+     * Improved the mechanism for flagging database entries as negative
+       cache records; the former method, RR type 0, could be ambiguous.
+       [RT #24777]
      * During RFC5011 processing some journal write errors were not
        detected. This could lead to managed-keys changes being committed
        but not recorded in the journal files, causing potential
diff --git a/RELEASE-NOTES-BIND-9.6-ESV.xml b/RELEASE-NOTES-BIND-9.6-ESV.xml
index bc59917300b..c39b4a73e8b 100644
--- a/RELEASE-NOTES-BIND-9.6-ESV.xml
+++ b/RELEASE-NOTES-BIND-9.6-ESV.xml
@@ -1,32 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
- - Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: RELEASE-NOTES-BIND-9.6-ESV.xml,v 1.1.2.4 2011/05/31 00:51:10 tbox Exp $ -->
-
 <article xmlns="http://docbook.org/ns/docbook" 
          xmlns:xl="http://www.w3.org/1999/xlink" version="5.0">
 
   <section>
     <title>Introduction</title>
     <para>
-			BIND 9.6-ESV-R5 is a maintenance release for BIND 9.6-ESV.
+			BIND 9.6-ESV-R5rc1 is the first release
+			candidate of BIND 9.6-ESV-R5.
 		</para>
     <para>
-			This document summarizes changes from BIND 9.6-ESV-R4 to BIND 9.6-ESV-R5.
+			This document summarizes changes from BIND 9.6-ESV-R4 to BIND 9.6-ESV-R5rc1.
 			Please see the CHANGES file in the source code release for a
 			complete list of all changes.
 		</para>
@@ -37,7 +20,7 @@
     <para>
 			The latest release of BIND 9 software can always be found
 	 		on our web site at
-      <link xl:href="http://www.isc.org/software/bind">http://www.isc.org/software/bind</link>.
+      <link xl:href="http://www.isc.org/downloads/all">http://www.isc.org/downloads/all</link>.
   		There you will find additional information about each release,
  			source code, and some pre-compiled versions for certain operating
  			systems.
@@ -58,7 +41,7 @@
   <section>
     <title>New Features</title>
 		<section>
-			<title>9.6-ESV-R5</title>
+			<title>9.6-ESV-R5rc1</title>
 			<itemizedlist>
 <listitem>
 Added a tool able to generate malformed packets to allow testing
@@ -69,10 +52,31 @@ of how named handles them.
 		</section>
   </section>
 
+  <section>
+    <title>Security Fixes</title>
+		<section>
+			<title>9.6-ESV-R5rc1</title>
+			<itemizedlist>
+<listitem>
+Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+processing code that could allow certain UPDATE requests to crash named.
+[RT #24777] [CVE-2011-2464]
+</listitem>
+<listitem>
+named, set up to be a caching resolver, is vulnerable to a
+user querying a domain with very large resource record sets (RRSets)
+when trying to negatively cache the response. Due to an off-by-one
+error, caching the response could cause named to crash. [RT #24650]
+[CVE-2011-1910]
+</listitem>
+			</itemizedlist>
+		</section>
+  </section>
+
   <section>
     <title>Feature Changes</title>
 		<section>
-			<title>9.6-ESV-R5</title>
+			<title>9.6-ESV-R5rc1</title>
 			<itemizedlist>
 <listitem>
 Merged in the NetBSD ATF test framework (currently
@@ -95,9 +99,14 @@ Replaced compile time constant with STDTIME_ON_32BITS.
   <section>
     <title>Bug Fixes</title>
 		<section>
-			<title>9.6-ESV-R5</title>
+			<title>9.6-ESV-R5rc1</title>
 	    <itemizedlist>
 <listitem>
+Improved the mechanism for flagging database entries as negative
+cache records; the former method, RR type 0, could be ambiguous.
+[RT #24777]
+</listitem>
+<listitem>
 During RFC5011 processing some journal write errors were not detected.
 This could lead to managed-keys changes being committed but not 
 recorded in the journal files, causing potential inconsistencies  
@@ -127,6 +136,9 @@ reload to fail, if a log file specified in the
 conf file isn't a plain file. (RT #22771]
 </listitem>
 <listitem>
+After an external code review, a code cleanup was done. [RT #22521]
+</listitem>
+<listitem>
 named now forces the ADB cache time for glue related data to zero  
 instead of relying on TTL.  This corrects problematic behavior in cases  
 where a server was authoritative for the A record of a nameserver for a  
@@ -138,8 +150,8 @@ Fix the zonechecks system test to fail on error (warning in 9.6,
 fatal in 9.7) to match behaviour for 9.4. [RT #22905]
 </listitem>
 <listitem>
-Fixed precedence order bug with NS and DNAME records if both are present.
-[RT #23035]
+Fixed precedence order bug with NS and DNAME records if both are
+present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
 </listitem>
 <listitem>
 The secure zone update feature in named is based on the zone being
@@ -247,6 +259,13 @@ When trying sign with NSEC3, if dnssec-signzone couldn't find the
 KSK, it would give an incorrect error "NSEC3 iterations too big for
 weakest DNSKEY strength" rather than the correct "failed to find
 keys at the zone apex: not found" [RT #24369]
+</listitem>
+<listitem>
+nsupdate could dump core on shutdown when using SIG(0) keys. [RT #24604]
+</listitem>
+<listitem>
+Named could fail to validate zones list in a DLV that validated insecure
+without using DLV and had DS records in the parent zone. [RT #24631]
 </listitem>
 			</itemizedlist>
 		</section>