From: Tinderbox User Date: Wed, 6 May 2020 06:31:30 +0000 (+0000) Subject: prep 9.14.12 X-Git-Tag: v9.14.12~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43046e10fb1556c66d49c1b885e93c49d07aca4e;p=thirdparty%2Fbind9.git prep 9.14.12 --- diff --git a/CHANGES b/CHANGES index 66fcf12ea0a..4e3dc618634 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.14.12 released --- + 5395. [security] Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. diff --git a/README b/README index bf1ca021939..6193f7e133e 100644 --- a/README +++ b/README @@ -200,6 +200,11 @@ BIND 9.14.11 BIND 9.14.11 is a maintenance release. +BIND 9.14.12 + +BIND 9.14.12 is a maintenance release, and also addresses the security +vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617. + Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, diff --git a/README.md b/README.md index d8419ad7a7c..29e98596877 100644 --- a/README.md +++ b/README.md @@ -217,6 +217,11 @@ BIND 9.14.10 is a maintenance release. BIND 9.14.11 is a maintenance release. +#### BIND 9.14.12 + +BIND 9.14.12 is a maintenance release, and also addresses the security +vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617. + ### Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 6c6200765c4..09c126688fd 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index d434346b952..44df1424933 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 26071b1215b..e091adb9ec5 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 0b13d02a6f9..ff605d1fbb7 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 280d60aec03..be30e0e1ae6 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -7173,10 +7173,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query - is terminated and returns SERVFAIL. Queries to - look up top level domains such as "com" and "net" - and the DNS root zone are exempt from this limitation. - The default is 75. + is terminated and returns SERVFAIL. The default is 75.

notify-delay
@@ -14955,6 +14952,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 80d95ddf764..05729c2fd87 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -362,6 +362,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index e187c4b682a..c335aba6153 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 32415f96bb3..ec7cf958fc6 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,12 +36,13 @@

Table of Contents

-
Release Notes for BIND Version 9.14.11
+
Release Notes for BIND Version 9.14.12
Introduction
Note on Version Numbering
Supported Platforms
Download
+
Notes for BIND 9.14.12
Notes for BIND 9.14.11
Notes for BIND 9.14.10
Notes for BIND 9.14.9
@@ -62,7 +63,7 @@

-Release Notes for BIND Version 9.14.11

+Release Notes for BIND Version 9.14.12

@@ -96,7 +97,7 @@ cleanup, and some very old code has been removed that supported obsolete operating systems and operating systems for which ISC is no longer able to perform quality assurance testing. Specifically, - workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster + workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster, and IRIX have been removed.

@@ -109,7 +110,7 @@ More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND + BIND 9 should compile and run. If that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors.

@@ -137,6 +138,54 @@

+Notes for BIND 9.14.12

+ +
+

+Security Fixes

+
    +
  • +

    + To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + max-recursion-queries limit. Fetches for missing + name server address records are limited to 4 for any domain. This + issue was disclosed in CVE-2020-8616. [GL #1388] +

    +
    • +
  • +

    + Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. This was disclosed in + CVE-2020-8617. [GL #1703] +

    +
    • +
  • +

    + DNS rebinding protection was ineffective when BIND 9 was configured + as a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] +

    +
    • +
+
+ +
+

+Bug Fixes

+
  • +

    + Fixed re-signing issues with inline zones which resulted in + records being re-signed late or not at all. +

    +
+
+ +
+
+

Notes for BIND 9.14.11

@@ -1057,8 +1106,9 @@

End of Life

- The end of life date for BIND 9.14 has not yet been determined. - For those needing long term support, the current Extended Support + BIND 9.16 has replaced 9.14 as the current stable version. + This BIND release is the last one in the BIND 9.14 release train. + For those needing long-term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See https://kb.isc.org/docs/aa-00896 @@ -1092,6 +1142,6 @@

-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 5a7533c3120..22d16cce6c8 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 90e942b3ddc..b98bbee09f2 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@

-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 7610e9f77e2..33459d95bcf 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 26aedd2d882..93dba8be118 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index a282b6ec3e6..fdf1ac5bf47 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.14.11

+

BIND Version 9.14.12

Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")

@@ -242,12 +242,13 @@
A. Release Notes
-
Release Notes for BIND Version 9.14.11
+
Release Notes for BIND Version 9.14.12
Introduction
Note on Version Numbering
Supported Platforms
Download
+
Notes for BIND 9.14.12
Notes for BIND 9.14.11
Notes for BIND 9.14.10
Notes for BIND 9.14.9
@@ -447,6 +448,6 @@
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 60ce4fefc76..c1a4008c11d 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index ca364ad9981..e4a06ca353d 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 812bf29cd71..e111d158ea7 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index dce4c4c2ae5..e24982954d3 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 69e4a829f5a..edc6a6e16e1 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1166,6 +1166,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 1658bf75217..172f20a58c2 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 52affae1b31..0be7fe6f709 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 07a43afbb34..2e8d111d44d 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 8513df662b8..b64f5c737e7 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -352,6 +352,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index f2278e9899f..71a2b30d47b 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 9d93a4659b5..763119c0a3c 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -496,6 +496,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 34fc975fb07..af3bac65b26 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -557,6 +557,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 8ecda85c875..03b32adfd59 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index dac0ef89d06..7a774643d9c 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index b62fcd1e101..2c3dad3ba8b 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index f96a9d447cf..bcd4d322350 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -701,6 +701,6 @@ db.example.com.signed -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index bbffe67f7be..21d94402cd7 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 9af66b9a117..dc01f8ff639 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 6562aa99f37..84542dbdf70 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 716a266d9a0..5287ca71108 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 4042e88603a..da8e8c78481 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -604,6 +604,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 18d07adb9ea..883214abd04 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -208,6 +208,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2b1ccd0cd16..0b6cc38b03e 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 8b195bd0e9e..49e127ef768 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index c6c7e0ea90f..3f2780dad8a 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 673443c1f72..dd73932625b 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 64136b19e73..f78b92a3bca 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1075,6 +1075,6 @@ zone -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 4dfeb5250a1..49e3db4326a 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 7c82408dc39..2d6eba35503 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 9046c27d8a9..59982bb8f86 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -443,6 +443,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index e6147caa7f9..8738b4b6cdb 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 6c3f9b41e4c..766afd6c724 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index a0c35d64e94..38525b12174 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 92bd3c23c9c..92b946ed822 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index cecdaa46fca..054d45275f6 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 5e2abb9a378..e22596956e0 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index e41dc8a2d9e..5a16ea9d857 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 8ae68964633..51ab3216d5a 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1024,6 +1024,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/notes-9.14.12.xml b/doc/arm/notes-9.14.12.xml index 42761216b81..f6cc8806de4 100644 --- a/doc/arm/notes-9.14.12.xml +++ b/doc/arm/notes-9.14.12.xml @@ -33,8 +33,8 @@ - DNS rebinding protection was ineffective when BIND 9 is configured as - a forwarding DNS server. Found and responsibly reported by Tobias + DNS rebinding protection was ineffective when BIND 9 was configured + as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574] diff --git a/doc/arm/notes.html b/doc/arm/notes.html index cb0b4eab289..d9b43ece57c 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.14.11

+Release Notes for BIND Version 9.14.12

@@ -49,7 +49,7 @@ cleanup, and some very old code has been removed that supported obsolete operating systems and operating systems for which ISC is no longer able to perform quality assurance testing. Specifically, - workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster + workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster, and IRIX have been removed.

@@ -62,7 +62,7 @@ More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND + BIND 9 should compile and run. If that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors.

@@ -90,6 +90,54 @@

+Notes for BIND 9.14.12

+ +
+

+Security Fixes

+
    +
  • +

    + To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + max-recursion-queries limit. Fetches for missing + name server address records are limited to 4 for any domain. This + issue was disclosed in CVE-2020-8616. [GL #1388] +

    +
    • +
  • +

    + Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. This was disclosed in + CVE-2020-8617. [GL #1703] +

    +
    • +
  • +

    + DNS rebinding protection was ineffective when BIND 9 was configured + as a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] +

    +
    • +
+
+ +
+

+Bug Fixes

+
  • +

    + Fixed re-signing issues with inline zones which resulted in + records being re-signed late or not at all. +

    +
+
+ +
+
+

Notes for BIND 9.14.11

@@ -1010,8 +1058,9 @@

End of Life

- The end of life date for BIND 9.14 has not yet been determined. - For those needing long term support, the current Extended Support + BIND 9.16 has replaced 9.14 as the current stable version. + This BIND release is the last one in the BIND 9.14 release train. + For those needing long-term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See https://kb.isc.org/docs/aa-00896 diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 1cfe96bbaf5..b8d21942021 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 4a0db5b75e9..11b24a05f48 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.14.11 +Release Notes for BIND Version 9.14.12 Introduction @@ -22,7 +22,7 @@ Since 9.12, BIND has undergone substantial code refactoring and cleanup, and some very old code has been removed that supported obsolete operating systems and operating systems for which ISC is no longer able to perform quality assurance testing. Specifically, workarounds for UnixWare, BSD/OS, -AIX, Tru64, SunOS, TruCluster and IRIX have been removed. +AIX, Tru64, SunOS, TruCluster, and IRIX have been removed. On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and @@ -31,7 +31,7 @@ standard atomic operations provided by the C compiler. More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system libraries provide the above features, BIND 9 should compile and run. If -that isn't the case, the BIND development team will generally accept +that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors. @@ -49,6 +49,30 @@ www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +Notes for BIND 9.14.12 + +Security Fixes + + * To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + max-recursion-queries limit. Fetches for missing name server address + records are limited to 4 for any domain. This issue was disclosed in + CVE-2020-8616. [GL #1388] + + * Replaying a TSIG BADTIME response as a request could trigger an + assertion failure. This was disclosed in CVE-2020-8617. [GL #1703] + + * DNS rebinding protection was ineffective when BIND 9 was configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] + +Bug Fixes + + * Fixed re-signing issues with inline zones which resulted in records + being re-signed late or not at all. + Notes for BIND 9.14.11 Bug Fixes @@ -528,11 +552,11 @@ www.isc.org/mission/contact/. End of Life -The end of life date for BIND 9.14 has not yet been determined. For those -needing long term support, the current Extended Support Version (ESV) is -BIND 9.11, which will be supported until at least December 2021. See -https://kb.isc.org/docs/aa-00896 for details of ISC's software support -policy. +BIND 9.16 has replaced 9.14 as the current stable version. This BIND +release is the last one in the BIND 9.14 release train. For those needing +long-term support, the current Extended Support Version (ESV) is BIND +9.11, which will be supported until at least December 2021. See https:// +kb.isc.org/docs/aa-00896 for details of ISC's software support policy. Thank You diff --git a/lib/dns/api b/lib/dns/api index c89fe649399..ece8f2d40e0 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 LIBINTERFACE = 1312 -LIBREVISION = 1 +LIBREVISION = 2 LIBAGE = 0 diff --git a/version b/version index 78f9d4c13bd..3eba4cf796d 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Stable Release)" MAJORVER=9 MINORVER=14 -PATCHVER=11 +PATCHVER=12 RELEASETYPE= RELEASEVER= EXTENSIONS=