From: Mark Andrews Date: Tue, 17 May 2016 04:00:38 +0000 (+1000) Subject: update for 9.9.9-P1 X-Git-Tag: v9.9.9-P1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8b4fc65df4198e273843f7cee347983c5826fda;p=thirdparty%2Fbind9.git update for 9.9.9-P1 --- diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 01b779e455f..66ebc8b99a2 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -21,11 +21,12 @@
Introduction - This document summarizes significant changes since the last - production release of BIND on the corresponding major release - branch. - Please see the CHANGES file for a further list of bug fixes and - other changes. + This document summarizes changes since BIND 9.9.9: + + + BIND 9.9.9-P1 addresses Windows installation issues and a race + condition in the rbt/rbtdb implementation resulting in named + exiting due to assertion failures being detected.
@@ -44,38 +45,7 @@ - The resolver could abort with an assertion failure due to - improper DNAME handling when parsing fetch reply - messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] - - - - - Malformed control messages can trigger assertions in named - and rndc. This flaw is disclosed in CVE-2016-1285. [RT - #41666] - - - - - Specific APL data could trigger an INSIST. This flaw - is disclosed in CVE-2015-8704. [RT #41396] - - - - - Incorrect reference counting could result in an INSIST - failure if a socket error occurred while performing a - lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] - - - - - Insufficient testing when parsing a message allowed - records with an incorrect class to be be accepted, - triggering a REQUIRE failure when those records - were subsequently cached. This flaw is disclosed - in CVE-2015-8000. [RT #40987] + None. @@ -86,34 +56,7 @@ - The following resource record types have been implemented: - AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK. - - - - - Added a warning for a common misconfiguration involving forwarded - RFC 1918 and IPv6 ULA (Universal Local Address) zones. - - - - - Contributed software from Nominum is included in the source at - contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring - the performance of authoritative DNS servers, resperf for - testing the resolution performance of a caching DNS server, - resperf-report for generating a resperf report in HTML with - gnuplot graphs, and queryparse to extract DNS queries from - pcap capture files. This software is not installed by default - with BIND. - - - - - When loading a signed zone, named will - now check whether an RRSIG's inception time is in the future, - and if so, it will regenerate the RRSIG immediately. This helps - when a system's clock needs to be reset backwards. + None. 
@@ -123,32 +66,7 @@ - Updated the compiled-in addresses for H.ROOT-SERVERS.NET - and L.ROOT-SERVERS.NET. - - - - - The default preferred glue is now the address type of the - transport the query was received over. - - - - - On machines with 2 or more processors (CPU), the default value - for the number of UDP listeners has been changed to the number - of detected processors minus one. - - - - - Zone transfers now use smaller message sizes to improve - message compression. This results in reduced network usage. - - - - - named -V output now also includes operating system details. + None. @@ -158,14 +76,7 @@ - The Microsoft Windows install tool - BINDInstall.exe which requires a - non-free version of Visual Studio to be built, now uses two - files (lists of flags and files) created by the Configure - perl script with all the needed information which were - previously compiled in the binary. Read - win32utils/build.txt for more details. - [RT #38915] + None. @@ -175,35 +86,14 @@ - rndc flushtree now works even if there wasn't a cached node at the - specified name. [RT #41846] - - - - - Don't emit records with zero TTL unless the records were - received with a zero TTL. After being returned to waiting - clients, the answer will be discarded from the cache. [RT #41687] - - - - - When deleting records from a zone database, interior nodes - could be left empty but not deleted, damaging search - performance afterward. [RT #40997] [RT #41941] - - - - - The server could crash due to a use-after-free if a - zone transfer timed out. [RT #41297] + Windows installs were failing due to triggering UAC without + the installation binary being signed. - Authoritative servers that were marked as bogus (e.g. blackholed - in configuration or with invalid addresses) were being queried - anyway. [RT #41321] + A race condition in rbt/rbtdb was leading to INSISTs being + triggered.
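Review bot: in the @@ -21,11 +21,12 @@ hunk the new introduction drops the pointer to the CHANGES file, so the notes no longer tell a reader where the complete list of changes is; keep the "Please see the CHANGES file for a further list of bug fixes and other changes." sentence after the new paragraph. The first added line also ends in a colon ("changes since BIND 9.9.9:") with only a paragraph after it, and "resulting in named exiting due to assertion failures being detected" would read more clearly as "that could cause named to exit with an assertion failure".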
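Review bot: in the @@ -44,38 +45,7 @@ hunk the CVE entries are replaced by "None.", yet the introduction added in this same patch says the rbt/rbtdb race results in named exiting on assertion failures, which is the same failure class as the entries being removed here. The notes should say which case applies: if the race can be triggered by remote traffic, list it in this section with its identifier; if it cannot, say so in the rbt/rbtdb entry of the last hunk so operators can judge how urgently to upgrade.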
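Review bot: in the @@ -175,35 +86,14 @@ hunk both added entries lack the [RT #...] ticket reference that every removed entry in this list carried, so they cannot be traced back to the corresponding change; add the ticket numbers. The Windows entry also describes only the failure ("failing due to triggering UAC without the installation binary being signed") and never states what was changed to fix it, and the rbt/rbtdb entry should mention that the INSISTs cause named to exit, as the introduction does.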