From: Ondřej Surý Date: Fri, 24 Sep 2021 07:58:47 +0000 (+0200) Subject: Add CHANGES and release note for [GL #2899] X-Git-Tag: v9.11.36~2^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3592cd02e01e22fa4887320b826a82776bdf8b2;p=thirdparty%2Fbind9.git Add CHANGES and release note for [GL #2899] --- diff --git a/CHANGES b/CHANGES index df56aa342a3..d95d870a5cc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +5736. [security] The "lame-ttl" option is now forcibly set to 0. This + effectively disables the lame server cache, as it could + previously be abused by an attacker to significantly + degrade resolver performance. (CVE-2021-25219) + [GL #2899] + 5716. [bug] Multiple library names were mistakenly passed to the krb5-config utility when ./configure was invoked with the --with-gssapi=[/path/to/]krb5-config option. This diff --git a/doc/arm/notes-9.11.36.xml b/doc/arm/notes-9.11.36.xml index 1e04f9a7171..ce848309742 100644 --- a/doc/arm/notes-9.11.36.xml +++ b/doc/arm/notes-9.11.36.xml @@ -15,7 +15,24 @@ - None. + The lame-ttl option controls how long + named caches certain types of broken responses from + authoritative servers (see the security advisory + for details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of lame-ttl + to 0 and overriding any explicitly set value with + 0, effectively disabling this mechanism altogether. + ISC's testing has determined that doing that has a negligible impact + on resolver performance while also preventing abuse. Administrators + may observe more traffic towards servers issuing certain types of + broken responses than in previous BIND 9 releases, depending on client + query patterns. (CVE-2021-25219) + + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. [GL #2899]
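Review bot: In the CHANGES hunk, entry 5736 says the option is "forcibly set to 0" but does not say that an explicitly configured lame-ttl value is overridden, which the release note in the same patch does state. Suggest wording such as "is now forcibly set to 0, overriding any configured value" so that an operator who reads only CHANGES knows an existing setting no longer takes effect.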
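Review bot: In the doc/arm/notes-9.11.36.xml hunk, the new paragraph says any explicitly set lame-ttl is overridden with 0 but does not say whether named still accepts the option in existing configurations or logs anything when a non-zero value is discarded. One sentence covering that would tell administrators what to expect on upgrade. As a style point in the same paragraph, "doing that has a negligible impact" would read more clearly as "disabling the lame server cache has a negligible impact".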