From: Evan Hunt Date: Fri, 24 May 2024 02:16:54 +0000 (-0700) Subject: Add CHANGES and release note for [GL #3403] X-Git-Tag: v9.20.0~8^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1bf7795b389fb6847a46ba801e85ad715d6403cb;p=thirdparty%2Fbind9.git Add CHANGES and release note for [GL #3403] --- diff --git a/CHANGES b/CHANGES index 3165203b82a..c8e043e5143 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,19 @@ +6401. [security] An excessively large number of rrtypes per owner can + slow down database query processing, so a limit has been + placed on the number of rrtypes that can be stored per + owner (node) in a cache or zone database. This is + configured with the new "max-rrtypes-per-name" option, + and defaults to 100. (CVE-2024-1737) + [GL #3403] [GL #4548] + +6400. [security] Excessively large rdatasets can slow down database + query processing, so a limit has been placed on the + number of records that can be stored per rdataset + in a cache or zone database. This is configured + with the new "max-records-per-type" option, and + defaults to 100. (CVE-2024-1737) + [GL #497] [GL #3405] + 6399. [security] Malicious DNS client that sends many queries over TCP but never reads responses can cause server to respond slowly or not respond at all for other diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 1cda5eeab38..88b0fd75fa1 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -19,6 +19,21 @@ Security Fixes responses can cause server to respond slowly or not respond at all for other clients. :cve:`2024-0760` :gl:`#4481` +- Excessively large resource record sets can be crafted to slow down + database processing. This has been addressed by adding a configurable + limit to the number of records that can be stored per name and type in + a cache or zone database. The default is 100, but it can be tuned with + the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405` + + An excessively large number of resource record types for a single owner name can + be crafted to slow down database processing. This has been addressed by adding + a configurable limit to the number of records that can be stored per name and + type in a cache or zone database. The default is 100, and can be tuned with + the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403` + + ISC would like to thank Toshifumi Sakaguchi who independently discovered + and responsibly reported the issue to ISC. :gl:`#4548` + New Features ~~~~~~~~~~~~
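Review bot: in the CHANGES hunk, entry 6400 cites CVE-2024-1737 for the ``max-records-per-type`` limit, but the matching release-note bullet added in the notes-current.rst hunk of this same patch carries only :gl:`#497` :gl:`#3405` and no :cve: role, while the ``max-rrtypes-per-name`` bullet does carry :cve:`2024-1737`. Either drop the CVE from 6400 or add :cve:`2024-1737` to the first release-note bullet so CHANGES and the release notes agree on which fixes the CVE covers.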
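Review bot: in the notes-current.rst hunk, the second paragraph ("An excessively large number of resource record types for a single owner name ...") reuses the remedy wording of the first bullet, "a configurable limit to the number of records that can be stored per name and type", which describes ``max-records-per-type`` rather than ``max-rrtypes-per-name``; it should read along the lines of "a configurable limit to the number of resource record types that can be stored per owner name", matching CHANGES entry 6401. Two smaller points: that paragraph is indented as a continuation of the preceding bullet instead of starting with "- ", so both fixes and the acknowledgement render as a single list item (give it its own "- " if it is meant to be a separate entry), and its first line runs past the wrap width used by the surrounding lines.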