From: Ondřej Surý Date: Fri, 24 Sep 2021 07:58:47 +0000 (+0200) Subject: Add CHANGES and release note for [GL #2899] X-Git-Tag: v9.17.20~18^2~5^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=88c6b4e7af0563ca1092abb4ffeb2cbe0c76e768;p=thirdparty%2Fbind9.git Add CHANGES and release note for [GL #2899] --- diff --git a/CHANGES b/CHANGES index 469572de246..054e1246d35 100644 --- a/CHANGES +++ b/CHANGES @@ -65,7 +65,11 @@ 5737. [bug] Address Coverity warning in lib/dns/dnssec.c. [GL #2935] -5736. [placeholder] +5736. [security] The "lame-ttl" option is now forcibly set to 0. This + effectively disables the lame server cache, as it could + previously be abused by an attacker to significantly + degrade resolver performance. (CVE-2021-25219) + [GL #2899] 5735. [cleanup] The result codes which BIND 9 uses internally are now all defined as a single list of enum values rather than diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index b7f8f0e08b2..f38347a0e49 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -14,7 +14,21 @@ Notes for BIND 9.17.18 Security Fixes ~~~~~~~~~~~~~~ -- None. +- The ``lame-ttl`` option controls how long ``named`` caches certain + types of broken responses from authoritative servers (see the + `security advisory `_ for + details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of ``lame-ttl`` to ``0`` and + overriding any explicitly set value with ``0``, effectively disabling + this mechanism altogether. ISC's testing has determined that doing + that has a negligible impact on resolver performance while also + preventing abuse. Administrators may observe more traffic towards + servers issuing certain types of broken responses than in previous + BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. :gl:`#2899` Known Issues ~~~~~~~~~~~~