git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Merge tag 'v9_11_22' into v9_11
author Evan Hunt <each@isc.org>
Thu, 20 Aug 2020 19:10:47 +0000 (12:10 -0700)
committer Evan Hunt <each@isc.org>
Thu, 20 Aug 2020 19:10:47 +0000 (12:10 -0700)
BIND 9.11.22

CHANGES

diff --cc CHANGES
index 18a6cf237a1881bdffa1a483da4eacd9e21c5be6,bf6c3f8097015bc93f0e462b95b19da934a39858..1478e379564aaec9def2e4e94e5be2834fc8ea81
+++ b/CHANGES
@@@ -1,15 -1,27 +1,39 @@@
 +5489. [bug]           Named failed to reject some invalid records resulting
 +                      in records that, after being printed, could not be
 +                      loaded or would result in DNSSEC validation failures
 +                      when re-read from zone files as the wire format
 +                      differed.  The covered records records are: CERT,
 +                      IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
 +                      X25. [GL !3953]
 +
 +5488. [bug]           nta needed to have a weak reference on view to prevent
 +                      the view being deleted while nta tests are being
 +                      performed. [GL #2067]
 +
+       --- 9.11.22 released ---
+ 5481. [security]      "update-policy" rules of type "subdomain" were
+                       incorrectly treated as "zonesub" rules, which allowed
+                       keys used in "subdomain" rules to update names outside
+                       of the specified subdomains. The problem was fixed by
+                       making sure "subdomain" rules are again processed as
+                       described in the ARM. (CVE-2020-8624) [GL #2055]
+ 5480. [security]      When BIND 9 was compiled with native PKCS#11 support, it
+                       was possible to trigger an assertion failure in code
+                       determining the number of bits in the PKCS#11 RSA public
+                       key with a specially crafted packet. (CVE-2020-8623)
+                       [GL #2037]
+ 5476. [security]      It was possible to trigger an assertion failure when
+                       verifying the response to a TSIG-signed request.
+                       (CVE-2020-8622) [GL #2028]
+ 5475. [bug]           Wildcard RPZ passthru rules could incorrectly be
+                       overridden by other rules that were loaded from RPZ
+                       zones which appeared later in the "response-policy"
+                       statement. This has been fixed. [GL #1619]
  5474. [bug]           dns_rdata_hip_next() failed to return ISC_R_NOMORE
                        when it should have. [GL !3880]
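
Review bot: The 5489 entry repeats a word in "The covered records records are:"; it should read "The covered records are:". Separately, as shown here the merged 5481, 5480, 5476 and 5475 entries follow one another and the "--- 9.11.22 released ---" marker with no blank line between them, while 5489 and 5488 are each followed by one, so it is worth confirming that the resolved CHANGES file keeps the same blank-line separation for every entry. Keeping 5489 and 5488 above the release marker looks right, since they are not part of the tagged 9.11.22 side of the merge.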