6065. [placeholder]
-6064. [placeholder]
+6064. [security] An UPDATE message flood could cause named to exhaust all
+ available memory. This flaw was addressed by adding a
+ new "update-quota" statement that controls the number of
+ simultaneous UPDATE messages that can be processed or
+ forwarded. The default is 100. A stats counter has been
+ added to record events when the update quota is
+ exceeded, and the XML and JSON statistics version
+ numbers have been updated. (CVE-2022-3094) [GL #3523]
6063. [cleanup] The RSA and ECDSA parts of the DNSSEC has been
refactored for a better OpenSSL 3.x integration and
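Review bot: The 6064 entry says a stats counter "has been added to record events when the update quota is exceeded" but does not name the counter, and it does not say what named does with an UPDATE that arrives while the quota is exhausted. An operator reading CHANGES to decide how to monitor for this flood condition needs both, so suggest naming the counter and adding one sentence on the over-quota behaviour. The entry also describes the limit as "simultaneous UPDATE messages that can be processed or forwarded"; keep that wording consistent with the release note for the same fix.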
Security Fixes
~~~~~~~~~~~~~~
-- None.
+- An UPDATE message flood could cause :iscman:`named` to exhaust all
+ available memory. This flaw was addressed by adding a new
+ :any:`update-quota` option that controls the maximum number of
+ outstanding DNS UPDATE messages that :iscman:`named` can hold in a
+ queue at any given time (default: 100). (CVE-2022-3094)
+
+ ISC would like to thank Rob Schulhof from Infoblox for bringing this
+ vulnerability to our attention. :gl:`#3523`
New Features
~~~~~~~~~~~~
-- None.
+- The new :any:`update-quota` option can be used to control the number
+ of simultaneous DNS UPDATE messages that can be processed to update an
+ authoritative zone on a primary server, or forwarded to the primary
+ server by a secondary server. The default is 100. A new statistics
+ counter has also been added to record events when this quota is
+ exceeded, and the version numbers for the XML and JSON statistics
+ schemas have been updated. :gl:`#3523`
Removed Features
~~~~~~~~~~~~~~~~
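Review bot: The Security Fixes bullet and the New Features bullet define update-quota differently: the first as the "maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time", the second as the number of "simultaneous DNS UPDATE messages that can be processed ... or forwarded". Pick one definition and use it in both bullets, so that it is clear whether the limit counts queued or in-flight messages and whether it applies per server or per zone. The New Features bullet should also name the new statistics counter and state what happens to an UPDATE received once the quota of 100 is reached, since that is the event an operator will want to alert on.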