Diffstat (limited to 'doc/arm/notes.xml')
| -rw-r--r-- | doc/arm/notes.xml | 158 |
1 files changed, 146 insertions, 12 deletions
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 913098e1afe3..79e8ed6d04d8 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -20,13 +20,8 @@ <sect2 id="relnotes_intro"> <title>Introduction</title> <para> - This document summarizes changes since BIND 9.9.7. - </para> - <para> - BIND 9.9.7-P2 addresses a security issue described in CVE-2015-5477. - </para> - <para> - BIND 9.9.7-P1 addresses a security issue described in CVE-2015-4620. + This document summarizes changes since the last production release + of BIND on the corresponding major release branch. </para> </sect2> <sect2 id="relnotes_download"> @@ -45,12 +40,29 @@ <itemizedlist> <listitem> <para> + An incorrect boundary check in the OPENPGPKEY rdatatype + could trigger an assertion failure. This flaw is disclosed + in CVE-2015-5986. [RT #40286] + </para> + </listitem> + <listitem> + <para> + A buffer accounting error could trigger an assertion failure + when parsing certain malformed DNSSEC keys. + </para> + <para> + This flaw was discovered by Hanno B쎶ck of the Fuzzing + Project, and is disclosed in CVE-2015-5722. [RT #40212] + </para> + </listitem> + <listitem> + <para> A specially crafted query could trigger an assertion failure in message.c. </para> <para> This flaw was discovered by Jonathan Foote, and is disclosed - in CVE-2015-5477. [RT #39795] + in CVE-2015-5477. [RT #40046] </para> </listitem> <listitem> 
@@ -63,14 +75,67 @@ This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795] </para> - </listitem> + </listitem> </itemizedlist> </sect2> <sect2 id="relnotes_features"> <title>New Features</title> <itemizedlist> <listitem> - <para>None</para> + <para> + New quotas have been added to limit the queries that are + sent by recursive resolvers to authoritative servers + experiencing denial-of-service attacks. When configured, + these options can both reduce the harm done to authoritative + servers and also avoid the resource exhaustion that can be + experienced by recursives when they are being used as a + vehicle for such an attack. + </para> + <para> + NOTE: These options are not available by default; use + <command>configure --enable-fetchlimit</command> to include + them in the build. + </para> + <itemizedlist> + <listitem> + <para> + <option>fetches-per-server</option> limits the number of + simultaneous queries that can be sent to any single + authoritative server. The configured value is a starting + point; it is automatically adjusted downward if the server is + partially or completely non-responsive. The algorithm used to + adjust the quota can be configured via the + <option>fetch-quota-params</option> option. + </para> + </listitem> + <listitem> + <para> + <option>fetches-per-zone</option> limits the number of + simultaneous queries that can be sent for names within a + single domain. (Note: Unlike "fetches-per-server", this + value is not self-tuning.) + </para> + </listitem> + </itemizedlist> + <para> + Statistics counters have also been added to track the number + of queries affected by these quotas. + </para> + </listitem> + <listitem> + <para> + An <command>--enable-querytrace</command> configure switch is + now available to enable very verbose query tracelogging. This + option can only be set at compile time. This option has a + negative performance impact and should be used only for + debugging. 
+ </para> + </listitem> + <listitem> + <para> + EDNS COOKIE options content is now displayed as + "COOKIE: <hexvalue>". + </para> </listitem> </itemizedlist> </sect2> @@ -78,7 +143,34 @@ <title>Feature Changes</title> <itemizedlist> <listitem> - <para>None</para> + <para> + Large inline-signing changes should be less disruptive. + Signature generation is now done incrementally; the number + of signatures to be generated in each quantum is controlled + by "sig-signing-signatures <replaceable>number</replaceable>;". + [RT #37927] + </para> + </listitem> + <listitem> + <para> + Retrieving the local port range from net.ipv4.ip_local_port_range + on Linux is now supported. + </para> + </listitem> + <listitem> + <para> + Active Directory names of the form gc._msdcs.<forest> are + now accepted as valid hostnames when using the + <option>check-names</option> option. <forest> is still + restricted to letters, digits and hyphens. + </para> + </listitem> + <listitem> + <para> + Names containing rich text are now accepted as valid + hostnames in PTR records in DNS-SD reverse lookup zones, + as specified in RFC 6763. [RT #37889] + </para> </listitem> </itemizedlist> </sect2> 
@@ -86,7 +178,49 @@ <title>Bug Fixes</title> <itemizedlist> <listitem> - <para>None</para> + <para> + Asynchronous zone loads were not handled correctly when the + zone load was already in progress; this could trigger a crash + in zt.c. [RT #37573] + </para> + </listitem> + <listitem> + <para> + A race during shutdown or reconfiguration could + cause an assertion failure in mem.c. [RT #38979] + </para> + </listitem> + <listitem> + <para> + Some answer formatting options didn't work correctly with + <command>dig +short</command>. [RT #39291] + </para> + </listitem> + <listitem> + <para> + Malformed records of some types, including NSAP and UNSPEC, + could trigger assertion failures when loading text zone files. + [RT #40274] [RT #40285] + </para> + </listitem> + <listitem> + <para> + Fixed a possible crash in ratelimiter.c caused by NOTIFY + messages being removed from the wrong rate limiter queue. + [RT #40350] + </para> + </listitem> + <listitem> + <para> + The default <option>rrset-order</option> of <literal>random</literal> + was inconsistently applied. [RT #40456] + </para> + </listitem> + <listitem> + <para> + BADVERS responses from broken authoritative name servers were + not handled correctly. [RT #40427] + </para> </listitem> </itemizedlist> </sect2> |
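Review bot: In the Security Fixes hunk (@@ -45,12 +40,29 @@), the discoverer credit for CVE-2015-5722 reads "Hanno B쎶ck", which looks like a mis-encoded "ö"; make sure the file is written as UTF-8 (or use the `&ouml;` entity) so the name is not published garbled. The RT reference for CVE-2015-5477 changes from [RT #39795] to [RT #40046]; the CVE-2015-4620 entry in the next hunk still cites [RT #39795], so the two entries previously shared one ticket number, and it is worth confirming #40046 is the intended one. The new CVE-2015-5986 entry has no discoverer paragraph while the two entries after it do; if the reporter is known and wants credit, add it for consistency.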
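Review bot: In the New Features hunk (@@ -63,14 +75,67 @@), the EDNS COOKIE entry contains a literal `"COOKIE: <hexvalue>"`; unless the web view has merely stripped the entities, `<hexvalue>` will be read by the XML parser as an element and break the build of the notes. Mark it up as `<replaceable>hexvalue</replaceable>`, the convention the sig-signing-signatures entry in the next hunk already uses, or escape it as `&lt;hexvalue&gt;`. The `- </listitem>` / `+ </listitem>` pair at the top of this hunk is a whitespace-only change; either drop it or mention it in the commit message so the diff stays focused on content.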
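Review bot: In the Feature Changes hunk (@@ -78,7 +143,34 @@), `gc._msdcs.<forest>` and the following `<forest>` are unescaped angle brackets inside `<para>` and will not parse as XML if that is what the file contains; use `<replaceable>forest</replaceable>` as the sig-signing-signatures entry does with `<replaceable>number</replaceable>`. The net.ipv4.ip_local_port_range entry is the only one in this section without an [RT #] reference; add the ticket number if one exists so every entry is traceable.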
