.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.19
----------------------

Security Fixes
~~~~~~~~~~~~~~

- Previously, sending a specially crafted message over the control
  channel could cause the packet-parsing code to run out of available
  stack memory, causing :iscman:`named` to terminate unexpectedly.
  This has been fixed. :cve:`2023-3341`

  ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
  bringing this vulnerability to our attention. :gl:`#4152`

- A flaw in the networking code handling DNS-over-TLS queries could
  cause :iscman:`named` to terminate unexpectedly due to an assertion
  failure under significant DNS-over-TLS query load. This has been
  fixed. :cve:`2023-4236`

  ISC would like to thank Robert Story from USC/ISI Root Server
  Operations for bringing this vulnerability to our attention.
  :gl:`#4242`

Removed Features
~~~~~~~~~~~~~~~~

- The :any:`dnssec-must-be-secure` option has been deprecated and will
  be removed in a future release. :gl:`#4263`

Feature Changes
~~~~~~~~~~~~~~~

- If the ``server`` command is specified, :iscman:`nsupdate` now honors
  the :option:`nsupdate -v` option for SOA queries by sending both the
  UPDATE request and the initial query over TCP. :gl:`#1181`

Bug Fixes
~~~~~~~~~

- The value of the If-Modified-Since header in the statistics channel
  was not being correctly validated for its length, potentially allowing
  an authorized user to trigger a buffer overflow. Ensuring the
  statistics channel is configured correctly to grant access exclusively
  to authorized users is essential (see the :any:`statistics-channels`
  block definition and usage section). :gl:`#4124`

  This issue was reported independently by Eric Sesterhenn of X41 D-Sec
  GmbH and Cameron Whitehead.

- The Content-Length header in the statistics channel was lacking proper
  bounds checking. A negative or excessively large value could
  potentially trigger an integer overflow and result in an assertion
  failure. :gl:`#4125`

  This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

- Several memory leaks caused by not clearing the OpenSSL error stack
  were fixed. :gl:`#4159`

  This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

- The introduction of ``krb5-subdomain-self-rhs`` and
  ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
  :iscman:`named` to return SERVFAIL responses to deletion requests for
  non-existent PTR and SRV records. This has been fixed. :gl:`#4280`

- The :any:`stale-refresh-time` feature was mistakenly disabled when the
  server cache was flushed by :option:`rndc flush`. This has been fixed.
  :gl:`#4278`

- BIND's memory consumption has been improved by implementing dedicated
  jemalloc memory arenas for sending buffers. This optimization ensures
  that memory usage is more efficient and better manages the return of
  memory pages to the operating system. :gl:`#4038`

- Previously, partial writes in the TLS DNS code were not accounted for
  correctly, which could have led to DNS message corruption. This has
  been fixed. :gl:`#4255`

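The Content-Length item above describes a header value that was used without bounds checking. The following C example is added here for illustration and is not BIND source code or ISC's fix; the function names and the 1 MiB ``MAX_BODY_LEN`` cap are assumptions. It contrasts an unchecked parse with one that rejects signed, non-numeric, overflowing and oversized values before any length arithmetic is done.

```c
/* Added illustration; not BIND source. All names and MAX_BODY_LEN are assumed. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY_LEN ((uint64_t)1 << 20) /* assumed 1 MiB cap, not ISC's value */

/* Unchecked form: "-1" wraps to ULONG_MAX and overflow is silently ignored. */
static unsigned long parse_unchecked(const char *v) {
    return strtoul(v, NULL, 10);
}

/* Checked form: digits only, no sign, no overflow, bounded by MAX_BODY_LEN. */
static bool parse_content_length(const char *v, size_t *out) {
    char *end = NULL;
    unsigned long long n;

    while (*v == ' ' || *v == '\t') v++;            /* optional leading whitespace */
    if (!isdigit((unsigned char)*v)) return false;  /* rejects "", "-1", "+5" */
    errno = 0;
    n = strtoull(v, &end, 10);
    if (errno == ERANGE) return false;              /* does not fit in unsigned long long */
    while (*end == ' ' || *end == '\t') end++;      /* optional trailing whitespace */
    if (*end != '\0') return false;                 /* trailing garbage, e.g. "12abc" */
    if (n > MAX_BODY_LEN) return false;             /* bound before any arithmetic */
    *out = (size_t)n;
    return true;
}

int main(void) {
    /* Constructed sample header values. */
    const char *samples[] = { "42", "-1", "99999999999999999999999",
                              "12abc", "1048577" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t len = 0;
        bool ok = parse_content_length(samples[i], &len);
        printf("%-24s unchecked=%lu checked=%s\n", samples[i],
               parse_unchecked(samples[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```
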

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.