.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.19
----------------------

Security Fixes
~~~~~~~~~~~~~~

- Previously, sending a specially crafted message over the control
  channel could cause the packet-parsing code to run out of available
  stack memory, causing :iscman:`named` to terminate unexpectedly.
  This has been fixed. :cve:`2023-3341`

  ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
  bringing this vulnerability to our attention. :gl:`#4152`

- A flaw in the networking code handling DNS-over-TLS queries could
  cause :iscman:`named` to terminate unexpectedly due to an assertion
  failure under significant DNS-over-TLS query load. This has been
  fixed. :cve:`2023-4236`

  ISC would like to thank Robert Story from USC/ISI Root Server
  Operations for bringing this vulnerability to our attention.
  :gl:`#4242`

Removed Features
~~~~~~~~~~~~~~~~

- The :any:`dnssec-must-be-secure` option has been deprecated and will
  be removed in a future release. :gl:`#4263`

Feature Changes
~~~~~~~~~~~~~~~

- If the ``server`` command is specified, :iscman:`nsupdate` now honors
  the :option:`nsupdate -v` option for SOA queries by sending both the
  UPDATE request and the initial query over TCP. :gl:`#1181`

Bug Fixes
~~~~~~~~~

- The value of the If-Modified-Since header in the statistics channel
  was not being correctly validated for its length, potentially allowing
  an authorized user to trigger a buffer overflow. Ensuring the
  statistics channel is configured correctly to grant access exclusively
  to authorized users is essential (see the :any:`statistics-channels`
  block definition and usage section). :gl:`#4124`

  This issue was reported independently by Eric Sesterhenn of X41 D-Sec
  GmbH and Cameron Whitehead.

- The Content-Length header in the statistics channel was lacking proper
  bounds checking. A negative or excessively large value could
  potentially trigger an integer overflow and result in an assertion
  failure. :gl:`#4125`

  This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

- Several memory leaks caused by not clearing the OpenSSL error stack
  were fixed. :gl:`#4159`

  This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

- The introduction of ``krb5-subdomain-self-rhs`` and
  ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
  :iscman:`named` to return SERVFAIL responses to deletion requests for
  non-existent PTR and SRV records. This has been fixed. :gl:`#4280`

- The :any:`stale-refresh-time` feature was mistakenly disabled when the
  server cache was flushed by :option:`rndc flush`. This has been fixed.
  :gl:`#4278`

- BIND's memory consumption has been improved by implementing dedicated
  jemalloc memory arenas for sending buffers. This optimization ensures
  that memory usage is more efficient and better manages the return of
  memory pages to the operating system. :gl:`#4038`

- Previously, partial writes in the TLS DNS code were not accounted for
  correctly, which could have led to DNS message corruption. This has
  been fixed. :gl:`#4255`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.