1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2.. 3.. SPDX-License-Identifier: MPL-2.0 4.. 5.. This Source Code Form is subject to the terms of the Mozilla Public 6.. License, v. 2.0. If a copy of the MPL was not distributed with this 7.. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8.. 9.. See the COPYRIGHT file distributed with this work for additional 10.. information regarding copyright ownership. 11 12Notes for BIND 9.18.24 13---------------------- 14 15Security Fixes 16~~~~~~~~~~~~~~ 17 18- Validating DNS messages containing a lot of DNSSEC signatures could 19 cause excessive CPU load, leading to a denial-of-service condition. 20 This has been fixed. :cve:`2023-50387` 21 22 ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, 23 and Michael Waidner from the German National Research Center for 24 Applied Cybersecurity ATHENE for bringing this vulnerability to our 25 attention. :gl:`#4424` 26 27- Preparing an NSEC3 closest encloser proof could cause excessive CPU 28 load, leading to a denial-of-service condition. This has been fixed. 29 :cve:`2023-50868` :gl:`#4459` 30 31- Parsing DNS messages with many different names could cause excessive 32 CPU load. This has been fixed. :cve:`2023-4408` 33 34 ISC would like to thank Shoham Danino from Reichman University, Anat 35 Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv 36 University, and Yuval Shavitt from Tel-Aviv University for bringing 37 this vulnerability to our attention. :gl:`#4234` 38 39- Specific queries could cause :iscman:`named` to crash with an 40 assertion failure when :any:`nxdomain-redirect` was enabled. This has 41 been fixed. :cve:`2023-5517` :gl:`#4281` 42 43- A bad interaction between DNS64 and serve-stale could cause 44 :iscman:`named` to crash with an assertion failure, when both of these 45 features were enabled. This has been fixed. :cve:`2023-5679` 46 :gl:`#4334` 47 48- Under certain circumstances, the DNS-over-TLS client code incorrectly 49 attempted to process more than one DNS message at a time, which could 50 cause :iscman:`named` to crash with an assertion failure. This has 51 been fixed. :gl:`#4487` 52 53Bug Fixes 54~~~~~~~~~ 55 56- The counters exported via the statistics channel were changed back to 57 64-bit signed values; they were being inadvertently truncated to 58 unsigned 32-bit values since BIND 9.15.0. :gl:`#4467` 59 60Known Issues 61~~~~~~~~~~~~ 62 63- There are no new known issues with this release. See :ref:`above 64 <relnotes_known_issues>` for a list of all known issues affecting this 65 BIND 9 branch. 66