1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2..
3.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12Notes for BIND 9.18.24
13----------------------
14
15Security Fixes
16~~~~~~~~~~~~~~
17
18- Validating DNS messages containing a lot of DNSSEC signatures could
19  cause excessive CPU load, leading to a denial-of-service condition.
20  This has been fixed. :cve:`2023-50387`
21
22  ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
23  and Michael Waidner from the German National Research Center for
24  Applied Cybersecurity ATHENE for bringing this vulnerability to our
25  attention. :gl:`#4424`
26
27- Preparing an NSEC3 closest encloser proof could cause excessive CPU
28  load, leading to a denial-of-service condition. This has been fixed.
29  :cve:`2023-50868` :gl:`#4459`
30
31- Parsing DNS messages with many different names could cause excessive
32  CPU load. This has been fixed. :cve:`2023-4408`
33
34  ISC would like to thank Shoham Danino from Reichman University, Anat
35  Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
36  University, and Yuval Shavitt from Tel-Aviv University for bringing
37  this vulnerability to our attention. :gl:`#4234`
38
39- Specific queries could cause :iscman:`named` to crash with an
40  assertion failure when :any:`nxdomain-redirect` was enabled. This has
41  been fixed. :cve:`2023-5517` :gl:`#4281`
42
43- A bad interaction between DNS64 and serve-stale could cause
44  :iscman:`named` to crash with an assertion failure, when both of these
45  features were enabled. This has been fixed. :cve:`2023-5679`
46  :gl:`#4334`
47
48- Under certain circumstances, the DNS-over-TLS client code incorrectly
49  attempted to process more than one DNS message at a time, which could
50  cause :iscman:`named` to crash with an assertion failure. This has
51  been fixed. :gl:`#4487`
52
53Bug Fixes
54~~~~~~~~~
55
56- The counters exported via the statistics channel were changed back to
57  64-bit signed values; they were being inadvertently truncated to
58  unsigned 32-bit values since BIND 9.15.0. :gl:`#4467`
59
60Known Issues
61~~~~~~~~~~~~
62
63- There are no new known issues with this release. See :ref:`above
64  <relnotes_known_issues>` for a list of all known issues affecting this
65  BIND 9 branch.
66