1 <?xml version="1.0" encoding="utf-8"?>
3 - Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
18 <sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
19 <xi:include href="noteversion.xml"/>
20 <sect2 id="relnotes_intro">
21 <title>Introduction</title>
23 This document summarizes changes since BIND 9.10.2:
26 BIND 9.10.2-P4 addresses security issues described in
27 CVE-2015-5722 and CVE-2015-5986.
30 BIND 9.10.2-P3 addresses a security issue described in
34 BIND 9.10.2-P2 addresses a security issue described in
38 BIND 9.10.2-P1 addressed several bugs that have been identified
39 in the BIND 9.10 implementation of response-policy zones (RPZ).
40 The bugs are in code which optimizes searching through multiple
41 policy zones. In some cases, they can cause RPZ to behave
42 inefficiently by searching for query matches in more policy
43 zones than are strictly necessary, or to behave unpredictably
44 by failing to search a policy zone that should have been
45 searched. In the worst case, they can lead to assertion
46 failures, terminating <command>named</command>.
49 <sect2 id="relnotes_download">
50 <title>Download</title>
52 The latest versions of BIND 9 software can always be found at
53 <ulink url="http://www.isc.org/downloads/"
54 >http://www.isc.org/downloads/</ulink>.
55 There you will find additional information about each release,
56 source code, and pre-compiled versions for Microsoft Windows
60 <sect2 id="relnotes_security">
61 <title>Security Fixes</title>
65 An incorrect boundary check in the OPENPGPKEY rdatatype
66 could trigger an assertion failure. This flaw is disclosed
67 in CVE-2015-5986. [RT #40286]
72 A buffer accounting error could trigger an assertion failure
73 when parsing certain malformed DNSSEC keys.
76 This flaw was discovered by Hanno B쎶eck of the Fuzzing
77 Project, and is disclosed in CVE-2015-5722. [RT #40212]
82 A specially crafted query could trigger an assertion failure
86 This flaw was discovered by Jonathan Foote, and is disclosed
87 in CVE-2015-5477. [RT #39795]
92 On servers configured to perform DNSSEC validation, an
93 assertion failure could be triggered on answers from
94 a specially configured server.
97 This flaw was discovered by Breno Silveira Soares, and is
98 disclosed in CVE-2015-4620. [RT #39795]
103 <sect2 id="relnotes_features">
104 <title>New Features</title>
111 <sect2 id="relnotes_changes">
112 <title>Feature Changes</title>
119 <sect2 id="relnotes_bugs">
120 <title>Bug Fixes</title>
124 Asynchronous zone loads were not handled correctly when the
125 zone load was already in progress; this could trigger a crash
131 Several bugs have been fixed in the RPZ implementation:
136 Policy zones that did not specifically require recursion
137 could be treated as if they did; consequently, setting
138 <command>qname-wait-recurse no;</command> was
139 sometimes ineffective. This has been corrected.
140 In most configurations, behavioral changes due to this
141 fix will not be noticeable. [RT #39229]
146 The server could crash if policy zones were updated (e.g.
147 via <command>rndc reload</command> or an incoming zone
148 transfer) while RPZ processing was still ongoing for an
149 active query. [RT #39415]
154 On servers with one or more policy zones configured as
155 slaves, if a policy zone updated during regular operation
156 (rather than at startup) using a full zone reload, such as
157 via AXFR, a bug could allow the RPZ summary data to fall out
158 of sync, potentially leading to an assertion failure in
159 rpz.c when further incremental updates were made to the
160 zone, such as via IXFR. [RT #39567]
165 The server could match a shorter prefix than what was
166 available in CLIENT-IP policy triggers, and so, an
167 unexpected action could be taken. This has been
168 corrected. [RT #39481]
173 The server could crash if a reload of an RPZ zone was
174 initiated while another reload of the same zone was
175 already in progress. [RT #39649]
182 <sect2 id="end_of_life">
183 <title>End of Life</title>
185 The end of life for BIND 9.10 is yet to be determined but
186 will not be before BIND 9.12.0 has been released for 6 months.
187 <ulink url="https://www.isc.org/downloads/software-support-policy/"
188 >https://www.isc.org/downloads/software-support-policy/</ulink>
191 <sect2 id="relnotes_thanks">
192 <title>Thank You</title>
194 Thank you to everyone who assisted us in making this release possible.
195 If you would like to contribute to ISC to assist us in continuing to
196 make quality open source software, please visit our donations page at
197 <ulink url="http://www.isc.org/donate/"
198 >http://www.isc.org/donate/</ulink>.