From abed39ec0deeed276bd3075dadb92ae51ed2df85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 16 Jan 2024 11:46:29 +0100 Subject: [PATCH] Add CHANGES and release note for [GL #4424] --- CHANGES | 4 ++++ doc/notes/notes-current.rst | 31 +++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 doc/notes/notes-current.rst diff --git a/CHANGES b/CHANGES index 095d027bb5..5a59e438b9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +6322. [security] Specific DNS answers could cause a denial-of-service + condition due to DNS validation taking a long time. + (CVE-2023-50387) [GL #4424] + 6321. [security] Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..0a84c2cadc --- /dev/null +++ b/doc/notes/notes-current.rst @@ -0,0 +1,31 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.19.21 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Validating DNS messages containing a lot of DNSSEC signatures could + cause excessive CPU load, leading to a denial-of-service condition. + This has been fixed. :cve:`2023-50387` + + ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, + and Michael Waidner from the German National Research Center for + Applied Cybersecurity ATHENE. :gl:`#4424` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch.
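Review bot: In the CHANGES hunk, entry 6322 describes the cause as "DNS validation taking a long time", which is vaguer than the release note added by this same patch; that note names DNSSEC signatures and excessive CPU load. Suggest wording the entry to match the release note, for example "Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition", so that someone searching CHANGES for DNSSEC-related security fixes finds it next to (CVE-2023-50387).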
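Review bot: In the doc/notes/notes-current.rst hunk, the Known Issues item uses a :ref: role whose link text is "above" but, as the lines appear here, nothing follows it before the closing backquote, so there is no target label for Sphinx to resolve. Please confirm the role carries its label in the committed file and that the label exists in the notes that include this one, since this file is newly created and the word "above" only makes sense once it is included below the full known-issues list. Separately, the Security Fixes item ends with "This has been fixed." without saying what changed; one sentence on the nature of the fix would help operators judge whether any configuration review is needed after upgrading.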