From 0b22f09806edac19e97d9ef61567eae76ab7c89d Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Thu, 11 Jun 2020 15:58:55 +0100 Subject: [PATCH] Document 1.5.2 changes and set version number Signed-off-by: Ian Jackson --- Makefile.in | 2 +- NEWS | 4 ++++ changelog | 44 ++++++++++++++++++++++++++++++++++++++++---- client/client.h | 2 +- 4 files changed, 46 insertions(+), 6 deletions(-) diff --git a/Makefile.in b/Makefile.in index 3c9a03c..0889ad9 100644 --- a/Makefile.in +++ b/Makefile.in @@ -24,7 +24,7 @@ include ./common.make # Remember to change ADNS_VERSION_STRING in client/client.h too, and # possibly library soname (MAJOR and MINOR in common.make.in). -DISTVERSION= 1.5.1 +DISTVERSION= 1.5.2 srcdir= @srcdir@ VPATH= @srcdir@ diff --git a/NEWS b/NEWS index 4cb9630..18130c2 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +Changes in adns 1.5.2, since adns 1.5.1, are: + + Important security fixes, and other bugfixes. See changelog. + Changes in adns 1.5.1, since adns 1.5.0, are: Bugfixes. See changelog. diff --git a/changelog b/changelog index e47c073..a0cfb25 100644 --- a/changelog +++ b/changelog @@ -1,8 +1,44 @@ -adns (1.5.2~) UPSTREAM; urgency=medium +adns (1.5.2) UPSTREAM; urgency=medium + + * Important security fixes: + CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9109: + Vulnerable applications: all adns callers. + Exploitable by: the local recursive resolver. + Likely worst case: Remote code execution. + CVE-2017-9106: + Vulnerable applications: those that make SOA queries. + Exploitable by: upstream DNS data sources. + Likely worst case: DoS (crash of the adns-using application) + CVE-2017-9107: + Vulnerable applications: those that use adns_qf_quoteok_query. + Exploitable by: sources of query domain names. + Likely worst case: DoS (crash of the adns-using application) + CVE-2017-9108: + Vulnerable applications: adnshost. + Exploitable by: code responsible for framing the input. + Likely worst case: DoS (adnshost crashes at EOF). + All found by AFL 2.35b. Thanks to the University of Cambridge + Department of Applied Mathematics for computing facilities. - * - - -- + Bugfixes: + * Do not include spurious external symbol `data' (fixes GCC10 build). + * If server sends TC flag over TCP, bail rather than retrying. + * Do not crash on certain strange resolv.conf contents. + * Fix various crashes if a global system failure occurs, or + adns_finish is called with outstanding queries. + * Correct a parsing error message very slightly. + * DNS packet parsing: Slight fix when packet is truncated. + * Fix ABI compatibility in string conversion of certain RR types. + * internal.h: Use `unsigned' for nextid; fixes theoretical C UB. + + Portability fix: + * common.make.in: add -Wno-unused-value. Fixes build with GCC9. + + Internal changes: + * Additional comments describing some internal code restrions. + * Robustness assert() against malfunctioning write() system call. + + -- Ian Jackson Thu, 11 Jun 2020 15:48:12 +0100 adns (1.5.1) UPSTREAM; urgency=medium diff --git a/client/client.h b/client/client.h index 535c04c..5d9c271 100644 --- a/client/client.h +++ b/client/client.h @@ -27,7 +27,7 @@ #ifndef CLIENT_H_INCLUDED #define CLIENT_H_INCLUDED -#define ADNS_VERSION_STRING "1.5.1" +#define ADNS_VERSION_STRING "1.5.2" #define COPYRIGHT_MESSAGE \ "Copyright (C) 1997-2000,2003,2006,2014-2016,2020 Ian Jackson\n" \ -- 2.30.2