4.1-ESV-R13b1 is now available
sar at isc.org
Wed Mar 9 22:35:45 UTC 2016
ISC DHCP 4.1-ESV-R13b1 is now available for download.
This is the release of ISC DHCP 4.1-ESV-R13b1, a maintenance
release which contains a number of bug fixes and two fixes
for previously released security issues.
Field testing is an important part of our quality process.
Please report bugs to dhcp-bugs at isc.org.
A list of the changes in this release has been appended to the end
of this message. For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:
Knowledge base articles about various features can be found starting from:
Webinars can be found here:
This release and its OpenPGP signatures are available now from:
ISC's Release Signing Key can be obtained at:
The following are changes that may be more interesting and require
a bit more explanation.
We have changed the default set-up for choosing a program name for
use in logging. Previously we used a hardcoded name for the client,
relay and server. We have changed to using the base name of the program.
This is intended to help differentiate syslog entries when using both v4
& v6 clients or servers. We don't expect anybody to need the old style
but if you do it is available via modifying includes/site.h
and defining OLD_LOG_NAME. [ISC-Bugs #38692]
We have added a new parameter, authoring-byte-order, to the lease file.
This value is used to allow a lease file written in one byte order
to be read on a machine with a different byte order. If you have
a program to process a lease file you may need to update it to
handle this string. [ISC-Bugs #38396]
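For anyone updating a lease-file tool as described above, here is an added example (not ISC code and not part of the original announcement) that tokenizes a lease file, records the new top-level statement, and skips statements it does not know instead of failing. It assumes the statement is written as `authoring-byte-order little-endian;` or `authoring-byte-order big-endian;`; the function names and the sample file are constructed for illustration.

```python
import re
# Token order matters: comments, quoted strings, punctuation, then bare words.
TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|[{};]|[^\s{};"#]+')
SAMPLE = r'''# constructed sample, not taken from a real server
authoring-byte-order little-endian;
server-duid "\000\001";
lease 192.0.2.10 {
  ends 3 2016/03/09 23:00:00;
  binding state active;
  client-hostname "lab;pc}";
}
'''

def statements(text):
    # Yield (words, body) per top-level statement; body is None for "a b;".
    words, body, depth = [], None, 0
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if depth == 0 and tok == "{":
            depth, body = 1, []
        elif depth == 0 and tok in (";", "}"):
            if tok == "}":
                raise ValueError("unbalanced '}'")
            yield words, None
            words = []
        elif depth == 0:
            words.append(tok)
        else:
            depth += (tok == "{") - (tok == "}")
            if depth == 0:
                yield words, body
                words, body = [], None
            else:
                body.append(tok)

def parse_lease_file(text):
    info = {"byte_order": None, "leases": {}, "skipped": []}
    for words, body in statements(text):
        if words[:1] == ["authoring-byte-order"] and body is None:
            if words[1:] not in (["big-endian"], ["little-endian"]):
                raise ValueError("bad authoring-byte-order: %r" % words[1:])
            info["byte_order"] = words[1]
        elif words[:1] == ["lease"] and len(words) == 2 and body is not None:
            info["leases"][words[1]] = [
                " ".join(w) for w, b in statements(" ".join(body)) if b is None]
        elif words:
            info["skipped"].append(words[0])  # unknown statement: skip, don't fail
    return info
```

A file written by an older server has no such statement, so `byte_order` stays `None` and the tool can treat that as "not recorded".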
The IETF determined that there were problems with the processing
required for IA_NAs (RFC3315) and IA_PDs (RFC3633). The issues
are described in RFC7550. As part of updating the client code to
the new RFC we also re-arranged how it chooses between different
servers by changing the weights used when scoring an advertise.
The new weighting will prefer more bindings (IAs) over more addresses
within a binding. As most users will get a single address in
a single binding and only get an advertise from a single server
there won't be any difference. If you do need the old weighting
for some reason you can edit includes/site.h and define
USE_ORIGINAL_CLIENT_LEASE_WEIGHTS. [ISC-Bugs #40190]
We have modified the error reporting in the client, relay and server
to better indicate which command line option caused an error. As
we don't expect this to be an issue we have made it the default.
If you need the old error messages you can edit includes/site.h
and undefine PRINT_SPECIFIC_CL_ERRORS. [ISC-Bugs #40321]
As mentioned in the recent security announcement we found an issue
with our handling of excessive numbers of connections. While we
believe the best idea is for people to properly secure their DHCP
servers (disable OMAPI if not in use, use firewalls to limit access
to OMAPI and failover ports and use process limits to restrict the
resources the servers can use) we have added code to limit the number
of connections a server will allow. We have chosen 200 as the
default number which should be large enough for most configurations.
You may adjust this value by editing includes/site.h and changing
the value of MAX_FD_VALUE. A value of 0 means unlimited. We will
be evaluating the connection code in more detail in the future and
may change how this works. [ISC-Bugs #41845]
The following is the list of all changes for this release.
Changes since 4.1-ESV-R12
- Corrected a static analyzer warning in common/execute.c
- ISC DHCP now follows the common convention to use the base name a
program is invoked with (aka argv[0], vs. a builtin name) for
logs. This should help differentiate syslog entries for DHCPv4 and
DHCPv6 servers. You can define OLD_LOG_NAME in includes/site.h to
keep the previous behavior.
- The Linux packet filter code now correctly treats only the least significant
12 bits in an inbound packet's TCI value as the VLAN id (per IEEE 802.1Q).
Prior to this it was using the entire 16 bit value as the VLAN id and
incorrectly discarding packets. Thanks to Jiri Popelka at Red Hat for
reporting this issue and supplying its patch.
- Fixed several static analysis issues such as potential null
references, unchecked strdup returns. Thanks to Bill Parker (wp02855 at
gmail dot com) who identified these issues and supplied patches to
- Corrected compilation errors that prohibited building the server's
ATF unit tests when failover is disabled.
- Added dhcpv6 and delayed-ack to settings listed in the "Features:"
section of the configure script output. Additionally, all of the
features reported on will now always show either a "yes" or "no"
value. Prior to this features left to their default setting would
not show a value.
- Added a parameter, authoring-byte-order, to the lease file. This value
is automatically added to the top of new lease files by the server and
indicates the internal byte order (big endian or little endian) of the
server. This permits lease files generated on a server with one form of
byte order to be used on a server with the opposite form.
- Fix a small memory leak in the DHCPv6 version of the client code.
This is unlikely to cause significant issues in actual use.
- Corrected a few minor memory leaks in omapi's dereferencing of
host objects. Thanks to Jiri Popelka at Red Hat for reporting
the issue and supplying the patches.
- Update the client code to better support getting IA_NAs and IA_PDs
in the same packet, see RFC7550 for some discussion.
! Update the bounds checking when receiving a packet.
Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
- When handling an incorrect command line for dhcpd, dhclient or dhcrelay
print out a specific error message about the first error in addition
to the usage string. This may be disabled by editing includes/site.h.
- The configure script will now exit with an error message if it cannot find
pkg-config (needed to locate ATF used for building unit tests). Prior to
this the script would exit indicating success causing subsequent attempts
to build the software to fail.
- Properly terminate strings before passing them to regex and fix
a boundary error when creating certain new data strings.
Thanks to Andrey Jr. Melnikov for the bug report.
- Option expressions, such as prepend and append, are now supported when
running dhclient for IPv6. Prior to this such statements in the
client configuration file would be parsed but have no effect. Thanks
to Jiri Popelka at Red Hat for reporting the issue.
- A failover primary server will now accept a binding status update from the
secondary which transitions a lease from ACTIVE to ABANDONED. This accounts
for instances in which a client declines a lease and only the secondary
server receives it. Prior to this the primary server would reject such an
update as an "invalid state transition".
- Properly allocate memory for a bpf filter.
Thanks to Bill Parker (wp02855 at gmail dot com) who identified this issue.
- The DHCPv6 server now handles long valid and preferred lease times better.
Values that would cause the internal end time of the lease to wrap are
modified to work as infinite.
- Correct outputting of long lines in the lease file when writing
a lease that includes long strings in an execute statement.
- The server will now correctly treat a lease as reserved when the client
requests an infinite lease time (i.e. 0xFFFFFFFF) and "infinite-is-reserved"
is enabled. Prior to this the server would halt. In addition, corrections
were made to the server to allow a lease's flags field to be set via omapi.
Prior to this, the server, depending on the host architecture, would
incorrectly parse the new flags value from the omapi message.
- Add a new global DHCPv6 option, dhcpv6-set-tee-times, which when enabled
instructs the server to calculate T1 and T2 as recommended in RFC 3315,
- Corrected minor Coverity issues.
- Corrected interface name formation when using DLPI under Solaris 11. As of
Solaris 11, ethernet device files are located in "/dev/net". The configure
script has been modified to detect this situation and adjust the directory
used accordingly. Thanks to Jarkko Torppa for reporting this issue and
submitting a patch.
- Add a dereference call when handling an error condition while
decoding a packet and clean up some memory on error conditions.
! Add an option in site.h to limit the number of failover and control
connections the server will accept. By default this is 200.
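An added illustration (not ISC's patch and not part of the original announcement) of the Linux packet filter item in the list above: it reads the 802.1Q TCI from a frame and compares a check on all 16 bits with a check on the 12-bit VLAN id only. The rule "drop frames whose VLAN id is non-zero", the function names and the frames are assumptions constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def make_frame(tci):
    # Constructed test frame: broadcast dst, documentation src MAC, tag, IPv4.
    return (b"\xff" * 6 + bytes.fromhex("00005e005301")
            + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + b"\x00" * 46)


def read_tci(frame):
    """Return the 16-bit TCI of a tagged frame, or 0 when there is no tag."""
    if len(frame) < 16:
        return 0
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci if tpid == TPID_8021Q else 0


def split_tci(tci):
    """IEEE 802.1Q layout: 3-bit PCP, 1-bit DEI, 12-bit VLAN id."""
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def drops_before_fix(frame):
    # Whole TCI taken as the VLAN id: any priority bits make it non-zero.
    return read_tci(frame) != 0


def drops_after_fix(frame):
    # Only the low 12 bits identify the VLAN.
    return split_tci(read_tci(frame))["vid"] != 0


def compare(tcis=(0x0000, 0xA000, 0x0064, 0xA064)):
    # Map each TCI to (dropped before the fix, dropped after the fix).
    return {hex(t): (drops_before_fix(make_frame(t)),
                     drops_after_fix(make_frame(t))) for t in tcis}
```

The `0xa000` case is a priority-tagged frame (PCP 5, VLAN id 0): it is the one the two checks disagree on.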