4.3.4b1 is now available

Shawn Routhier sar at isc.org
Wed Mar 9 22:35:43 UTC 2016

ISC DHCP 4.3.4b1 is now available for download.

This is the release of ISC DHCP 4.3.4b1, a maintenance
release which contains a number of bug fixes and two
fixes for previously released security issues.

Field testing is an important part of our quality process.
Please report bugs to dhcp-bugs at isc.org.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:


Knowledge base articles about various features can be found starting from:


Webinars can be found here:


This release, and its OpenPGP-signatures are available now from:



ISC's Release Signing Key can be obtained at:


The following are changes that may be more interesting and require
a bit more explanation.

We have changed the default set-up for choosing a program name for
use in logging.  Previously we used a hardcoded name for the client,
relay and server.  We have changed to using the base name of the program.
This is intended to help differentiate syslog entries when using both v4
& v6 clients or servers.  We don't expect anybody to need the old style
but if you do it is available via modifying includes/site.h 
and defining OLD_LOG_NAME.  [ISC-Bugs #38692]

We have added a new parameter, authoring-byte-order, to the lease file.
This value is used to allow a lease file written in one byte order
to be read on a machine with a different byte order.  If you have
a program to process a lease file you may need to update it to
handle this string.  [ISC-Bugs #38396]

We have modified the configuration and Makefiles in order to make
it easier to cross compile ISC DHCP with Bind.  See the release
note entries for [ISC-Bugs #39210], [ISC-Bugs #38836], [ISC-Bugs #41536]
and [ISC-Bugs #33835] for more information.

The IETF determined that there were problems with the processing
required for IA_NAs (RFC3315) and IA_PDs (RFC3633).  The issues
are described in RFC7550.  As part of updating the client code to
the new RFC we also re-arranged how it chooses between different
servers by changing the weights used when scoring an advertise.
The new weighting will prefer more bindings (IAs) over more addresses
within a binding.  As most users will get a single address in
a single binding and only get an advertise from a single server
there won't be any difference.  If you do need the old weighting
for some reason you can edit includes/site.h and define

We have modified the error reporting in the client, relay and server
to better indicate which command line option caused an error.  As
we don't expect this to be an issue we have made it the default.
If you need the old error messages you can edit includes/site.h
and undefine PRINT_SPECIFIC_CL_ERRORS. [ISC-Bugs #40321]

We have added support for DHCPv4 over DHCPv6 (RFC 7341).  This is a
transition strategy that allows a set of co-operating programs to
encapsulate a DHCPv4 request into a DHCPv6 request and transmit
it over an IPv6 network, thus allowing a "v4 island" to get DHCP
service.  It is still somewhat experimental and by default most of
the changes are not included.  In order to enable it you will need
to add the option "--enable-dhcpv4o6" to your configuration command
before compiling the code.  You would also need to use the 
"-4o6 <port>" argument on the command line.  More information can be
found in the release at doc/DHCPv4-over-DHCPv6 or on our web site at
[ISC-Bugs #35711]

We have added a new parameter, "lease-id-format" for both dhcpd
and dhclient.  This parameter controls the format in which some
values are written to lease files.  This is to allow values such
as DUIDs to be written in hex which is more natural than octal.
In order to avoid disturbing current users the default is to output
the information as we have done before.  [ISC-Bugs #26378]

As mentioned in the recent security announcement we found an issue
with our handling of excessive numbers of connections.  While we
believe the best idea is for people to properly secure their DHCP
servers (disable OMAPI if not in use, use firewalls to limit access
to OMAPI and failover ports and use process limits to restrict the
resources the servers can use) we have added code to limit the number
of connections a server will allow.  We have chosen 200 as the
default number which should be large enough for most configurations.
You may adjust this value by editing includes/site.h and changing
the value of MAX_FD_VALUE.  A value of 0 means unlimited.  We will
be evaluating the connection code in more detail in the future and
may change how this works.  [ISC-Bugs #41845]

The following is the list of all changes for this release.

                        Changes since 4.3.3

- Corrected a static analyzer warning in common/execute.c
  [ISC-Bugs #40374]

- ISC DHCP now follows the common convention to use the base name a
  program is invoked with (aka argv[0], vs. a builtin name) for
  logs. This should help differentiate syslog entries for DHCPv4 and
  DHCPv6 servers. You can define OLD_LOG_NAME in includes/site.h to
  keep the previous behavior.
  [ISC-Bugs #38692]

- The linux packet filter code now correctly treats only the least significant
  12 bits in an inbound packet's TCI value as the VLAN id (per IEEE 802.1Q).
  Prior to this it was using the entire 16 bit value as the VLAN id and
  incorrectly discarding packets.  Thanks to Jiri Popelka at Red Hat for
  reporting this issue and supplying its patch.
  [ISC-Bugs #40591]

- Fixed several static analysis issues such as potential null
  references, unchecked strdup returns.  Thanks to Bill Parker (wp02855 at
  gmail dot com) who identified these issues and supplied patches to
  address them.
  [ISC-Bugs #40754]
  [ISC-Bugs #40823]

- Corrected compilation errors that prohibited building the server
  and its ATF unit tests when failover is disabled.
  [ISC-Bugs #40372]

- Added the lease address to the end of the debug level log message
  emitted when an existing lease is renewed within the dhcp-cache-threshold.
  Thanks to Nathan Neulinger at Missouri S&T for suggesting the change.
  [ISC-Bugs #40598]

- Added dhcpv6 and delayed-ack to settings listed in the "Features:"
  section of the configure script output.  Additionally, all of the
  features reported on will now always show either a "yes" or "no"
  value.  Prior to this features left to their default setting would
  not show a value.
  [ISC-Bugs #40381]

- Added a parameter, authoring-byte-order, to the lease file. This value
  is automatically added to the top of new lease files by the server and
  indicates the internal byte order (big endian or little endian) of the
  server.  This permits lease files generated on a server with one form of
  byte order to be used on a server with the opposite form. Our thanks to
  Timothe Litt for calling this to our attention and for the suggestions
  he provided.
  [ISC-Bugs #38396]

- Fixed a small memory leak in the DHCPv6 version of the client code.
  This is unlikely to cause significant issues in actual use.
  [ISC-Bugs #40990]

- Corrected a few minor memory leaks in omapi's dereferencing of
  host objects. Thanks to Jiri Popelka at Red Hat for reporting
  the issue and supplying the patches.
  [ISC-Bugs #33990]
  [ISC-Bugs #41325]

- Cleaned up some of the Make infrastructure to make --with-libbind
  work better.  Though it still only works with an absolute path.
  [ISC-Bugs #39210]

- Made the embedded bind libraries able to be cross compiled
  (please refer to the bind9 documentation to learn how to cross
   compile DHCP and its bind library dependency).
  [ISC-Bugs #38836]

- Update the client code to better support getting IA_NAs and IA_PDs
  in the same packet, see RFC7550 for some discussion.
  [ISC-Bugs #40190]

! Update the bounds checking when receiving a packet.
  Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
  [ISC-Bugs #41267]
  CVE: CVE-2015-8605

- When handling an incorrect command line for dhcpd, dhclient or dhcrelay
  print out a specific error message about the first error in addition
  to the usage string.  This may be disabled by editing includes/site.h.
  [ISC-Bugs #40321]
  [ISC-Bugs #41454]

- The configure script will now exit with an error message if it cannot find
  a GNU-style make tool (needed when building BIND libraries) or pkg-config
  (needed to locate ATF used for building unit tests). Prior to this the
  script would exit indicating success causing subsequent attempts to build
  the software to fail.
  [ISC-Bugs #40371]

- Properly terminate strings before passing them to regex and fix
  a boundary error when creating certain new data strings.
  Thanks to Andrey Jr. Melnikov for the bug report.
  [ISC-Bugs #41217]

- Option expressions, such as prepend and append, are now supported when
  running dhclient for IPv6.  Prior to this such statements in the
  client configuration file would be parsed but have no effect.  Thanks
  to Jiri Popelka at Red Hat for reporting the issue.
  [ISC-Bugs #39952]

- A failover primary server will now accept a binding status update from the
  secondary which transitions a lease from ACTIVE to ABANDONED. This accounts
  for instances in which a client declines a lease and only the secondary
  server receives it.  Prior to this the primary server would reject such an
  update as an "invalid state transition".
  [ISC-Bugs #25189]

- Properly allocate memory for a bpf filter.
  Thanks to Bill Parker (wp02855 at gmail dot com) who identified this issue.
  [ISC-Bugs #41485]

- Updated contrib/dhcp-lease-list.pl to handle garbage in the oui file better
  and to print out the hostnames a bit better.
  Thanks to Antoine Beaupré from Debian for the suggested patch.
  [ISC-Bugs #41288]

- The DHCPv6 server now handles long valid and preferred lease times better.
  Values that would cause the internal end time of the lease to wrap are
  modified to work as infinite.
  [ISC-Bugs #40773]

- Updated support for cross compiling by allowing the library archiver
  to be set at configure time via the environment variable 'AR'.
  [ISC-Bugs #41536]

- The server will now match DHCPv6 relayed clients to host declarations
  which include the "hardware" statement, if the relay connected to the
  client supplies the client's hardware address via client-linklayer-address
  option as per RFC 6939.
  [ISC-Bugs #40334]

- Allow a filename to be specified instead of /dev/random during
  configuration.  This is passed to the BIND configuration to allow
  for cross compilation.
  [ISC-Bugs #33835]

- Add more option definitions.
  [ISC-Bugs #40562]

- Correct outputting of long lines in the lease file when writing
  a lease that includes long strings in an execute statement.
  [ISC-Bugs #40994]

- The server will now correctly treat a lease as reserved when the client
  requests an infinite lease time (i.e. 0xFFFFFFFF) and "infinite-is-reserved"
  is enabled.  Prior to this the server would halt.  In addition, corrections
  were made to the server to allow a lease's flags field to be set via omapi.
  Prior to this, the server, depending on the host architecture,  would
  incorrectly parse the new flags value from the omapi message.
  [ISC-Bugs #31179]

- ISC DHCP can now be configured and built from a directory other than
  the top level source directory. Note that "make distcheck" uses this
  [ISC-Bugs #39262]

- Add support for RFC 3527 to dhcrelay.  A new, dhcrelay command line argument,
  "-U <interface>" enables the addition of a RFC 3527 compliant link selection
  suboption to the agent option added for clients directly connected to the
  [ISC-Bugs #34875]
  [ISC-Bugs #41708]

- Add a new global DHCPv6 option, dhcpv6-set-tee-times, which when enabled
  instructs the server to calculate T1 and T2 as recommended in RFC 3315,
  Section 22.4.
  [ISC-Bugs #25687]

- Corrected minor Coverity issues.
  [ISC-Bugs #35144]

- Add support for RFC 7341 DHCPv4 over DHCPv6 with a new configuration
  option "--enable-dhcpv4o6". Note this feature requires DHCPv6 support
  and is not compatible with delayed-ack. Both client and server use 2
  processes which communicate over UDP on a pair of sockets. The new
  "-4o6 <port>" command line argument enables DHCPv4 over DHCPv6 support
  and specifies the consecutive ports to use for inter-process communication.
  Please look at doc/DHCPv4-over-DHCPv6 for more details.
  [ISC-Bugs #35711]

- Correct interface name formation when using DLPI under Solaris 11. As of
  Solaris 11, ethernet device files are located in "/dev/net".  The configure
  script has been modified to detect this situation and adjust the directory
  used accordingly. Thanks to Jarkko Torppa for reporting this issue and
  submitting a patch.
  [ISC-Bugs #37954]
  [ISC-Bugs #40752]

- Add a dereference call when handling an error condition while
  decoding a packet.
  [ISC-Bugs #41774]

- Add a new parameter, lease-id-format, to both dhcpd and dhclient. The
  parameter controls the format in which certain values are written to lease
  files.  Formats supported are octal - quoted string containing octal
  escapes, and hex - unquoted, colon separated hex digits.
  [ISC-Bugs #26378]

! Add an option in site.h to limit the number of failover and control
  connections the server will accept.  By default this is 200.
  [ISC-Bugs #41845]
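
Added example (not ISC's code and not part of the original announcement): one way a lease-file processing script could handle the new authoring-byte-order statement together with both lease-id-format encodings described above. The sample lease text, the function names, and the assumption that the first four bytes of an ia-na identifier hold the IAID in the writing server's byte order are constructed for illustration.

```python
import re
import sys

# Constructed samples (not from a real server): the same server DUID and
# IA_NA written with octal ids on a little-endian host and hex ids on a
# big-endian host.
SAMPLE_OCTAL = r'''authoring-byte-order little-endian;
server-duid "\000\001\000\001\035\371Z\"\000\014)\253\315\357";
ia-na "\001\000\000\000\000\003\000\001\000\014)\253\315\357" {
}
'''
SAMPLE_HEX = '''authoring-byte-order big-endian;
server-duid 00:01:00:01:1d:f9:5a:22:00:0c:29:ab:cd:ef;
ia-na 00:00:00:01:00:03:00:01:00:0c:29:ab:cd:ef {
}
'''

_STMT = re.compile(r'^\s*(authoring-byte-order|server-duid|ia-na)\s+'
                   r'("(?:\\.|[^"\\])*"|[^\s;{]+)', re.M)
_CHAR = re.compile(r'\\([0-7]{3})|\\(.)|(.)', re.S)


def decode_id(token):
    """Return the raw bytes of an id written in octal or hex format."""
    if token.startswith('"'):   # octal: quoted string with \ooo escapes
        return bytes(int(o, 8) if o else ord(e or p)
                     for o, e, p in _CHAR.findall(token[1:-1]))
    return bytes(int(h, 16) for h in token.split(":"))   # hex: aa:bb:cc


def parse_lease_ids(text, default_order=sys.byteorder + "-endian"):
    """Extract the byte order, server DUID and (IAID, DUID) pairs."""
    result = {"byte_order": None, "server_duid": None, "ia_na": []}
    for keyword, value in _STMT.findall(text):
        if keyword == "authoring-byte-order":
            if value not in ("big-endian", "little-endian"):
                raise ValueError("unknown byte order: " + value)
            result["byte_order"] = value
        elif keyword == "server-duid":
            result["server_duid"] = decode_id(value)
        else:
            raw = decode_id(value)
            # Assumption: first 4 bytes are the IAID in the writer's order.
            order = (result["byte_order"] or default_order).split("-")[0]
            result["ia_na"].append((int.from_bytes(raw[:4], order), raw[4:]))
    return result
```

Lease files written before this release carry no authoring-byte-order statement, so the parser falls back to `default_order`; set it to the byte order of the machine that wrote the file rather than the one running the script.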
