ISC DHCP 4.3.4 is now available for download
sar at isc.org
Tue Mar 29 20:51:19 UTC 2016
ISC DHCP 4.3.4 is now available for download.
This is the release of ISC DHCP 4.3.4, a maintenance
release which contains a number of bug fixes and two
fixes for previously released security issues.
Field testing is an important part of our quality process.
Please report bugs to dhcp-bugs at isc.org.
A list of the changes in this release has been appended to the end
of this message. For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:
Knowledge base articles about various features can be found starting from:
Webinars can be found here:
This release, and its OpenPGP-signatures are available now from:
ISC's Release Signing Key can be obtained at:
The following are changes that may be more interesting and require
a bit more explanation.
We have changed the default set-up for choosing a program name for
use in logging. Previously we used a hardcoded name for the client,
relay and server. We have changed to using the base name of the program.
This is intended to help differentiate syslog entries when using both v4
& v6 clients or servers. We don't expect anybody to need the old style
but if you do it is available via modifying includes/site.h
and defining OLD_LOG_NAME. [ISC-Bugs #38692]
We have added a new parameter, authoring-byte-order, to the lease file.
This value is used to allow a lease file written in one byte order
to be read on a machine with a different byte order. If you have
a program to process a lease file you may need to update it to
handle this string. [ISC-Bugs #38396]
We have modified the configuration and Makefiles in order to make
it easier to cross compile ISC DHCP with Bind. See the release
note entries for [ISC-Bugs #39210], [ISC-Bugs #38836], [ISC-Bugs #41536]
and [ISC-Bugs #33835] for more information.
The IETF determined that there were problems with the processing
required for IA_NAs (RFC3315) and IA_PDs (RFC3633). The issues
are described in RFC7550. As part of updating the client code to
the new RFC we also re-arranged how it chooses between different
servers by changing the weights used when scoring an advertise.
The new weighting will prefer more bindings (IAs) over more addresses
within a binding. As most users will get a single address in
a single binding and only get an advertise from a single server
there won't be any difference. If you do need the old weighting
for some reason you can edit includes/site.h and define
USE_ORIGINAL_CLIENT_LEASE_WEIGHTS. [ISC-Bugs #40190]
We have modified the error reporting in the client, relay and server
to better indicate which command line option caused an error. As
we don't expect this to be an issue we have made it the default.
If you need the old error messages you can edit includes/site.h
and undefine PRINT_SPECIFIC_CL_ERRORS. [ISC-Bugs #40321]
We have added support for DHCPv4 over DHCPv6 (RFC 7341). This is a
transition strategy that allows a set of co-operating programs to
encapsulate a DHCPv4 request into a DHCPv6 request and transmit
it over an IPv6 network, thus allowing a "v4 island" to get DHCP
service. It is still somewhat experimental and by default most of
the changes are not included. In order to enable it you will need
to add the option "--enable-dhcpv4o6" to your configuration command
before compiling the code. You would also need to use the
"-4o6 <port>" argument on the command line. More information can be
found in the release at doc/DHCPv4-over-DHCPv6 or on our web site at
We have added a new parameter, "lease-id-format" for both dhcpd
and dhclient. This parameter controls the format in which some
values are written to lease files. This is to allow values such
as DUIDs to be written in hex which is more natural than octal.
In order to avoid disturbing current users the default is to output
the information as we have done before. [ISC-Bugs #26378]
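
For programs that process lease files, here is an added example (not part of the ISC announcement or the ISC DHCP sources) that reads the authoring-byte-order statement and decodes an identifier written in either lease-id-format. It assumes the statement's values are big-endian and little-endian, that an IA identifier is a 4-byte IAID in the writer's byte order followed by the DUID, and that a file without the statement uses the reader's byte order; the sample lease text is constructed.

```python
import re
import sys

# Constructed sample lease file: one IA_NA identifier (assumed layout: 4-byte
# IAID in the writer's byte order, then the client DUID) in each lease-id-format.
SAMPLE = r'''
authoring-byte-order little-endian;
ia-na "\001\000\000\000\000\001\000\001\035\364\360\246RT\000\0224V" {
}
ia-na 01:00:00:00:00:01:00:01:1d:f4:f0:a6:52:54:00:12:34:56 {
}
'''

_ORDER = re.compile(r'^\s*authoring-byte-order\s+(big|little)-endian\s*;', re.M)
_IA = re.compile(r'^\s*ia-(?:na|ta|pd)\s+("(?:\\.|[^"\\])*"|[0-9A-Fa-f:]+)\s*\{', re.M)
# \ooo is exactly three octal digits; any other backslash escapes one character.
_ESC = re.compile(rb'\\([0-3][0-7]{2})|\\(.)', re.S)


def decode_id(token):
    """Return the raw bytes of an identifier in octal or hex lease-id-format."""
    if token.startswith('"'):
        body = token[1:-1].encode("latin-1")
        return _ESC.sub(
            lambda m: bytes([int(m.group(1), 8)]) if m.group(1) else m.group(2),
            body)
    return bytes(int(octet, 16) for octet in token.split(":"))


def parse_ia_ids(text, reader_order=sys.byteorder):
    """Return (byte order used, [(iaid, duid_hex), ...]) for every IA entry."""
    m = _ORDER.search(text)
    # Assumed fallback: with no statement, use the reader's own byte order.
    order = m.group(1) if m else reader_order
    entries = []
    for ia in _IA.finditer(text):
        raw = decode_id(ia.group(1))
        entries.append((int.from_bytes(raw[:4], order), raw[4:].hex()))
    return order, entries


if __name__ == "__main__":
    order, entries = parse_ia_ids(SAMPLE)
    print("authoring-byte-order:", order)
    for iaid, duid in entries:
        print(f"IAID={iaid} DUID={duid}")
```
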
As mentioned in the recent security announcement we found an issue
with our handling of excessive numbers of connections. While we
believe the best idea is for people to properly secure their DHCP
servers (disable OMAPI if not in use, use firewalls to limit access
to OMAPI and failover ports and use process limits to restrict the
resources the servers can use) we have added code to limit the number
of connections a server will allow. We have chosen 200 as the
default number which should be large enough for most configurations.
You may adjust this value by editing includes/site.h and changing
the value of MAX_FD_VALUE. A value of 0 means unlimited. We will
be evaluating the connection code in more detail in the future and
may change how this works. [ISC-Bugs #41845]
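
An added example (not part of the ISC announcement or the ISC DHCP sources): a small audit that lists the OMAPI and failover TCP listeners a dhcpd.conf opens, so firewall rules can be scoped as the paragraph above advises. It assumes OMAPI listens only when omapi-port is set and reports a failover port as None when the declaration does not state one; the sample configuration is constructed.

```python
import re

# Constructed dhcpd.conf fragment; names and addresses are placeholders.
SAMPLE_CONF = '''
omapi-port 7911;                 # control channel enabled
failover peer "dhcp-pair" {
  primary;
  address 192.0.2.10;
  port 647;
  peer address 192.0.2.11;
  peer port 647;
}
subnet 192.0.2.0 netmask 255.255.255.0 {
  pool { failover peer "dhcp-pair"; range 192.0.2.100 192.0.2.200; }
}
'''

_OMAPI = re.compile(r'^\s*omapi-port\s+(\d+)\s*;', re.M)
# Only declarations (with a body) open a listener; pool references end in ';'.
_FAILOVER = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}')
_PORT = re.compile(r'^\s*port\s+(\d+)\s*;', re.M)
_PEER = re.compile(r'^\s*peer\s+address\s+([^;\s]+)\s*;', re.M)


def tcp_listeners(conf):
    """Return [(service, port, only_peer)] for each listener the config opens.

    only_peer is the single host that needs to reach a failover port; it is
    None for OMAPI, where the allowed management hosts are a site decision.
    """
    conf = re.sub(r'#[^\n]*', '', conf)          # drop comments
    found = [("omapi", int(m.group(1)), None) for m in _OMAPI.finditer(conf)]
    for decl in _FAILOVER.finditer(conf):
        port = _PORT.search(decl.group(2))
        peer = _PEER.search(decl.group(2))
        found.append(("failover " + decl.group(1),
                      int(port.group(1)) if port else None,
                      peer.group(1) if peer else None))
    return found


if __name__ == "__main__":
    for service, port, peer in tcp_listeners(SAMPLE_CONF):
        scope = peer or "management hosts only (or remove omapi-port)"
        print(f"{service}: tcp/{port} -> allow from {scope}")
```
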
The following is the list of all changes for this release.
Changes since 4.3.4b1
Changes since 4.3.3
- Corrected a static analyzer warning in common/execute.c
- ISC DHCP now follows the common convention to use the base name a
program is invoked with (aka argv[0], vs. a builtin name) for
logs. This should help differentiate syslog entries for DHCPv4 and
DHCPv6 servers. You can define OLD_LOG_NAME in includes/site.h to
keep the previous behavior.
- The Linux packet filter code now correctly treats only the least significant
12 bits in an inbound packet's TCI value as the VLAN id (per IEEE 802.1Q).
Prior to this it was using the entire 16 bit value as the VLAN id and
incorrectly discarding packets. Thanks to Jiri Popelka at Red Hat for
reporting this issue and supplying its patch.
- Fixed several static analysis issues such as potential null
references, unchecked strdup returns. Thanks to Bill Parker (wp02855 at
gmail dot com) who identified these issues and supplied patches to
- Corrected compilation errors that prohibited building the server
and its ATF unit tests when failover is disabled.
- Added the lease address to the end of the debug level log message
emitted when an existing lease is renewed within the dhcp-cache-threshold.
Thanks to Nathan Neulinger at Missouri S&T for suggesting the change.
- Added dhcpv6 and delayed-ack to settings listed in the "Features:"
section of the configure script output. Additionally, all of the
features reported on will now always show either a "yes" or "no"
value. Prior to this features left to their default setting would
not show a value.
- Added a parameter, authoring-byte-order, to the lease file. This value
is automatically added to the top of new lease files by the server and
indicates the internal byte order (big endian or little endian) of the
server. This permits lease files generated on a server with one form of
byte order to be used on a server with the opposite form. Our thanks to
Timothe Litt for calling this to our attention and for the suggestions
- Fixed a small memory leak in the DHCPv6 version of the client code.
This is unlikely to cause significant issues in actual use.
- Corrected a few minor memory leaks in omapi's dereferencing of
host objects. Thanks to Jiri Popelka at Red Hat for reporting
the issue and supplying the patches.
- Cleaned up some of the Make infrastructure to make --with-libbind
work better. Though it still only works with an absolute path.
- Made the embedded bind libraries able to be cross compiled
(please refer to the bind9 documentation to learn how to cross
compile DHCP and its bind library dependency).
- Update the client code to better support getting IA_NAs and IA_PDs
in the same packet, see RFC7550 for some discussion.
! Update the bounds checking when receiving a packet.
Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
- When handling an incorrect command line for dhcpd, dhclient or dhcrelay
print out a specific error message about the first error in addition
to the usage string. This may be disabled by editing includes/site.h.
- The configure script will now exit with an error message if it cannot find
a GNU-style make tool (needed when building BIND libraries) or pkg-config
(needed to locate ATF used for building unit tests). Prior to this the
script would exit indicating success causing subsequent attempts to build
the software to fail.
- Properly terminate strings before passing them to regex and fix
a boundary error when creating certain new data strings.
Thanks to Andrey Jr. Melnikov for the bug report.
- Option expressions, such as prepend and append, are now supported when
running dhclient for IPv6. Prior to this such statements in the
client configuration file would be parsed but have no effect. Thanks
to Jiri Popelka at Red Hat for reporting the issue.
- A failover primary server will now accept a binding status update from the
secondary which transitions a lease from ACTIVE to ABANDONED. This accounts
for instances in which a client declines a lease and only the secondary
server receives it. Prior to this the primary server would reject such an
update as an "invalid state transition".
- Properly allocate memory for a bpf filter.
Thanks to Bill Parker (wp02855 at gmail dot com) who identified this issue.
- Updated contrib/dhcp-lease-list.pl to handle garbage in the oui file better
and to print out the hostnames a bit better.
Thanks to Antoine Beaupré from Debian for the suggested patch.
- The DHCPv6 server now handles long valid and preferred lease times better.
Values that would cause the internal end time of the lease to wrap are
modified to work as infinite.
- Updated support for cross compiling by allowing the library archiver
to be set at configure time via the environment variable 'AR'.
- The server will now match DHCPv6 relayed clients to host declarations
which include the "hardware" statement, if the relay connected to the
client supplies the client's hardware address via client-linklayer-address
option as per RFC 6939.
- Allow a filename to be specified instead of /dev/random during
configuration. This is passed to the BIND configuration to allow
for cross compilation.
- Add more option definitions.
- Correct outputting of long lines in the lease file when writing
a lease that includes long strings in an execute statement.
- The server will now correctly treat a lease as reserved when the client
requests an infinite lease time (i.e. 0xFFFFFFFF) and "infinite-is-reserved"
is enabled. Prior to this the server would halt. In addition, corrections
were made to the server to allow a lease's flags field to be set via omapi.
Prior to this, the server, depending on the host architecture, would
incorrectly parse the new flags value from the omapi message.
- ISC DHCP can now be configured and built from a directory other than
the top level source directory. Note that "make distcheck" uses this
- Add support for RFC 3527 to dhcrelay. A new, dhcrelay command line argument,
"-U <interface>" enables the addition of a RFC 3527 compliant link selection
suboption to the agent option added for clients directly connected to the
- Add a new global DHCPv6 option, dhcpv6-set-tee-times, which when enabled
instructs the server to calculate T1 and T2 as recommended in RFC 3315,
- Corrected minor Coverity issues.
- Add support for RFC 7341 DHCPv4 over DHCPv6 with a new configuration
option "--enable-dhcpv4o6". Note this feature requires DHCPv6 support
and is not compatible with delayed-ack. Both client and server use 2
processes which communicate over UDP on a pair of sockets. The new
"-4o6 <port>" command line argument enables DHCPv4 over DHCPv6 support
and specifies the consecutive ports to use for inter-process communication.
Please look at doc/DHCPv4-over-DHCPv6 for more details.
- Correct interface name formation when using DLPI under Solaris 11. As of
Solaris 11, ethernet device files are located in "/dev/net". The configure
script has been modified to detect this situation and adjust the directory
used accordingly. Thanks to Jarkko Torppa for reporting this issue and
submitting a patch
- Add a dereference call when handling an error condition while
decoding a packet.
- Add a new parameter, lease-id-format, to both dhcpd and dhclient. The
parameter controls the format in which certain values are written to lease
files. Formats supported are octal - quoted string containing octal
escapes, and hex - unquoted, colon separated hex digits. Thanks to
Jay Ford, University of Iowa for bringing the issue to our attention.
! Add an option in site.h to limit the number of failover and control
connections the server will accept. By default this is 200.