• Print
  • Share
  • Dark
    Light

DHCP 4.3.3-P1 Release Notes

  • Updated on 12 Jan 2016
  • 50 minutes to read
  • Contributors 

` Internet Systems Consortium DHCP Distribution Version 4.3.3-P1 01 January 2016

                         Release Notes

                          NEW FEATURES

The major "theme" for ISC DHCP 4.3.x was to update the support for DHCPv6 to include several of the features that have been available for DHCPv4. These include:

  • Support the use of classes

  • Support for on_commit, on_expiry and on_release statements

  • Better logging of address assignments

  • Support for using DHCPv6 relay options in expressions

This release also adds suppport for the standard DDNS as described in the current RFCs as well as enhancing support for dynamically adding and removing subclasses via OMAPI.

There are a number of DHCPv6 limitations and features missing in this release, which will be addressed in the future:

  • Only Solaris, Linux, FreeBSD, NetBSD, and OpenBSD are supported.

  • DHCPv6 includes human-readable text in status code messages, in English. A method to reconfigure or support other languages would be preferable.

  • The "host-identifier" option is limited to a simple token.

  • The client and server can only operate DHCPv4 or DHCPv6 at a time, not both. To use both protocols simultaneously, two instances of the relevant daemon are required, one with the '-6' command line option.

For information on how to install, configure and run this software, as well as how to find documentation and report bugs, please consult the README file.

ISC DHCP uses standard GNU configure for installation. Please review the output of "./configure --help" to see what options are available.

The system has only been tested on Linux, FreeBSD, and Solaris, and may not work on other platforms. Please report any problems and suggested fixes to dhcp-users@isc.org.

ISC DHCP is open source software maintained by Internet Systems Consortium. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

Changes since 4.3.3

! Update the bounds checking when receiving a packet. Thanks to Sebastian Poehn from Sophos for the bug report and a suggested patch. [ISC-Bugs #41267]

Changes since 4.3.3b1

  • None

Changes since 4.3.2

  • The server now does a better check to see if it can allocate the memory for large blocks of v4 leases and should provide a slightly better error message. Note well: the server pre-allocates v4 addresses, if you use a large range, such as a /8, the server will attempt to use a large amount of memory and may not start if there either isn't enough memory or the size exceeds what the code supports. [ISC-Bugs #38637]

  • The server will now reject unicast Request, Renew, Decline, and Release messages from a client unless the server would have sent that client the dhcp6.unicast option. This behavior is in compliance with paragraph 1 in each of the sections 18.2,1, 18.2.3, 18.2.6, and 18.2.7 of RFC 3315. Prior to this, the server would simply accept the messages. Now, in order for the server to accept such a message, the server configuration must include the dhcp6.unicast option either globally or within the shared network to which the requested lease belongs. In other words, the server will map the first IA_XX address found within the client message to a shared-network and look for the presence of the unicast option there and then globally. Thanks to Jiri Popelka at Red Hat for this issue and his patch which inspired the fix. [ISC-Bugs #21235]

  • The ATF (Automated Testing Framework) tools used for optional unit tests can now be built from its embedded sources in bind, solving the atf-run / atf-report issue with recent (>= 0.20) versions of ATF. The new configuration option is "./configure --with-atf=bind". [ISC-Bugs #38754, #39300]

  • Corrected a compilation error introduced by the fix for ISC-Bugs #22806. On older linuxes that do not include the tpacket_auxdata structure don't bother allocating the cmsgbuf as it isn't necessary and we don't have a proper length for it. [ISC-Bugs #39209]

  • Remove the dst directory. This was replaced in 4.2.0 with the dst code from the Bind libraries but we continued to include it for backwards compatibility. As we have now released 4.3.x it seems reasonable to remove it. [ISC-Buts #39019]

  • Write out the DUID server id on startup in all cases, previously if it was read in from server-duid option in the config or lease files for DHCPv4 it would not be written to the new lease file. [ISC-Bugs #37791]

  • When parsing dates for leases convert dates past 2038 to "never". This avoids problems with integer overflows in the date and time handling code for people that decide to use very large lease times or add a lease entry with a date far in the future. [ISC-Bugs #33056]

  • Leave the siaddr field clear when sending a NACK as per RFC 2131 table 3. [ISC-Bugs #38769]

  • In the client don't send expired addresses to the script as part of the binding process. Thanks to Sven Trenkel at Google for reporting the issue and suggesting the patch. [ISC-Bugs #38631]

  • While parsing IPv6 addresses treat "add" as part of the address instead of as a token. [ISC-Bugs #39529]

  • Add support for accessing the v4 lease queues (active, free etc) in a binary fashion instead of needing to walk through a linear list to insert, find or remove an entry from the queues. In addition add a compile time option "--enable-binary-leases" to enable the new code or to continue using the old code. The old code is the default. Thanks to Fernando Soto from BlueCat Networks for the patch. [ISC-Bugs #39078]

  • Delayed-ack now works properly with Failover. Prior to this, bind updates post startup were being queued but never delivered. Among other things, this was causing leases to not transition from expired or released to free. [ISC-Bugs #31474]

  • Clean up parsing of v6 lease files a bit to avoid infinite loops if the lease file is corrupt in certain ways. [ISC-Bugs #39760]

  • Corrected a crash in dhclient that occurs during lease renewal if the client is performing its own DNS updates. Thanks to Jiri Popelka at Red Hat for the bug report. [ISC-Bugs #38639]

  • Corrected an issue in v6 lease file parsing. Prior to this, when encountering a lease with an address for which no configured pool exists, the server was declaring the lease file corrupt and incorrectly skipping over the subsequent entry in the file. The server will now emit a log message indicating that no pool was found for the address (or prefix) and correctly resume parsing with the next entry in the lease file. Our thanks to Michal Žejdl for reporting the issue. [ISC-Bugs #39314]

  • Be more liberal in finding a subnet group associated with a static prefix. When we added the class matching code for v6 we also added a requirement that the static prefix must be within a subnet the client was in, in order to find the proper statements. We now look for a subnet based on the prefix, failing that on the static address for the client and failing that on the shared network itself. [ISC-Bugs #38329]

  • Add a new action expression "parse_vendor_options", which can be used to parse a vendor-encapsualted-option received by the server based on the encoding specified by the vendor-option-space statement. [ISC-Bugs #36449]

  • Enhance the PARANOIA patch to include fchown() the lease file to allow it to be manipulated after the server does a chown(). Thanks to Jiri Popelka at Red Hat for the patch. [ISC-Bugs #36978]

  • Relax the requirement that prefix pools must be within the subnet. This was added in as part of #32453 in order to avoid configuration mistakes but is being removed as prefixes aren't required to be within the same subnet and many people configure them in that fashion. [ISC-Bugs #40077]

  • Fixed a server crash that could occur when the server attempts to remove the billing class from the last lease billed to a dynamic class after said class has been deleted. Our thanks to Lasse Pesonen for reporting the issue. [ISC-Bugs #39978]

  • LDAP Patches - Numerous small patches submitted by contributors have been applied to the contributed code which supplies LDAP support. In addition, two larger submissions have also been included. The first adds support for IPv6 configuration and the second provides GSSAPI authentication. We would like to thank the following for their contributions (alphabetically): Alex Novak at SUSE Bill Parker (wp02855 at gmail dot com) Jiri Popelka at Red Hat Marius Tomaschewski at SUSE (william at adelaide.edu.au), The University of Adelaide [ISC-Bugs #39056] [ISC-Bugs #22742] [ISC-Bugs #24449] [ISC-Bugs #28545] [ISC-Bugs #29873] [ISC-Bugs #30183] [ISC-Bugs #30402] [ISC-Bugs #32217] [ISC-Bugs #32240] [ISC-Bugs #33176] [ISC-Bugs #33178] [ISC-Bugs #36409] [ISC-Bugs #36774] [ISC-Bugs #37876]

  • Handle an out of memory condition in the client a bit better. Thanks to Frédéric Perrin from Brocade for finding the issue and suggesting a patch. [ISC-Bugs #39279]

Changes since 4.3.2rc2

  • None

Changes since 4.3.2rc1

  • Corrected a compilation error introduced by the fix for ISC-Bugs #37415. The error occurs on Linux variants that do not support VLAN tag information in packet auxiliary data. The configure script now only enables inclusion of the VLAN tag-based logic if it is supported by the underlying OS. [ISC-Bugs #38677]

Changes since 4.3.2b1

  • Specifying the option, --disable-debug, on the configure script command line now disables debug features. Prior to this, specifying --disable-debug incorrectly enabled debug features. Thanks to Gustavo Zacarias for reporting the issue. [ISC-Bugs #37780]

  • Unit test execution now uses a path augmented during configuration processing of the --with-atf option to locate ATF runtime tools, atf-run and atf-report. For most installations of ATF, this should alleviate the need to manually include them in the PATH, as was formerly required. If the configure script cannot locate the tools it will emit a warning, informing the user that the tools must be in the PATH when running unit tests. Secondly, please note that "make check" will now exit with a failure status code (non-zero) if one or more unit tests fail. This means that invoking "make check" from an upper level directory will cause the make process to STOP after the first test subdirectory with failed test(s). To force all tests in all subdirectories to run, regardless of individual test outcome, use the command "make -k check". [ISC-Bugs #38619]

Changes since 4.3.1

  • Corrected parser's right brace matching when a statement contains an error. [ISC-Bugs #36021]

  • TSIG-authenticated dynamic DNS updates now support the use of these additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512 [ISC-Bugs #36947]

  • Added check for invalid failover message type. Thanks to Tobias Stoeckmann working with the OpenBSD project who spotted the issue and provided the patch. [ISC-Bugs #36653]

  • Corrected rate limiting checks for bad packet logging. Thanks to Tobias Stoeckmann working with the OpenBSD project who spotted the issue and provided the patch. [ISC-Bugs #36897]

  • Log statements depicting what files will be used by the server now occur after the configuration file has been processed. [ISC-Bugs #36671]

  • Addressed Coverity issues reported as of 07-31-2014: [ISC-Bugs #36712] Corrects Coverity reported "high" impact issues. [ISC-Bugs #36933] Corrects Coverity reported "medium" impact issues [ISC-Bugs #37708] Fixes compilation error in dst_api.c seen in older compilers that was introduced by #36712

  • Server now supports a failover split value of 256. [ISC-Bugs] #36664]

  • Remove unneeded error #defines. These defines were included in case external programs required the older versions of the macro. They have been #ifdeffed for now and will be removed at a future date. See site.h for the #define to include them again, but you should switch to using the DHCP_R_* versions instead of the ISC_R_* versions. Also ISC_R_MULTIPLE has been removed as it is also defined in bind. [ISC-Bugs #37128]

  • Added checks in range6 and prefix6 statement parsing to ensure addresses are within the declared subnet. Thanks to Jiri Popelka at Red Hat for the bug report and patch. [ISC-Bugs #32453] [ISC-Bugs #17766] [ISC-Bugs #18510] [ISC-Bugs #23698] [ISC-Bugs #28883]

  • Addressed checksum issues: Added checksum readiness check to Linux packet filtering which eliminates invalid packet drops due to checksum errors when checksum offloading is in use. Based on dhcp-4.2.2-xen-checksum.patch made to the Fedora project. [ISC-Bugs #22806] [ISC-Bugs #15902] [ISC-Bugs #17739] [ISC-Bugs #18010] [ISC-Bugs #22556] [ISC-Bugs #29769] Inbound packets with UDP checksums of 0xffff now validate correctly rather than being dropped. [ISC-Bugs #24216] [ISC-Bugs #25587]

  • Added the echo-client-id configuration parameter to the server configuration. The server now supports RFC 6842 compliant behavior by setting a new configuration parameter, echo-client-id. When enabled, the server will include the client identifier option (Option code 61) if received, in its responses. The server identifier returned in NAKs (if enabled) will now be the globally defined value (if one) if the server cannot attribute the inbound request to a known subnet. [ISC-Bugs #35958] [ISC-Bugs #32545]

  • Added support of the configuration parameter, use-host-decl-names, to BOOTP request handling. [ISC-Bugs #36233]

  • Added logic to ignore the signal, SIGPIPE, which ensures write failures will be delivered as errors rather than as SIGPIPE signals on all OSs. Thanks to Marius Tomaschewski from SUSE who reported the issue and provided the patch upon which the fix is based. [ISC-Bugs #32222]

  • In the failover code, handle the case of communications being interrupted when the servers are dealing with POTENTIAL-CONFLICT. This patch allows the primary to accept the secondary moving from POTENTIAL-CONFLICT to RESOLUTION-INTERRUPTED as well as handling the bind update process better. In addition the code to resend update or update all requests has been modified to send requests more often. [ISC-Bugs #36810] [ISC-Bugs #20352]

  • By default, the server will now choose the value to use in the forward DNS name from the following in order of preference:

    1. FQDN option if provided by the client
    2. Host name option if provided by the client
    3. Configured option host-name if defined

    As before, this may be overridden by defining ddns-hostname to the desired value (or expression). In addition, the server logic has been extended to use the value of the host name declaration if use-host-decl-names is enabled and no other value is available. [ISC-Bugs #21323]

  • DNS updates were being attempted when dhcp-cache-threshold enabled the use of the existing lease and the forward DNS name had not changed. This has been corrected. [ISC-Bugs #37368] [ISC-Bugs #38686]

  • Corrected an issue which caused dhclient to incorrectly form the result when prepending or appending to the IPv4 domain-search option, received from the server, when either of the values being combined contain compressed components. [ISC-Bugs #20558]

  • Added the server-id-check parameter to the server configuration. This parameter allows run-time control over whether or not a server, participating in failover, verifies the dhcp-server-identifier option in DHCP REQUESTs against the server's id before processing the request. Formerly, enabling this behavior was done at compilation time through the use of the #define, SERVER_ID_CHECK, which has been removed from site.h The functionality is now only available through the new runtime parameter. [ISC-Bugs #37551]

  • During startup, when the server encounters a lease whose binding state is FTS_BACKUP but whose pool has no configured failover peer, it will reset the lease's binding state to FTS_FREE. This allows the leases to be reclaimed by the server after a pool's configuration has changed from failover to standalone. Prior to this such leases would remain stuck in the backup state making them unavailable for assignment. Note this conversion will occur whether or not the server is compiled for failover. [ISC-Bugs #36960]

  • Fixed a small issue in the treatment of hosts in the inform processing that could cause the response to an inform to include information from the wrong scope. The two examples we've heard of are getting subnet instead of group information associated with a host entry, or getting global information instead of subnet if the host entry was built via omapi. Thanks to Julien Soula at University of Lille for finding the bug and supplying a patch. [ISC-Bugs #35712]

  • Avoid calling pool_timer() recursively from supersede_lease(). This could result in leases changing state incorrectly or delaying the running of the leae expiration code. [ISC-Bugs #38002]

  • Move the check for a PID file and process to be before we rewrite the lease file. This avoids the possibility of starting a second instance of a server which changes the current lease file confusing the first instance. This check is only included if the admin hasn't disabled PID files. [ISC-Bugs #38078] [ISC-Bugs #38143]

  • In the client code change the way preferred_life and max_life are printed for environment variables to be unsigned rather than signed. Thanks to Jiri Popelka at Red Hat for the bug report and patch. [ISC-Bugs #37084]

  • Modified linux packet handling such that packets received via VLAN are now seen only by the VLAN interface. Prior to this, such packets were seen by both the VLAN interface and its parent (physical) interface, causing the server to respond to both. Note this remains an issue for non-Linux OSs. Thanks to Jiri Popelka at Red Hat for the patch. [ISC-Bugs #37415] [ISC-Bugs #37133] [ISC-Bugs #36668] [ISC-Bugs #36652]

  • Log content has been changed to more directly suggest that admins should check for multiple IPv6 clients attempting to use the same DUID when only abandoned addresses are available. Debug level logging will now emit counts of the total number of, in-use, and abandoned addresses in a shared subnet when the server finds no addresses available for a given DUID. Lastly, threshold logging is now automatically disabled for shared subnets whose total number of possible addresses exceeds (2^64)-1. [ISC-Bugs #26376] [ISC-Bugs #38131]

  • Added a global parameter, prefix-length-mode, which may be used to determine how the server uses a non-zero value for prefix-length supplied by clients when soliciting DHCPv6 prefixes. The server supports selection modes of: ignore, prefer, exact, minimum and maximum which are described in detail in the server man pages. The prior behavior of the server was to only offer a prefix whose length exactly matched the prefix-length value requested. If no such prefixes were available, the server returned a status of none available. Note the default mode, "exact", provides this same behavior. [ISC-Bugs #36780] [ISC-Bugs #32228]

  • Corrected inconsistencies in dhcrelay's setting the upper interface hop count limit such that it now sets it to 32 when the upstream address is a multicast address per RFC 3315 Section 20. Prior to this if the -u argument preceded the -l argument on the command line or if the same interface was specified for both; the logic to set the hop limit count for the upper interface was skipped. This caused the hop count limit to be set to the default value (typically 1) in the outbound upstream packets. [ISC-Bugs #37426]

Changes since 4.3.1b1

  • Modify the linux and openwrt dhclient scripts to process information from a stateless request. Thanks to Jiri Popelka at Red Hat for the bug report and patch. [ISC-Bugs #36102]

  • Remove more unused RCSID tags. These weren't noticed in 4.3 as the code isn't used anymore but we remove them here to keep the code consistent across versions. [ISC-Bugs #36451]

Changes since 4.3.0

  • Tidy up several small tickets. Correct parsing of DUID from config file, previously the LL type was put in the wrong place in the DUID string. [ISC-Bugs #20962] Add code to parse "do-forward-updates" as well as "do-forward-update" Thanks to Jiri Popelka at Red Hat. [ISC-Bugs #31328] Remove log_priority as it isn't currently used. [ISC-Bugs #33397] Increase the size of the buffer used for reading interface information. [ISC-Bugs #34858]

  • Remove an extra set of the msg_controllen variable. [ISC-Bugs #21035]

  • Add a more understandable error message if a configuration attempts to add multiple keys for a single zone. Thanks to a patch from Jiri Popelka at Red Hat. [ISC-Bugs #31892]

  • Fix some minor issues in the dst code. [ISC-Bugs #34172]

  • Properly #ifdef functions so that the code can compile without NSUPDATE. [ISC-Bugs #35058]

  • Update the partner's stos (start time of state, basically when we last heard from this partner) field when updating the state in failover. [ISC-Bugs #35549]

  • Modify the overload processing to allow space for the remote agent ID. [ISC-Bugs #35569] Handle the ordering of the SUBNET_MASK option even if it is the last option in the list. [ISC-Bugs #24580]

  • Remove the code that allows a server to follow RFC3315 instead of the subsequent errata from August 2010 when determining which IAs to include if no addresses will be assigned. [ISC-Bugs #28938]

  • Remove unused RCSID tags. [ISC-Bugs #35846]

  • Correct the v6 client timing code. When doing the timing backoff for MRT limit it to MRD. Thanks to Jiri Popelka at Red Hat for the bug report and fix. [ISC-Bugs #21238

  • Add a log entry when killing a client and remove the PID files when a server, relay or client are killed. [ISC-Bugs #16970] [ISC-Bugs #17258]

  • Some minor cleanups in the client code. In addition to checking for dhcpc check for bootpc in the services list. [ISC-Bugs #18933] Correct the client code to only try to get a lease once when the given the "-1" argument. Thanks to Jiri Popelka at Red Hat for the bug report and fix. [ISC-Bugs #26735] When asked for the version don't send the output to syslog. [ISC-Bugs #29772] Add the next server information to the environment variables for use by the client script. In order to avoid changing the client lease file the next server information isn't written to it. Thanks to Tomas Hozza at Red Hat for the suggestion and a prototype fix. [ISC-Bugs #33098]

  • Several updates to the dhcp server code. When not in quiet mode print out the files being used. [ISC-Bugs #17551] As accessing some pid files may require privileges move the dropping of permission bits due to the paranoia patch to be after the pid code. Thanks to Jiri Popelka at Red Hat for the bug report and fix. [ISC-Bugs #25806] When processing a "--version" request don't output the version information to syslog.

  • Add the "enable-log-pid" build option to the configure script. When enabled this causes the client, server and relay programs to include the PID number in syslog messages. Thanks to Marius Tomaschewski for the suggestion and proto-patch. [ISC-Bugs #29713]

  • Add a #define to specify the prefix length used when a client attempts to configure an address. This can be modified by editing includes/site.h. By default it is set to 64. While 128 might be a better choice it would also be a change for currently running systems, so we have left it at 64. [ISC-Bugs #DHCP-2]

  • Add a run time option to the client "-df" to allow the administrator to point to a second lease file the client can search for a DUID. This can be used to allow a v4 and a v6 instance of the client to share a DUID. The second file will only be searched if there isn't a DUID in the main lease file and the DUID will be written out to the main lease file. [ISC-Bugs #34886]

  • Have the client fsync the lease file to avoid lease corruption if the client hibernates or otherwise shuts down. [ISC-Bugs #35894]

  • Add a check for L2VLAN in bpf.c to help support VLAN interfaces Thanks to Steinar Haug for the suggestion. [ISC-Bugs #36033]

  • Modify the handling of the resolv.conf file to allow the DHCP process to start up even if the resolv.conf file has problems. [ISC-Bugs #35989]

  • Add threshold logging functionality. Two new options, log-threshold-low and log-threshold-high, indicate to the server if and when it should log an error message as addresses in a pool are used. [ISC-Bugs #34487]

  • Add code to properly dereference a pointer in the dhclient code on an error condition. [ISC-Bugs #36194]

  • Add code to help clean up soft leases. [ISC-Bugs #36304]

  • Disable the gentle shutdown functionality until we can determine the best way to present it to remove or reduce the side effects. [ISC-Bugs #36066]

Changes since 4.3.0rc1

  • None Changes since 4.3.0b1

  • Tidy up receive packet processing. Thanks to Brad Plank of GTA for reporting the issue and suggesting a possible patch. [ISC-Bugs #34447]

Changes since 4.3.0a1

  • Modify the message displayed when a process hits a fatal error. The new message is much shorter and simply points to the README and our website for directions on bug submissions. [ISC-Bugs #24789]

  • Handle an absent resolv.conf file better. [ISC-Bugs #35194]

Changes since 4.2.0 (new features)

  • If a client renews before 'dhcp-cache-threshold' percent of its lease has elapsed (default 25%), the server will reuse the allocated lease (provide a lease within the currently allocated lease-time) rather than extend or renew the lease. This absolves the server of needing to perform an fsync() operation on the lease database before reply, which improves performance. [ISC-Bugs #22228] Updated this patch to support asynchronous DDNS. If the server is attempting to do DDNS on a lease it should be updated and written to disk even if that wouldn't be necessary due to the thresholding. [ISC-Bugs #26311]

  • The 'no available billing' log line now also logs the name of the last matching billing class tried before failing to provide a billing. [ISC-Bugs #21759]

  • A problem with missing get_hw_addr function when --enable-use-sockets was used is now solved on GNU/Linux, BSD and GNU/Hurd systems. Note that use-sockets feature was not tested on those systems. Client and server code no longer use MAX_PATH constant that is not defined on GNU/Hurd systems. [ISC-Bugs #25979]

  • Add a perl script in the contrib directory, dhcp-lease-list.pl, which can parse v4 lease files and output the lease information in a more human friendly manner. This was written by Christian Hammers with some updates by vom and ISC. This is contributed code and is not supported by ISC; however it may be useful to some users. [ISC-Bugs #20680]

  • Add support in v6 for on-commit, on-expire and on-release. [ISC-Bugs #27912]

  • Add support for using classes with v6. [ISC-Bugs #26510]

  • Update the DDNS code to current standards and allow for sharing of DDNS entries between v4 and v6 clients. The new code is used if the ddns-update-style is set to "standard", the older code is still available if ddns-update-style is set to "interim". The oldest DDNS code "ad-hoc" has been removed. Thanks to Thomas Pegeot who submitted a patch for this issue. This patch is based on that work with some modifications. [ISC-Bugs #21139]

  • Add a configuration option to the server to suppress using fsync(). Enabling this option will mean that fsync() is never called. This may provide better performance but there is also a risk that a lease will not be properly written to the disk after it has been issued to a client and before the server stops. Using this option is not recommended. [ISC-Bugs #34810]

  • Add some logging statements to indicate when the server is ready to serve. One statement is emitted after the server has finished reading its files and is about to enter the dispatch loop. This is "Server starting service.". The second is emitted when a server determines that both it and its failover peer are in the normal state. This is "failover peer : Both servers normal." [ISC-Bugs #33208]

  • Add support for accessing options from v6 relays. The v6relay statement allows the administrator to choose which relay to use when searching for an option, see the dhcp-options man page for a description. The host-identifier option has also been updated to support the use of relay options, see the dhcpd.conf man page for a description. [ISC-Bugs #19598]

  • When doing DDNS if there isn't an appropriate zone statement attempt to find a reasonable nameserver via a DNS resolver. This restores some functionality that was lost in the transition to asynchronous DDNS. Due to the lack of security and increase in fragility of the system when using this feature we strongly recommend the use of appropriate zone statements rather than using this functionality. [ISC-Bugs #30461]

  • Add support for specifying the address from which to send DDNS updates on the DHCP server. There are two new options "ddns-local-address4" and "ddns-local-address6" that each take one instance of their respective address types. [ISC-Bugs #34779]

  • Add ignore-client-uids option in the server. This option causes the server to not record a client's uid in its lease. This violates the specification but may also be useful when a client can dual boot using different client ids but the same mac address. Thank you to Brian De Wolf at Cal Poly Pomona for the patch. [ISC-Bugs #32427] [ISC-Bugs #35066]

  • Extend the DHCPINFORM processing to honor the subnet selection option and take host declarations into account. Thanks to Christof Chen for testing and submitting the patch. [ISC-Bugs #35015]

  • Extend the hardware expression to look into the lease structure for a hardware address if there is no packet. This allows the server to find the hardware address during on-expiry processing. [ISC-Bugs #24584]

  • Add definitions for some options that have been specified by the IETF. [ISC-Bugs #29268] [ISC-Bugs #35198]

Changes since 4.2.0 (bug fixes)

  • When using 'ignore client-updates;', the FQDN returned to the client is no longer truncated to one octet.

  • Cleaned up an unused hardware address variable in nak_lease().

  • Manpage entries for the ia-pd and ia-prefix options were updated to reflect support for prefix delegation.

  • Cleaned up some compiler warnings

  • An optimization described in the failover protocol draft is now included, which permits a DHCP server operating in communications-interrupted state to 'rewind' a lease to the state most recently transmitted to its peer, greatly increasing a server's endurance in communications-interrupted. This is supported using a new 'rewind state' record on the dhcpd.leases entry for each lease.

  • Fix the trace code which was broken by the changes to the DDNS code.

  • Update the fsync code to work with the changes to the DDNS code. It now uses a timer instead of noticing if there are no more packets to process.

  • When constructing the DNS name structure from a text string append the root to relative names. This satisfies a requirement in the DNS library that names be absolute instead of relative and prevents DHCP from crashing. [ISC-Bugs #21054]

  • "The LDAP Patch" that has been circulating for some time, written by Brian Masney and S.Kalyanasundraram and maintained for application to the DHCP-4 sources by David Cantrell has been included. Please be advised that these sources were contributed, and do not yet meet the high standards we place on production sources we include by default. As a result, the LDAP features are only included by using a compile-time option which defaults off, and if you enable it you do so under your own recognizance. We will be improving this software over time. [ISC-Bugs #17741]

  • Prohibit including lease time information in a response to a DHCP INFORM. [ISC-Bugs #21092]

! Accept a client id of length 0 while hashing. Previously the server would exit if it attempted to hash a zero length client id, providing attackers with a simple denial of service attack. [ISC-Bugs #21253] CERT: VU#541921 - CVE: CVE-2010-2156

  • A memory leak in ddns processing was closed. [ISC-Bugs #21377]

  • Modify the exception handling for initial context creation. Previously we would try and clean up before exiting. This could present problems when the cleanup required part of the context that wasn't available. It also didn't do much as we exited afterwards anyway. Now we simply log the error and exit. [ISC-Bugs #21093]

  • A bug was fixed that could cause the DHCPv6 server to advertise/assign a previously allocated (active) lease to a client that has changed subnets, despite being on different shared networks. Dynamic prefixes specifically allocated in shared networks also now are not offered if the client has moved. [ISC-Bugs #21152]

  • Add some debugging output for use with the DDNS code. [ISC-Bugs #20916]

  • Fix the trace code to handle timing events better and to truncate a file before using instead of overwriting it. [ISC-Bugs #20969]

  • Modify the determination of the default TTL to use for DDNS updates. The user may still configure the ttl via ddns-ttl. The default for both v4 and v6 is now 1/2 the (preferred) lease time with a limit. The previous defaults (1/2 lease time without a limit for v4 and a default value for v6) may be used by defining USE_OLD_DDNS_TTL in site.h [ISC-Bugs #21126]

  • libisc/libdns is now brought up to version 9.7.1rc1. This corrects three reported flaws in ISC DHCP;

    o DHCP processes (dhcpd, dhclient) fail to start if one of either the IPv4 or IPv6 address families is not present. [ISC-Bugs #21122]

    o Assertion failure when attempting to cancel a previously running DDNS update. [ISC-Bugs #21133]

    o Compilation failure of libisc/libdns due to the use of a flexible array member. [ISC-Bugs #21316]

  • Add declaration for variable in debug code in alloc.c. [ISC-Bugs #21472]

  • Documentation cleanup covering multiple tickets [ISC-Bugs #20265] [ISC-Bugs #20259] minor cleanup [ISC-Bugs #20263] add text describing some default values [ISC-Bugs #20193] single quotes at the start of a line indicate a control line to nroff, escape them if we actually want a quote. [ISC-Bugs #18916] sync the pointer to web pages amongst the different docs

  • 'get-host-names true;' now also works even if 'use-host-decl-names true;' was also configured. The nature of this repair also fixes another error; the host-name supplied by a client is no longer overridden by a reverse lookup of the lease address. Thanks to a patch from Wilco Baan Hofman supplied to us by the Debian package maintenance team. [ISC-Bugs #21691] {Debian Bug#509445}

  • The .TH tag for the dhcp-options manpage was typo repaired thanks to a report from jidanni and the Debian package maintenance team. [ISC-Bugs #21676] {Debian Bug#563613}

  • More documentation changes - primarily to put the options in the dhclient and dhcpd man pages into the standard form. Thanks in part to a patch from David Cantrell at Red Hat. [ISC-Bugs #20264] and parts of [ISC-Bugs #17744] dhclient.8 changes

  • Add code to clear the pointer to an object in an OMAPI handle when the object is freed due to a dereference. [ISC-Bugs #21306]

  • Fixed a bug that leaks host record references onto lease structures, causing the server to apply configuration intended for one host to any other innocent clients that come along later. [ISC-Bugs #22018]

  • Minor code fixes [ISC-Bugs #19566] When trying to find the zone for a name for ddns allow the name to be at the apex of the zone. [ISC-Bugs #19617] Restrict length of interface name read from command line in dhcpd - based on a patch from David Cantrell at Red Hat. [ISC-Bugs #20039] Correct some error messages in dhcpd.c [ISC-Bugs #20070] Better range check on values when creating a DHCID. [ISC-Bugs #20198] Avoid writing past the end of the field when adding overly long file or server names to a packet and add a log message if the configuration supplied overly long names for these fields. Thanks to Martin Pala. [ISC-Bugs #21497] Add a little more randomness to rng seed in client thanks to a patch from Jeremiah Jinno.

  • Correct error handling in DLPI [ISC-Bugs #20378]

  • Remove sun and hpux typedefs in osdep.h as they are now being checked in configure. [ISC-Bugs #20443]

  • Modify how the cmsg header is allocated the v6 send and received routines to compile on more compilers. [ISC-Bugs #20524]

  • When parsing a domain name free the memory for the name after we are done with it. [ISC-Bugs #20824]

  • Add an elapsed time option to the release message and refactor the code to move most of the common code to a single routine. [ISC-Bugs #21171].

  • Two identical log messages for commit_leases() have been disambiguated. [ISC-Bugs #18915]

  • Parse date strings more properly - the code now handles semi-colons in date strings correctly. Thanks to a patch from Jiri Popelka at Red Hat. [ISC-Bugs #21501, #20598]

  • Fixes to lease input and output. [ISC-Bugs #20418] - Some systems don't support the "%s" argument to strftime, paste together the same string using mktime instead. [ISC-Bugs #19596] - When parsing iaid values accept printable characters. [ISC-Bugs #21585] - Always print time values in omshell as hex instead of ascii if the values happen to be printable characters.

  • Minor changes for scripts, configure.ac and Makefiles [ISC-Bugs #19147] Use domain-search instead of domain-name in manual and example conf file. Thanks to a patch from David Cantrell at Red Hat. [ISC-Bugs #19761] Restore address when doing a rebind in DHCPv6 [ISC-Bugs #19945] Properly close the quote on some arguments. [ISC-Bugs #20952] Add 64 bit types to configure.ac [ISC-Bugs #21308] Add "PATH=" to CLIENT_PATH environment variable

  • Update the code to parse dhcpv6 lease files to accept a semi-colon at the end of the max-life and preferred-life clauses. In order to be backwards compatible with older lease files not finding a semi-colon is also accepted. [ISC-Bugs #22303].

! Handle a relay forward message with an unspecified address in the link address field. Previously such a message would cause the server to crash. Thanks to a report from John Gibbons. [ISC-Bugs #21992] CERT: VU#102047 CVE: CVE-2010-3611

  • ./configure on longer searches for -lcrypto to explicitly link against. This fixes a bug where 'dhclient' would have shared library dependencies on '/usr/lib'. [ISC-Bugs #21967]

  • Handle pipe failures more gracefully. Some OSes pass a SIGPIPE signal to a process and will kill the process if the signal isn't caught. This patch adds code to turn off the SIGPIPE signal via a setsockopt() call. The signal is already being ignored as part of the ISC library. [ISC-Bugs #22269]

  • Restore printing of values in omshell to the style pre 21585. For 21585 we changed the print routines to always display time values as a hex list. This had a side effect of printing all data strings as a hex list. We shall investigate other ways of displaying time values more usefully. [ISC-Bugs #22626]

! Fix the handling of connection requests on the failover port. Previously a connection request from a source that wasn't listed as a failover peer would cause the server to become non-responsive. Thanks to a report from Brad Bendily, brad@bendily.com. [ISC-Bugs #22679] CERT: VU#159528 CVE: CVE-2010-3616

  • Don't pass the ISC_R_INPROGRESS status to the omapi signal handlers. Passing it through to the handlers caused the omshell program to fail to connect to the server. [ISC-Bugs #21839]

  • Fix the parenthesis in the code to process configuration statements beginning with "auth". The previous arrangement caused "auto-partner-down" to be processed incorrectly. [ISC-Bugs #21854]

  • Limit the timeout period allowed in the dispatch code to 2^^32-1 seconds. Thanks to a report from Jiri Popelka at Red Hat. [ISC-Bugs #22033], [Red Hat Bug #628258]

  • When processing the format flags for a given option consume the flag indicating an optional value correctly. A symptom of this bug was an infinite loop when trying to parse the slp-service-scope option. Thanks to a patch from Marius Tomaschewski. [ISC-Bugs #22055]

  • Disable the use of kqueue in the ISC library. This avoids a problem between the fork and socket code that caused the dhcpd process to use all available cpu if the program daemonized itself. [ISC-Bugs #21911]

! When processing a request in the DHCPv6 server code that specifies an address that is tagged as abandoned (meaning we received a decline request for it previously) don't attempt to move it from the inactive to active pool as doing so can result in the server crashing on an assert failure. Also retag the lease as active and reset its timeout value. [ISC-Bugs #21921]

  • Removed the restriction on using IPv6 addresses in IPv4 mode. This allows IPv4 options which contain IPv6 addresses to be specified. For example the 6rd option can be specified and used like this: [ISC-Bugs #23039]

option 6rd code 212 = { integer 8, integer 8, ip6-address, array of ip-address }; option 6rd 16 10 2001:: 1.2.3.4, 5.6.7.8;

  • Handle some DDNS corner cases better. Maintain the DDNS transaction information when updating a lease and cancel any existing transactions when removing the ddns information. [ISC-Bugs #23103]

  • Some fixes for LDAP [ISC-Bugs #21783] - Include lber library when building ldap [ISC-Bugs #22888] - Enable the ldap code when buidling common The above fixes are from Jiri Popelka at Red Hat.

  • Modify the dlpi code to accept getmsg() returning a positive value. [ISC-Bugs #22824]

! In dhclient check the data for some string options for reasonableness before passing it along to the script that interfaces with the OS. [ISC-Bugs #23722] CVE: CVE-2011-0997

  • DHCPv6 server now responds properly if client asks for a prefix that is already assigned to a different client. [ISC-Bugs #23948]

  • Add the option "--no-pid" to the client, relay and server code, to disable writing a pid file. Add the option "-pf pidfile" to the relay to allow the user to supply the pidfile name at runtime. Add the "with-relay6-pid-file" option to configure to allow the user to supply the pidfile name for the relay in v6 mode at configure time. [ISC-Bugs #23351] [ISC-Bugs #17541]

  • 'dhclient' no longer waits a random interval after first starting up to begin in the INIT state. This conforms to RFC 2131, but elects not to implement a 'SHOULD' direction in section 4.1. The goal of this change is to start up faster. [ISC-Bugs #19660]

  • Added 'initial-delay' parameter that specifies maximum amount of time before client goes to the INIT state. The default value is 0. In previous versions of the code client could wait up to 5 seconds. The old behavior may be restored by using 'initial-delay 5;' in the client config file. [ISC-Bugs #19660]

  • ICMP ping-check should now sit closer to precisely the number of seconds configured (or default 1), due to making use of the new microsecond scale timer internally to dhcpd. This corrects a bug where the server may immediately timeout an ICMP ping-check if it was made late in the current second. [ISC-Bugs #19660]

  • The DHCP client will schedule renewal and rebinding events in microseconds if the DHCP server provided a lease-time that would result in sub-1-second timers. This corrects a bug where a 2-second or lower lease-time would cause the DHCP client to enter an infinite loop by scheduling renewal at zero seconds. [ISC-Bugs #19660]

  • Client lease records are recorded at most once every 15 seconds. This keeps the client from filling the lease database disk quickly on very small lease times. [ISC-Bugs #19660]

  • To defend against RFC 2131 non-compliant DHCP servers which fail to advertise a lease-time (either mangled, or zero in value) the DHCP client now adds the server to the reject list ACL and returns to INIT state to hopefully find an RFC 2131 compliant server (or retry in INIT forever). [ISC-Bugs #19660]

  • Parameters configured to evaluate from user defined function calls can now be correctly written to dhcpd.leases (as on 'on events' or dynamic host records inserted via OMAPI). [ISC-Bugs #22266]

  • If a 'next-server' parameter is configured in a dynamic host record via OMAPI as a domain name, the syntax written to disk is now correctly parsed upon restart. [ISC-Bugs #22266]

  • The DHCP server now responds to DHCPLEASEQUERY messages from agents using IP addresses not covered by a subnet in configuration. Whether or not to respond to such an agent is still governed by the 'allow leasequery;' configuration parameter, in the case of an agent not covered by a configured subnet the root configuration area is examined. Server now also returns vendor-class-id option, if client sent it. [ISC-Bugs #21094]

  • Documentation fixes [ISC-Bugs #17959] add text to AIX section describing how to have it send responses to the all-ones address. [ISC-Bugs #19615] update the includes in dhcpctl/dhcpctl.3 to be more correct [ISC-Bugs #20676] update dhcpd.conf.5 to include the RFC numbers for DDNS

  • Relay no longer crashes, when DHCP packet is received over interface without any IPv4 address assigned. Also extended logging message about discarding packets with invalid hlen with information about relevant interface name. [ISC-Bugs #22409]

  • Relay now properly logs that packet was received over interface without global IPv6 address [ISC-Bugs #24070]

  • Linux Packet Filter interface improvement. sockaddr_pkt structure is used, rather than sockaddr. Packet ethertype is now forced to ETH_P_IP. [ISC-Bugs #18975]

  • Minor code cleanups - but note port change for #23196 [ISC-Bugs #23470] - Modify when an ignore return macro is defined to handle unsed error return warnings for more versions of gcc. [ISC-Bugs #23196] - Modify the reply handling in the server code to send to a specified port rather than to the source port for the incoming message. Sending to the source port was test code that should have been removed. The previous functionality may be restored by defining REPLY_TO_SOURCE_PORT in the includes/site.h file. We suggest you don't enable this except for testing purposes. [ISC-Bugs #22695] - Close a file descriptor in an error path. [ISC-Bugs #19368] - Tidy up variable types in validate_port.

  • Code cleanup: remove obsolete PROTO, KandR, INLINE and ANSI_DECL macros [ISC-Bugs #13151]

  • Compilation problem with gcc4.5 and omshell.c resolved. [ISC-Bugs #23831]

  • Client Script fixes [ISC-Bugs #23045] Typos in client/scripts/openbsd [ISC-Bugs #23565] In the client scripts add a zone id (interface id) if the domain search address is link local. [ISC-Bugs #1277] In some of the client scripts add code to handle the case of the default router information being changed without the address being changed.

  • Documentation cleanup [ISC-Bugs #23326] Updated References document, several man page updates

  • Server no longer complains about NULL pointer when configured server-identifier expression fails to evaluate. [ISC-Bugs #24547]

  • Convert ISC_R_INPROGRESS status to ISC_R_SUCCESS when called from other than the dispatch handler. This fixes an issue where omshell, when run from the same platform as the server, would appear to fail to connect. This is a companion to #21839. [ISC-Bugs #23592]

  • Enlarge the buffer size used by the Omshell code and some of the print routines to allow for greater than 60 characters or, when printing as hex strings, 20 characters. [ISC-Bugs #22743]

  • In Solaris 11 switch to using sockets instead of DLPI, thanks to a patch form Oracle. [ISC-Bugs #24634].

  • Strict checks for content of domain-name DHCPv4 option can now be configured during compilation time. Even though RFC2132 does not allow to store more than one domain in domain-name option, such behavior is now enabled by default, but this may change some time in the future. See ACCEPT_LIST_IN_DOMAIN_NAME define in includes/site.h. [ISC-Bugs #24167]

  • DNS Update fix. A misconfigured server could crash during DNS update processing if the configuration included overlapping pools or multiple fixed-address entries for a single address. This issue affected both IPv4 and IPv6. The fix allows a server to detect such conditions, provides the user with extra information and recommended steps to fix the problem. If the user enables the appropriate option in site.h then server will be terminated [ISC-Bugs #23595]

! Two packets were found that cause a server to halt. The code has been updated to properly process or reject the packets as appropriate. Thanks to David Zych at University of Illinois for reporting this issue. [ISC-Bugs #24960] One CVE number for each class of packet. CVE-2011-2748 CVE-2011-2749

  • Fix the code that checks for an existing DDNS transaction to cancel when removing DDNS information, so that we will continue with the processing if we have a lease even if it doesn't have an outstanding transaction. [ISC-Bugs #24682]

  • Add AM_MAINTAINER_MODE to configure.ac to avoid rebuilding configuration files. [ISC-Bugs #24107]

  • Add support for passing DDNS information to a DNS server over an IPv6 address. [ISC-Bugs #22647]

  • Enhanced patch for 23595 to handle IPv4 fixed addresses more cleanly. [ISC-Bugs #23595]

! Add a check for a null pointer before calling the regexec function. Without this check we could, under some circumstances, pass a null pointer to the regexec function causing it to segfault. Thanks to a report from BlueCat Networks. [ISC-Bugs #26704]. CVE: CVE-2011-4539

! Modify the DDNS handling code. In a previous patch we added logging code to the DDNS handling. This code included a bug that caused it to attempt to dereference a NULL pointer and eventually segfault. While reviewing the code as we addressed this problem, we determined that some of the updates to the lease structures would not work as planned since the structures being updated were in the process of being freed: these updates were removed. In addition we removed an incorrect call to the DDNS removal function that could cause a failure during the removal of DDNS information from the DNS server. Thanks to Jasper Jongmans for reporting this issue. [ISC-Bugs #27078] CVE: CVE-2011-4868

  • Fixed the code that checks if an address the server is planning to hand out is in a reserved range. This would appear as the server being out of addresses in pools with particular ranges. [ISC-Bugs #26498]

  • In the DDNS code handle error conditions more gracefully and add more logging code. The major change is to handle unexpected cancel events from the DNS client code. [ISC-Bugs #26287]

  • Tidy up the receive calls and eliminate the need for found_pkt. [ISC-Bugs #25066]

  • Add support for Infiniband over sockets to the server and relay code. We've tested this on Solaris and hope to expand support for Infiniband in the future. This patch also corrects some issues we found in the socket code. [ISC-Bugs #24245]

  • Add a compile time check for the presence of the noreturn attribute and use it for log_fatal if it's available. This will help code checking programs to eliminate false positives. [ISC-Bugs #27539]

  • Fixed many compilation problems ("set, but not used" warnings) for gcc 4.6 that may affect Ubuntu 11.10 users. [ISC-Bugs #27588]

  • Modify the code that determines if an outstanding DDNS request should be cancelled. This patch results in cancelling the outstanding request less often. It fixes the problem caused by a client doing a release where the TXT and PTR records weren't removed from the DNS. [ISC-BUGS #27858]

  • Use offsetof() instead of sizeof() to get the sizes for dhcpv6_relay_packet and dhcpv6_packet in several more places. Thanks to a report from Bruno Verstuyft and Vincent Demaertelaere of Excentis. [ISC-Bugs #27941]

  • Remove outdated note in the description of the bootp keyword about the option not satisfying the requirement of failover peers for denying dynamic bootp clients. [ISC-bugs #28574]

  • Multiple items to clean up IPv6 address processing. When processing an IA that we've seen check to see if the addresses are usable (not in use by somebody else) before handing it out. When reading in leases from the file discard expired addresses. When picking an address for a client include the IA ID in addition to the client ID to generally pick different addresses for different IAs. [ISC-Bugs #23138] [ISC-Bugs #27945] [ISC-Bugs #25586] [ISC-Bugs #27684]

  • Remove unnecessary checks in the lease query code and clean up several compiler issues (some dereferences of NULL and treating an int as a boolean). [ISC-Bugs #26203]

  • Fix the NA and PD allocation code to handle the case where a client provides a preference and the server doesn't have any addresses or prefixes available. Previously the server ignored the request with this patch it replies with a NoAddrsAvail or NoPrefixAvail response. By default the code performs according to the errata of August 2010 for RFC 3315 section 17.2.2; to enable the previous style see the section on RFC3315_PRE_ERRATA_2010_08 in includes/site.h. This option may be removed in the future. Thanks to Jiri Popelka at Red Hat for the patch. [ISC-Bugs #22676]

  • Fix up some issues found by static analysis. A potential memory leak and NULL dereference in omapi. The use of a boolean test instead of a bitwise test in dst. [ISC-Bugs #28941]

  • Rotate the lease file when running in v6 mode. Thanks to Christoph Moench-Tegeder at Astaro for the report and the first version of the patch. [ISC-Bugs #24887]

  • Correct code to calculate timing values in client to compare rebind value to infinity instead of renew value. Thanks to Chenda Huang from H3C Technologies Co., Limited for reporting this issue. [ISC-Bugs #29062]

  • Fix some issues in the code for parsing and printing options. [ISC-Bugs #22625] - properly print options that have several fields followed by an array of something for example "fIa" [ISC-Bugs #27289] - properly parse options in declarations that have several fields followed by an array of something for example "fIa" [ISC-Bugs #27296] - properly determine if we parsed a 16 or 32 bit value in evaluate_numeric_expression (extract-int). [ISC-Bugs #27314] - properly parse a zero length option from a lease file. Thanks to Marius Tomaschewski from SUSE for the report and prototype patch for this ticket as well as ticket 27289.

! Previously the server code was relaxed to allow packets with zero length client ids to be processed. Under some situations use of zero length client ids can cause the server to go into an infinite loop. As such ids are not valid according to RFC 2132 section 9.14 the server no longer accepts them. Client ids with a length of 1 are also invalid but the server still accepts them in order to minimize disruption. The restriction will likely be tightened in the future to disallow ids with a length of 1. Thanks to Markus Hietava of Codenomicon CROSS project for the finding this issue and CERT-FI for vulnerability coordination. [ISC-Bugs #29851] CVE: CVE-2012-3571

! When attempting to convert a DUID from a client id option into a hardware address handle unexpected client ids properly. Thanks to Markus Hietava of Codenomicon CROSS project for the finding this issue and CERT-FI for vulnerability coordination. [ISC-Bugs #29852] CVE: CVE-2012-3570

! A pair of memory leaks were found and fixed. Thanks to Glen Eustace of Massey University, New Zealand for finding this issue. [ISC-Bugs #30024] CVE: CVE-2012-3954

  • Existing legacy unit-tests have been migrated to Automated Test Framework (ATF). Several new tests have been developed. To enable unit-tests, please use --with-atf in configure script. A Developer's Guide has been added. To generate it, please use make devel in the doc directory. It is currently in early stages of development, but is expected to grow in the near future. [ISC-Bugs 25901]

! An issue with the use of lease times was found and fixed. Making certain changes to the end time of an IPv6 lease could cause the server to abort. Thanks to Glen Eustace of Massey University, New Zealand for finding this issue. [ISC-Bugs #30281] CVE: CVE-2012-3955

  • Update the memory leakage debug code to work with v6. [ISC-Bugs #30297]

  • Relax the requirements for deleting an A or AAAA record. Previously the DDNS removal code required both the A or AAAA record and the TXT record to exist. This requirement could cause problems if something interrupted the removal leaving the TXT record alone. This relaxation was codified in RFC 4703. [ISC-Bugs #30734]

  • Modify the failover code to handle incorrect peer names better. Previously the structure holding the name might have been freed inappropriately in some cases and not freed in other cases. [ISC-Bugs #30320]

  • Add a configure option, enable-secs-byteorder, to deal with clients that do the byte ordering on the secs field incorrectly. This field should be in network byte order but some clients get it wrong. When this option is enabled the server will examine the secs field and if it looks wrong (high byte non zero and low byte zero) swap the bytes. The default is disabled. This option is only useful when doing load balancing within failover. [ISC-Bugs #26108]

  • Fix a set of issues that were discovered via a code inspection tool. Thanks to Jiri Popelka and Tomas Hozza Red Hat for the logs and patches. [ISC-Bugs #23833]

  • Parsing unquoted base64 strings improved. Parser now properly handles strings that contain reserved names. [ISC-Bugs #23048]

  • Modify the nak_lease function to make some attempts to find a server-identifier option to use for the NAK. [ISC-Bugs #25689]

  • The client now passes information about the options it requested from the server to the script code via environment variables. These variables are of the form requested_<option_name>=1 with the option name being the same as used in the new_* and old_* variables. [ISC-Bugs #29068]

  • Add support for a simple check that the server id in a request message to a failover peer matches the server id of the server. This support is enabled by editing the file includes/site.h and uncommenting the definition for SERVER_ID_CHECK. The option has several restrictions and issues - please read the comment in the site.h file before enabling it. [ISC-Bugs #31463]

  • Tidy up some compiler issues in the debug code. [ISC-Bugs #26460]

  • Move the dhcpd.conf example file to dhcpd.conf.example to avoid overwriting the dhcpd.conf file when installing a new version of ISC DHCP. The user will now need to manual copy and edit the dhcpd.conf file as desired. [ISC-Bugs #19337]

  • Check the status value when trying to read from a connection to see if it may have been closed. If it appears closed don't try to read from it again. This avoids a potential busy-wait like loop when the peer names are mismatched. [ISC-Bugs #31231]

  • Remove an unused variable to keep compilers happy. [ISC-Bugs #31983]

  • Modify test makefiles to be more similar to standard makefiles and comment out a currently unused test. [ISC-Bugs #32089]

  • Address static analysis warnings. [ISC-Bugs #33510] [ISC-Bugs #33511]

  • Silence benign static analysis warnings. [ISC-Bugs #33428]

  • Add check for 64-bit package for atf. [ISC-Bugs #32206]

  • Use newer auto* tool packages and turn on RFC_3542 support on Mac OS. [ISC-Bugs #26303]

  • Remove a variable when it isn't being used due to #ifdefs to avoid a compiler warning on Solaris using GCC. [ISC-Bugs #33032]

  • Add a check for too much whitespace in a config or lease file. Thanks to Paolo Pellegrino for finding the issue and a suggestion for the patch. [ISC-Bugs #33351]

  • Fix several problems with using OMAPI to manipulate class and subclass objects. [ISC-Bugs #27452]

  • Added a sleep call after killing the old client to allow time for the sockets to be cleaned. This should allow the -r option to work more consistently. [ISC-Bugs #18175]

  • Missing files for ISC DHCP Developer's Guide are now included in the release tarballs. To generate this documentation, please use make devel command in doc directory. [ISC-Bugs #32767]

  • Update client script for use with openwrt. [ISC-Bugs #29843]

  • Fix the socket handling for DHCPv6 clients to allow multiple instances of a client on a single machine to work properly. Previously only one client would receive the packets. Thanks to Jiri Popelka at Red Hat for the bug report and a potential patch. [ISC-Bugs #34784]

  • Added support for gentle shutdown after signal is received. [ISC-Bugs #32692] [ISC-Bugs 34945]

  • Enhance the DHCPv6 server logging to include the addresses that are assigned to the clients. [ISC-Bugs #26377]

  • Fix an operation in the DDNS code to be a bitwise instead of logical or. [ISC-Bugs #35138]

Changes since 4.1.0 (new features)

  • Failover port configuration can now be left to defaults (port 647) as described in the -12 revision of the Failover draft (and assigned by IANA). Thanks in part to a patch from David Cantrell at Red Hat.

  • If configured, dhclient may now transmit to an anycast MAC address, rather than using a broadcast address. Thanks to a patch from David Cantrell at Red Hat.

  • Added client support for setting interface MTU and metric, thanks to Roy "UberLord" Marples roy@marples.name.

  • Added client -D option to specify DUID type to send.

  • A new failover configuration parameter has been introduced for those environments where DHCP servers can be reasonably guaranteed to be "down" when the failover TCP socket is severed, "auto-partner-down". This parameter is not generally safe, and by default is disabled, so please carefully review the documentation of this parameter in the dhcpd.conf(5) manpage before determining to use it yourself.

  • Added a configuration function, 'gethostname()', which calls the system function of the s`

© 2001-2018 Internet Systems Consortium For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership. ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

Problems with this site? Email us at marketing@isc.org