Dear colleagues,

We have made available the new release of RIPE Perl database software at
our ftp site. You can find it at

  ftp://ftp.ripe.net/ripe/dbase/software/ripe-dbase-2.3.2.tar.gz

Please find attached notes of the new release. Please note that
CLIENTADDRESS type of referral can be used in our production server
readily.

Best regards,
RIPE NCC DB Group

-----------------

RELEASE NOTES for RIPE Database 2.3.2

This is mainly a bugfix release, without major new features added.
There are also a few maintenance and performance-related changes,
and an important security fix.

SUPPORTED SYSTEMS

This release has been tested with perl 5.00502 on BSDI3.1 and
perl 5.00404 on Solaris 2.6 systems. Please let us know if you have
problems running it on other systems.

NEW FEATURES

- New type of referral: CLIENTADDRESS

  o A fourth kind of referral is defined, CLIENTADDRESS (the other
    three were RIPE, INTERNIC and SIMPLE).

  o The IP address of the client is sent to the referred whois server
    if the referral type is CLIENTADDRESS.

  o The IP address is sent using the -V flag. The version and the
    IP address will be separated by a comma
    (e.g., -Vripe2.3.1,193.140.45.45).

  o No other flag will be forwarded to the referred whois server.

  o When the server gets such a request, it checks the IP number of
    the server which does the referral against a list of authorized
    whois servers. If it is not in the list, the request will be
    rejected. The list is named AUTHORIZEDFORREFERRAL in the
    configuration.

  o Then, the IP address of the client is extracted from the -V flag
    string and is treated as if it were the IP address of a directly
    querying whois client (i.e., it is checked against the
    DENYWHOISACCESS list).

MAINTENANCE RELATED CHANGES

- Introduced some debugging functionality:
  WHOISDSTAT - creation of files describing the activity of whoisd
  query processes. Those are normally deleted if the whoisd exits the
  normal way. WHOISDSTAT is a base filename for those files.
- Introduced some limitation on bad clients:
  QUERYLOOPLIMIT defines a limit for '-k' connections. If more than
  so many queries for the same search term are detected, QUERYLOOPTXT
  is printed and the connection is closed. Mainly meant to protect
  against ptraceroute parsing broken as-macros.

SECURITY FIXES

- On February 2, 2000, we got a report of a possible buffer overflow
  in whoisd. An extremely long and specific query, such as the
  following:

    % whois `perl -e '{print "0." x 20000}'`@joshua.ripe.net

  (query example from a Linux host; it does not work, of course, if
  the client has built-in query size limits)

  caused the forked server process to crash with a segmentation fault.
  We immediately introduced a patch on whoisd.pl, truncating the
  queries to 255 characters immediately after they are read.

BUG FIXES

- cross-misc: now the sender of cross-notifications is set to
  HUMAILBOX.

- whoisd.pl:

  o The text for DENIED connection was mistakenly printed on STDOUT.

  o The timeout handler would wait infinitely to print a message about
    closing the connection. Now an alarm has been set up to stop it;
    the message can be printed to the WHOISDSTAT file if active.

PERFORMANCE FIXES

- addkey: The overflow file handling has been modified, so that it
  would use a smaller amount of memory.
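
The following is an added sketch, not code from the ripe-dbase distribution, of the order of checks these notes describe: truncate the query to 255 characters, accept a client address in -V only from a host in AUTHORIZEDFORREFERRAL, then apply DENYWHOISACCESS to the resulting client. The subroutine names, the exact-match address lists and all sample addresses except the one quoted in the notes are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample configuration. Exact-match address lists are an assumption;
# the release notes do not show the real format of these settings.
my %AUTHORIZEDFORREFERRAL = map { $_ => 1 } ('192.0.2.10');
my %DENYWHOISACCESS       = map { $_ => 1 } ('198.51.100.66');
my $MAXQUERY = 255;    # truncation length from the SECURITY FIXES entry

# Hypothetical helper: strict dotted-quad check for the forwarded address.
sub valid_ipv4 {
    my ($ip) = @_;
    my @octets = $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return 0;
    return (grep { $_ > 255 } @octets) ? 0 : 1;
}

# Hypothetical screening routine: returns (verdict, effective client, query).
sub screen_query {
    my ($peer_ip, $raw) = @_;
    my $query = substr($raw, 0, $MAXQUERY);    # truncate right after reading
    $query =~ s/[\r\n]+\z//;
    my $client = $peer_ip;                     # default: a direct client
    # "-V<version>,<address>" marks a CLIENTADDRESS referral.
    if ($query =~ /(?:\A|\s)-V[^\s,]*,(\S+)/) {
        my $forwarded = $1;
        return ('REJECT referrer not authorized', $peer_ip, $query)
            unless $AUTHORIZEDFORREFERRAL{$peer_ip};
        return ('REJECT malformed client address', $peer_ip, $query)
            unless valid_ipv4($forwarded);
        $client = $forwarded;                  # now treated as the querying client
    }
    return ('DENY', $client, $query) if $DENYWHOISACCESS{$client};
    return ('ALLOW', $client, $query);
}

# Constructed inputs: direct client, authorized referral for a denied client,
# unauthorized host claiming a client address, oversized query.
my @cases = (
    ['203.0.113.5', "AS3333\n"],
    ['192.0.2.10',  "-Vripe2.3.1,198.51.100.66 AS3333\n"],
    ['203.0.113.5', "-Vripe2.3.1,193.140.45.45 AS3333\n"],
    ['203.0.113.5', ('0.' x 20000) . "\n"],
);
for my $c (@cases) {
    my ($verdict, $client, $query) = screen_query(@$c);
    printf "%-12s %-32s client=%-14s len=%d\n", $c->[0], $verdict, $client, length $query;
}
```

The referrer check runs before the forwarded address is used, so a host outside AUTHORIZEDFORREFERRAL cannot supply a client address of its choosing to get around DENYWHOISACCESS.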