import bind-9.11.26-6.el8
							parent
							
								
									13a88ee223
								
							
						
					
					
						commit
						a192d46b4a
					
				
							
								
								
									
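--- a/SOURCES/bind-9.11-CVE-2021-25214.patch
+++ b/SOURCES/bind-9.11-CVE-2021-25214.patch
@@ -0,0 +1,44 @@
+From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 3 Feb 2021 11:10:20 +1100
+Subject: [PATCH] Check SOA owner names in zone transfers
+
+An IXFR containing SOA records with owner names different than the
+transferred zone's origin can result in named serving a version of that
+zone without an SOA record at the apex.  This causes a RUNTIME_CHECK
+assertion failure the next time such a zone is refreshed.  Fix by
+immediately rejecting a zone transfer (either an incremental or
+non-incremental one) upon detecting an SOA record not placed at the apex
+of the transferred zone.
+---
+ lib/dns/xfrin.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index 3a3f407289..0ba82e4974 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+ 	    dns_rdatatype_ismeta(rdata->type))
+ 		FAIL(DNS_R_FORMERR);
+ 
++	/*
++	 * Immediately reject the entire transfer if the RR that is currently
++	 * being processed is an SOA record that is not placed at the zone
++	 * apex.
++	 */
++	if (rdata->type == dns_rdatatype_soa &&
++	    !dns_name_equal(&xfr->name, name)) {
++		char namebuf[DNS_NAME_FORMATSIZE];
++		dns_name_format(name, namebuf, sizeof(namebuf));
++		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
++			  namebuf);
++		FAIL(DNS_R_NOTZONETOP);
++	}
++
+  redo:
+ 	switch (xfr->state) {
+ 	case XFRST_SOAQUERY:
+-- 
+2.26.3
+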
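Review bot: The owner-name mismatch that now aborts the transfer is logged only at ISC_LOG_DEBUG(3) in the added xfrin_log() call, so at default log levels an operator sees just the generic failure that FAIL(DNS_R_NOTZONETOP) presumably produces, without the offending owner name; since an off-apex SOA inside an AXFR/IXFR means either a broken primary or a hostile one, consider `xfrin_log(xfr, ISC_LOG_INFO, "SOA name mismatch: '%s'", namebuf);` or, if the debug level is deliberate, say so in the comment. The check sits before `redo:` and the state switch, so it applies in every transfer state, which matches the description. xfr_rr begins and ends outside this hunk, so whether FAIL() itself logs the result code cannot be confirmed here. Separately, the spec comment for this patch cites upstream commit dfadbc9d7b48 while the patch header carries 4eff09c6b1e5; if one is the 9.11 cherry-pick of the other, noting that in the spec keeps the backport's provenance auditable.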
							
								
								
									
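--- a/SOURCES/bind-9.11-CVE-2021-25215.patch
+++ b/SOURCES/bind-9.11-CVE-2021-25215.patch
@@ -0,0 +1,40 @@
+From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 27 Apr 2021 10:56:12 +0200
+Subject: [PATCH 2/2] CVE-2021-25215
+
+5616.	[security]	named crashed when a DNAME record placed in the ANSWER
+			section during DNAME chasing turned out to be the final
+			answer to a client query. (CVE-2021-25215) [GL #2540]
+---
+ bin/named/query.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index a95f5ad..11a888e 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+ 		if (noqname != NULL)
+ 			query_addnoqnameproof(client, noqname);
+ 		/*
+-		 * We shouldn't ever fail to add 'rdataset'
+-		 * because it's already in the answer.
++		 * 'rdataset' will only be non-NULL here if the ANSWER section
++		 * of the message to be sent to the client already contains an
++		 * RRset with the same owner name and the same type as
++		 * 'rdataset'.  This should never happen, with one exception:
++		 * when chasing DNAME records, one of the DNAME records placed
++		 * in the ANSWER section may turn out to be the final answer to
++		 * the client's query, but we have no way of knowing that until
++		 * now.  In such a case, 'rdataset' will be freed later, so we
++		 * do not need to free it here.
+ 		 */
+-		INSIST(rdataset == NULL);
++		INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
+ 	}
+ 
+  addauth:
+-- 
+2.26.3
+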
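Review bot: The patch header carries no upstream commit reference for this CVE fix — only the CHANGES entry 5616 and [GL #2540] — and its subject reads `[PATCH 2/2]` although only one patch is added for CVE-2021-25215, so a reviewer cannot readily diff the backport against what ISC shipped; add the ISC commit hash to the header (or a gitlab.isc.org reference comment in the spec, as Patch181 through Patch183 have) and correct the 2/2 numbering. On the code, the relaxed `INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);` tolerates a duplicate ANSWER RRset only for DNAME queries, and the new comment's claim that 'rdataset' is released later cannot be checked here because query_find begins and ends outside the hunk. It is worth confirming in the full function that the cleanup path really does free rdataset in that case, since otherwise the assertion relaxation trades a crash for a leak.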
							
								
								
									
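--- a/SOURCES/bind-9.11-rh1935152.patch
+++ b/SOURCES/bind-9.11-rh1935152.patch
@@ -0,0 +1,38 @@
+From 4757898440d52b0adbf7ec7ee7f0f89b61aac0fb Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 18 Dec 2020 13:31:07 +1100
+Subject: [PATCH] Inactive incorrectly incremented
+
+It is possible to have two threads destroying an rbtdb at the same
+time when detachnode() executes and removes the last reference to
+a node between exiting being set to true for the node and testing
+if the references are zero in maybe_free_rbtdb().  Move NODE_UNLOCK()
+to after checking if references is zero to prevent detachnode()
+changing the reference count too early.
+
+(cherry picked from commit 859d2fdad6d1c6ff20083a4c463a929cbeb26438)
+(cherry picked from commit 25150c15e7cfa73289f04470e2e699ebb7c28fef)
+---
+ lib/dns/rbtdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 8ea4d47..77ef7a4 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -1460,11 +1460,11 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
+ 	for (i = 0; i < rbtdb->node_lock_count; i++) {
+ 		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+ 		rbtdb->node_locks[i].exiting = true;
+-		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+ 		if (isc_refcount_current(&rbtdb->node_locks[i].references)
+ 		    == 0) {
+ 			inactive++;
+ 		}
++		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+ 	}
+ 
+ 	if (inactive != 0) {
+-- 
+2.26.3
+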
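Review bot: Nothing in the rewritten loop records why NODE_UNLOCK() now follows the reference check, so the next reader may well hoist it back up to shorten the critical section and reintroduce the race the commit message describes; add a comment above the `if`, e.g. `/* Keep the write lock until 'references' has been read: detachnode() must not drop the last reference between setting 'exiting' and this check. */`. The fix is sound as far as the hunk shows — 'exiting' and the zero-reference test are now observed under one write lock — but that only holds if detachnode() takes the same node lock, which is not visible here. maybe_free_rbtdb begins and ends outside the hunk, so what is done with `inactive` afterwards cannot be reviewed from this section.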
							
								
								
									
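--- a/SOURCES/bind-9.11-rh1980757.patch
+++ b/SOURCES/bind-9.11-rh1980757.patch
@@ -0,0 +1,32 @@
+From a503519533eb375a5ce1f7566bfc153aac980d87 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 9 Jul 2021 20:52:21 +0200
+Subject: [PATCH] Use proper entropy to initialize tsig keyname
+
+Random names used on GSS backed nsupdate can conflict in specific
+situations. That might include starting a lot of machines from
+containers, where they took all similar time to start. PID and timestamp
+would be similar and therefore randomness is quite low. Use entropy to
+generate more random identifier and reduce chance of conflict.
+---
+ bin/nsupdate/nsupdate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 458aa76..d9e5a2b 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -2941,7 +2941,9 @@ start_gssrequest(dns_name_t *master) {
+ 
+ 	keyname = dns_fixedname_initname(&fkname);
+ 
+-	isc_random_get(&val);
++	result = isc_entropy_getdata(entropy, &val, sizeof(val), NULL, 0);
++	if (result != ISC_R_SUCCESS)
++		isc_random_get(&val);
+ 	result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
+ 				   val, namestr);
+ 	if (result != ISC_R_SUCCESS)
+-- 
+2.31.1
+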
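Review bot: When isc_entropy_getdata() fails, the new code silently falls back to isc_random_get() — the very source the commit message calls too predictable — so the weak path is taken with no trace for the operator; emit a warning through whatever diagnostic helper nsupdate.c already uses (none is visible in the hunk) before calling isc_random_get(), and give the fallback braces so the diagnostic fits. The `entropy` handle passed to isc_entropy_getdata() is not declared in the hunk; presumably it is the file-level isc_entropy_t initialised elsewhere in nsupdate.c, and this code assumes it is non-NULL by the time start_gssrequest() runs, which deserves a one-line comment. `val` appears to be a 32-bit quantity (it is formatted with %u), so the key name draws from at most 2^32 values — ample for the container-boot collision case described, but the name is not a secret and should not be relied on as one. start_gssrequest begins and ends outside this hunk.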
| @ -68,7 +68,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv | ||||
| Name:     bind | ||||
| License:  MPLv2.0 | ||||
| Version:  9.11.26 | ||||
| Release:  3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} | ||||
| Release:  6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} | ||||
| Epoch:    32 | ||||
| Url:      https://www.isc.org/downloads/bind/ | ||||
| # | ||||
| @ -155,6 +155,13 @@ Patch175:bind-9.11-json-c.patch | ||||
| Patch177:bind-9.11-serve-stale.patch | ||||
| Patch178:bind-9.11-dhcp-time-monotonic.patch | ||||
| Patch179:bind-9.11-CVE-2020-8625.patch | ||||
| Patch180:bind-9.11-CVE-2021-25215.patch | ||||
| # https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf | ||||
| Patch181:bind-9.11-CVE-2021-25214.patch | ||||
| # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4533/diffs?commit_id=25150c15e7cfa73289f04470e2e699ebb7c28fef | ||||
| Patch182:bind-9.11-rh1935152.patch | ||||
| # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5253 | ||||
| Patch183:bind-9.11-rh1980757.patch | ||||
| 
 | ||||
| # SDB patches | ||||
| Patch11: bind-9.3.2b2-sdbsrc.patch | ||||
| @ -550,6 +557,10 @@ are used for building ISC DHCP. | ||||
| %patch177 -p1 -b .serve-stale | ||||
| %patch178 -p1 -b .time-monotonic | ||||
| %patch179 -p1 -b .CVE-2020-8625 | ||||
| %patch180 -p1 -b .CVE-2021-25215 | ||||
| %patch181 -p1 -b .CVE-2021-25214 | ||||
| %patch182 -p1 -b .rh1935152 | ||||
| %patch183 -p1 -b .rh1980757 | ||||
| 
 | ||||
| mkdir lib/dns/tests/testdata/dstrandom | ||||
| cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data | ||||
| @ -1161,7 +1172,7 @@ fi | ||||
| %triggerin -- selinux-policy < 3.14.1-44 | ||||
| # Failsafe for upgrades, set to new default | ||||
| if [ -x "%{_sbindir}/selinuxenabled" -a -x "%{_sbindir}/setsebool" ] && %{_sbindir}/selinuxenabled; then | ||||
| 	"%{_sbindir}/setsebool" -P named_write_master_zones=1 | ||||
|     "%{_sbindir}/setsebool" -P named_write_master_zones=1 | ||||
| fi | ||||
| %end | ||||
| 
 | ||||
| @ -1601,6 +1612,17 @@ rm -rf ${RPM_BUILD_ROOT} | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Fri Jul 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-6 | ||||
| - Use random entropy to generate unique TKEY identifiers (#1980916) | ||||
| 
 | ||||
| * Fri May 07 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-5 | ||||
| - Fix possible assertion failure isc_refcount_current == 0 in free_rbtdb | ||||
|   (#1953056) | ||||
| 
 | ||||
| * Tue Apr 27 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-4 | ||||
| - Possible assertion failure on DNAME processing (CVE-2021-25215) | ||||
| - Insufficient IXFR checks could lead to assertion failure (CVE-2021-25214) | ||||
| 
 | ||||
| * Mon Feb 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-3 | ||||
| - Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625) | ||||
| 
 | ||||
|  | ||||