import bind-9.11.36-8.el8

SOURCES/bind-9.11-CVE-2022-2795.patch

@@ -0,0 +1,61 @@
+From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bb..ac9a9ef5d0 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);
+-- 
+2.37.3
+

SPECS/bind.spec

@@ -68,7 +68,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.36
-Release:  5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2
+Release:  8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -164,6 +164,8 @@ Patch188: bind-9.16-CVE-2022-38177.patch
 Patch189: bind-9.16-CVE-2022-38178.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
 Patch190: bind-9.11-rh2101712.patch
+Patch191: bind-9.11-CVE-2022-2795.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376
 Patch192: bind-9.11-rh2133889.patch
 
 # SDB patches
@@ -565,6 +567,7 @@ are used for building ISC DHCP.
 %patch188 -p1 -b .CVE-2022-38177
 %patch189 -p1 -b .CVE-2022-38178
 %patch190 -p1 -b .rh2101712
+%patch191 -p1 -b .CVE-2022-2795
 %patch192 -p1 -b .rh2133889
 
 mkdir lib/dns/tests/testdata/dstrandom
@@ -1618,11 +1621,15 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
-* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5.2
-- Correct regression preventing bind-dyndb-ldap build (#2130272)
+* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
+- Correct regression preventing bind-dyndb-ldap build (#2133889)
 
-* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5.1
-- Prevent freeing zone during statistics rendering (#2130272)
+* Thu Sep 29 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-7
+- Prevent excessive resource use while processing large delegations.
+  (CVE-2022-2795)
+
+* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-6
+- Prevent freeing zone during statistics rendering (#2101712)
 
 * Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5
 - Fix memory leak in ECDSA verify processing (CVE-2022-38177)