import bind-9.11.36-8.el8
This commit is contained in:
parent
12f00745d8
commit
d6121a1d3f
61
SOURCES/bind-9.11-CVE-2022-2795.patch
Normal file
61
SOURCES/bind-9.11-CVE-2022-2795.patch
Normal file
@ -0,0 +1,61 @@
|
||||
From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
||||
Subject: [PATCH] Bound the amount of work performed for delegations
|
||||
|
||||
Limit the amount of database lookups that can be triggered in
|
||||
fctx_getaddresses() (i.e. when determining the name server addresses to
|
||||
query next) by setting a hard limit on the number of NS RRs processed
|
||||
for any delegation encountered. Without any limit in place, named can
|
||||
be forced to perform large amounts of database lookups per each query
|
||||
received, which severely impacts resolver performance.
|
||||
|
||||
The limit used (20) is an arbitrary value that is considered to be big
|
||||
enough for any sane DNS delegation.
|
||||
|
||||
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
||||
(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
|
||||
---
|
||||
lib/dns/resolver.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 8ae9a993bb..ac9a9ef5d0 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -180,6 +180,12 @@
|
||||
*/
|
||||
#define NS_FAIL_LIMIT 4
|
||||
#define NS_RR_LIMIT 5
|
||||
+/*
|
||||
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
||||
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
||||
+ * large delegations.
|
||||
+ */
|
||||
+#define NS_PROCESSING_LIMIT 20
|
||||
|
||||
/* Number of hash buckets for zone counters */
|
||||
#ifndef RES_DOMAIN_BUCKETS
|
||||
@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
bool need_alternate = false;
|
||||
bool all_spilled = true;
|
||||
unsigned int no_addresses = 0;
|
||||
+ unsigned int ns_processed = 0;
|
||||
|
||||
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||
|
||||
@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdata_freestruct(&ns);
|
||||
+
|
||||
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
||||
+ result = ISC_R_NOMORE;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
if (result != ISC_R_NOMORE) {
|
||||
return (result);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.11.36
|
||||
Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2
|
||||
Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -164,6 +164,8 @@ Patch188: bind-9.16-CVE-2022-38177.patch
|
||||
Patch189: bind-9.16-CVE-2022-38178.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
|
||||
Patch190: bind-9.11-rh2101712.patch
|
||||
Patch191: bind-9.11-CVE-2022-2795.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376
|
||||
Patch192: bind-9.11-rh2133889.patch
|
||||
|
||||
# SDB patches
|
||||
@ -565,6 +567,7 @@ are used for building ISC DHCP.
|
||||
%patch188 -p1 -b .CVE-2022-38177
|
||||
%patch189 -p1 -b .CVE-2022-38178
|
||||
%patch190 -p1 -b .rh2101712
|
||||
%patch191 -p1 -b .CVE-2022-2795
|
||||
%patch192 -p1 -b .rh2133889
|
||||
|
||||
mkdir lib/dns/tests/testdata/dstrandom
|
||||
@ -1618,11 +1621,15 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5.2
|
||||
- Correct regression preventing bind-dyndb-ldap build (#2130272)
|
||||
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
|
||||
- Correct regression preventing bind-dyndb-ldap build (#2133889)
|
||||
|
||||
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5.1
|
||||
- Prevent freeing zone during statistics rendering (#2130272)
|
||||
* Thu Sep 29 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-7
|
||||
- Prevent excessive resource use while processing large delegations.
|
||||
(CVE-2022-2795)
|
||||
|
||||
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-6
|
||||
- Prevent freeing zone during statistics rendering (#2101712)
|
||||
|
||||
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5
|
||||
- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
|
||||
|
Loading…
Reference in New Issue
Block a user