From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
---
bin/named/zoneconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 55f191b..b77a07c 100644
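--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 
 str = cfg_obj_asstring(matchtype);
 CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
 usezone = true;
 }
 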
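Review bot: The new condition separates "zonesub" from "subdomain" only by re-comparing the raw configuration string, and nothing on the added lines says why that second check is needed. Because the old condition fired for both keywords, `dns_ssu_mtypefromstring()` presumably returns `dns_ssumatchtype_subdomain` for both, so any other code that looks at `mtype` alone still cannot tell the two rule types apart; that is worth confirming outside this hunk. I would add a comment above the `if`, such as `/* "zonesub" parses to the same match type as "subdomain"; only "zonesub" may set usezone */`, so the authorization scope of an update-policy rule is not widened again by a later cleanup. The patch carries no regression test; one asserting that a key named in a "subdomain" rule is refused when it updates a name outside that subdomain would pin the fixed behaviour. configure_zone_ssutable() begins and ends outside the hunk, so how `usezone` is consumed is not visible here.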
--
2.26.2