Rebuilt for BIND CVE-2024-1737 fixes (CVE-2024-1737)
New functions were added to the database interface again. This adds setmaxrrperset and setmaxtypepername wrappers to the LDAP database that forward to the underlying rbtdb, which should enforce the limits in the correct databases. No LDAP properties exist to customize those limits at this moment, however. Resolves: RHEL-49900
parent
a1e0be6ad9
commit
8c04b03265
76
bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
Normal file
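--- /dev/null
+++ b/bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
@@ -0,0 +1,76 @@
+From c7801fabb1597c4d4b18b21fcfcf6ab064040ba5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 7 Aug 2024 16:19:46 +0200
+Subject: [PATCH] Detect presence of dns_zone_setmaxrrperset
+
+Because it were backported into bind-9.16 branch by upstream and testing
+of simpler variant fails in some cases. This assumes these call do not
+appear only after 9.18.28, but may be backported into previous versions.
+Tests just call presence and assumes dns_db_setmaxtypepername will be
+present also.
+---
+configure.ac | 4 ++++
+src/ldap_driver.c | 25 +++++++++++++++++++++++++
+2 files changed, 29 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index faac214..b897c2b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -137,6 +137,10 @@ AC_CHECK_LIB([dns], [dns_db_setservestalettl],
+[AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])]
+)
+
++AC_CHECK_LIB([dns], [dns_db_setmaxrrperset],
++ [AC_DEFINE([HAVE_DNS_DB_SETMAXRRPERSET], 1, [Define if dns library provides dns_db_setmaxrrperset])]
++)
++
+dnl Older autoconf (2.59, for example) doesn't define docdir
+[[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}'
+AC_SUBST([docdir])
+diff --git a/src/ldap_driver.c b/src/ldap_driver.c
+index 5f9e00a..29896d4 100644
+--- a/src/ldap_driver.c
++++ b/src/ldap_driver.c
+@@ -909,6 +909,27 @@ adjusthashsize(dns_db_t *db, size_t size) {
+}
+#endif
+
++#if HAVE_DNS_DB_SETMAXRRPERSET
++/* Calls added to fix CVE-2024-1737 in 9.18.28 */
++static void
++setmaxrrperset(dns_db_t *db, uint32_t value) {
++ ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++ REQUIRE(VALID_LDAPDB(ldapdb));
++
++ return dns_db_setmaxrrperset(ldapdb->rbtdb, value);
++}
++
++static void
++setmaxtypepername(dns_db_t *db, uint32_t value) {
++ ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++ REQUIRE(VALID_LDAPDB(ldapdb));
++
++ return dns_db_setmaxtypepername(ldapdb->rbtdb, value);
++}
++#endif
++
+static dns_dbmethods_t ldapdb_methods = {
+attach,
+detach,
+@@ -969,6 +990,10 @@ static dns_dbmethods_t ldapdb_methods = {
+#if LIBDNS_VERSION_MAJOR >= 1606
+adjusthashsize, /* adjusthashsize */
+#endif
++#if HAVE_DNS_DB_SETMAXRRPERSET
++ setmaxrrperset, /* setmaxrrperset */
++ setmaxtypepername, /* setmaxtypepername */
++#endif
+};
+
+isc_result_t ATTR_NONNULLS
+--
+2.45.2
+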
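Review bot: The new ldapdb_methods slots and the two wrapper functions are compiled only under `#if HAVE_DNS_DB_SETMAXRRPERSET`, and the configure.ac hunk sets that macro solely from an `AC_CHECK_LIB` link probe with no action-if-not-found, so a probe that fails for an unrelated reason (the commit message itself says the simpler detection "fails in some cases") produces a plugin in which LDAP-backed zones silently skip the CVE-2024-1737 limits instead of a build error. Consider making a failed probe visible, e.g. passing `[AC_MSG_WARN([dns_db_setmaxrrperset not found: RRset limits will not be forwarded to the LDAP database])]` as the fourth AC_CHECK_LIB argument, so a packager can tell a deliberate absence from a broken probe. Separately, `return dns_db_setmaxrrperset(ldapdb->rbtdb, value);` in a function declared `void` is a C11 constraint violation (6.8.6.4) that GCC only reports under -Wpedantic; write it as the plain statement `dns_db_setmaxrrperset(ldapdb->rbtdb, value);` and likewise in setmaxtypepername. The comment `/* Calls added to fix CVE-2024-1737 in 9.18.28 */` would also be more useful as `/* Forward the CVE-2024-1737 per-RRset/per-name limits to the backing rbtdb; added in 9.18.28 and backported to 9.16, hence the configure probe rather than a version check */`, which matches the reason given in the commit message. The ldapdb_methods initializer starts in the first ldap_driver.c hunk and closes in the second, so the slots between them are not visible here.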
@ -12,7 +12,7 @@
|
Name: bind-dyndb-ldap
Name: bind-dyndb-ldap
Version: 11.9
Version: 11.9
Release: 9%{?dist}
Release: 10%{?dist}
Summary: LDAP back-end plug-in for BIND
Summary: LDAP back-end plug-in for BIND
|
|
License: GPLv2+
License: GPLv2+
@ -24,6 +24,8 @@ Patch1: bind-dyndb-ldap-11.9-bind-9.16.17.patch
Patch2: 0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
Patch2: 0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
# https://pagure.io/bind-dyndb-ldap/pull-request/229
# https://pagure.io/bind-dyndb-ldap/pull-request/229
Patch3: https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
Patch3: https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
# https://pagure.io/bind-dyndb-ldap/pull-request/235
Patch4: bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
|
BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
BuildRequires: krb5-devel
BuildRequires: krb5-devel
@ -119,6 +121,9 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
|
|
%changelog
%changelog
* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 11.9-10
- Rebuilt for BIND CVE-2024-1737 fixes (CVE-2024-1737)
|
* Thu Feb 22 2024 Petr Menšík <pemensik@redhat.com> - 11.9-9
* Thu Feb 22 2024 Petr Menšík <pemensik@redhat.com> - 11.9-9
- Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387)
- Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387)
|
|