Add tests for forwarder cache poisoning scenarios
- Check that an NS in an authority section returned from a forwarder which is above the name in a configured "forward first" or "forward only" zone (i.e., net/NS in a response from a forwarder configured for local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of a zone configured locally.
- Check that extra out-of-bailiwick data in the answer section is not cached (this was already working correctly, but was not explicitly tested before).

Related: CVE-2021-25220
parent 68bb3ef214
commit 4cefc72f11
1144
bind-9.16-CVE-2021-25220-test.patch
Normal file
File diff suppressed because it is too large
@ -104,6 +104,7 @@ Patch171:bind-9.11-tests-variants.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987
Patch172:bind-9.16-CVE-2022-0396.patch
Patch173:bind-9.16-CVE-2021-25220.patch
Patch174:bind-9.16-CVE-2021-25220-test.patch
%{?systemd_ordering}
Requires: coreutils
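Review bot: the new Patch174 line carries no source comment, unlike Patch172 two lines above it, which sits directly under the upstream merge request URL. The test patch body is suppressed in this view, so a comment above Patch174 saying where the tests come from would let a reader confirm they match the fix applied by Patch173.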
@ -406,6 +407,7 @@ in HTML and PDF format.
%patch171 -p1 -b .test-variant
%patch172 -p1 -b .CVE-2022-0396
%patch173 -p1 -b .CVE-2021-25220
%patch174 -p1 -b .CVE-2021-25220-test
%if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11
@ -1130,6 +1132,7 @@ fi;
%changelog
* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders
* Fri Mar 25 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-2
- TCP connections with 'keep-response-order' are properly close in all cases
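Review bot: "- Include test of forwarders" is appended to the existing 32:9.16.23-3 entry, and no Release change appears in this diff, so if 9.16.23-3 has already been built the release should be bumped and the line moved to a new entry. The wording is also thin for a changelog: naming what the tests cover (NS, DNAME, glue and out-of-bailiwick records returned by forwarders, per the commit message) would tie the line to CVE-2021-25220.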