Fix regression in upstream CVE-2025-8677 fix

https://gitlab.isc.org/isc-projects/bind9/-/issues/5570

Resolves: RHEL-123307
Petr Menšík 2025-10-31 17:47:07 +01:00
parent b95db954bc
commit 5244b44cf3
2 changed files with 42 additions and 1 deletion

@ -0,0 +1,36 @@
From 5126c74ec19f56294cbfdc312f75778d8f249e59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 3 Nov 2025 22:03:54 +0100
Subject: [PATCH] Do not abort key search on unsupported algorithm
When supported and unsupported algorithm rrsig is present, some keys may
return unsupported algorithm error. Continue to next key without
counting this to validation failures.
(cherry picked from commit 38ddff3336e08983a4c0b5f3ea4eb35bb0f6ac81)
---
lib/dns/validator.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 15e177e4d7..a9db844c27 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1163,7 +1163,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
goto done;
}
dst_key_free(&val->key);
- } else {
+ } else if (result != DST_R_UNSUPPORTEDALG) {
+ /* Unsupported alg happens when RRset is signed by both
+ * supported and unsupported alg. */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "select_signing_key alg %d keyid %d: %s",
+ siginfo->algorithm, siginfo->keyid,
+ isc_result_totext(result));
break;
}
dns_rdata_reset(&rdata);
--
2.51.1
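Review bot: the explanatory comment in this hunk is attached to the wrong branch. `/* Unsupported alg happens when RRset is signed by both supported and unsupported alg. */` sits inside `} else if (result != DST_R_UNSUPPORTEDALG) {`, which is the path taken for every error except an unsupported algorithm, so a reader will conclude that the `validator_log(...)` and `break` path is the dual-signing case when it is the opposite. Move the comment above the `else if` and state explicitly that `DST_R_UNSUPPORTEDALG` is deliberately not a `break`: control falls through to `dns_rdata_reset(&rdata);` and the loop tries the next key. Consider also emitting an `ISC_LOG_DEBUG(3)` line for the skipped key, since the case the fix is about (a zone signed with an algorithm this build cannot verify) is now completely silent, which makes it hard to confirm in the resolver log that the new path was taken.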

@ -80,7 +80,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
# Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it.
# Updating just bind will cause freeipa-dns-server package to be uninstallable.
Version: 9.18.33
Release: 12%{?dist}
Release: 13%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -152,6 +152,8 @@ Patch223: bind-9.18-CVE-2025-8677.patch
Patch224: bind-9.18-CVE-2025-40778.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/8330b49fb90bfeae14b47b7983e9459cc2bbaffe
Patch225: bind-9.18-CVE-2025-40780.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11194
Patch226: bind-9.20-CVE-2025-8677-dual-signing.patch
%{?systemd_ordering}
# https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
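Review bot: the new `Patch226:` entry declares the patch, but this diff adds no matching `%patch` line in `%prep`, so confirm the spec applies the Patch2xx series automatically (for example with `%autopatch` or `%autosetup -p1`); if patches are applied by explicit number, `bind-9.20-CVE-2025-8677-dual-signing.patch` is never applied and this commit does not actually fix the regression. Two smaller points: the file is named with a `bind-9.20-` prefix while the neighbouring entries use `bind-9.18-` and the package is `Version: 9.18.33`, so either rename it or say in the comment that it is a backport of the 9.20 fix; and the comment cites only `merge_requests/11194`, whereas `Patch225` cites the upstream commit URL, so add the cherry-picked commit id that the patch body itself records (`38ddff3336e08983a4c0b5f3ea4eb35bb0f6ac81`) as a stable reference.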
@ -951,6 +953,9 @@ fi;
%endif
%changelog
* Fri Oct 31 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.33-13
- Fix upstream reported regression in recent CVE fix (CVE-2025-8677)
* Thu Oct 23 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.33-12
- Refuse malformed DNSKEY records (CVE-2025-8677)
- Address various spoofing attacks (CVE-2025-40778)
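Review bot: the changelog entry is dated `Fri Oct 31 2025`, matching the commit timestamp, but the patch file added in this same commit carries `Date: Mon, 3 Nov 2025 22:03:54 +0100`, so one of the two was regenerated after the other; check which is intended and make them agree. The entry text "Fix upstream reported regression in recent CVE fix (CVE-2025-8677)" is also the only record an end user sees, so reference the upstream issue (https://gitlab.isc.org/isc-projects/bind9/-/issues/5570) and `RHEL-123307` in it rather than leaving the regression unnamed; the neighbouring `32:9.18.33-12` entries at least name the CVEs they address.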