import bind-9.11.36-8.el8

This commit is contained in:
CentOS Sources 2023-05-16 06:15:16 +00:00 committed by Stepan Oksanichenko
parent 12f00745d8
commit d6121a1d3f
2 changed files with 73 additions and 5 deletions

View File

@ -0,0 +1,61 @@
From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 8 Sep 2022 11:11:30 +0200
Subject: [PATCH] Bound the amount of work performed for delegations
Limit the amount of database lookups that can be triggered in
fctx_getaddresses() (i.e. when determining the name server addresses to
query next) by setting a hard limit on the number of NS RRs processed
for any delegation encountered. Without any limit in place, named can
be forced to perform large amounts of database lookups per each query
received, which severely impacts resolver performance.
The limit used (20) is an arbitrary value that is considered to be big
enough for any sane DNS delegation.
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
---
lib/dns/resolver.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 8ae9a993bb..ac9a9ef5d0 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -180,6 +180,12 @@
*/
#define NS_FAIL_LIMIT 4
#define NS_RR_LIMIT 5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
/* Number of hash buckets for zone counters */
#ifndef RES_DOMAIN_BUCKETS
@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
bool need_alternate = false;
bool all_spilled = true;
unsigned int no_addresses = 0;
+ unsigned int ns_processed = 0;
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
+
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
return (result);
--
2.37.3

View File

@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.11.36
Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2
Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -164,6 +164,8 @@ Patch188: bind-9.16-CVE-2022-38177.patch
Patch189: bind-9.16-CVE-2022-38178.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
Patch190: bind-9.11-rh2101712.patch
Patch191: bind-9.11-CVE-2022-2795.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376
Patch192: bind-9.11-rh2133889.patch
# SDB patches
@ -565,6 +567,7 @@ are used for building ISC DHCP.
%patch188 -p1 -b .CVE-2022-38177
%patch189 -p1 -b .CVE-2022-38178
%patch190 -p1 -b .rh2101712
%patch191 -p1 -b .CVE-2022-2795
%patch192 -p1 -b .rh2133889
mkdir lib/dns/tests/testdata/dstrandom
@ -1618,11 +1621,15 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5.2
- Correct regression preventing bind-dyndb-ldap build (#2130272)
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
- Correct regression preventing bind-dyndb-ldap build (#2133889)
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5.1
- Prevent freeing zone during statistics rendering (#2130272)
* Thu Sep 29 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-7
- Prevent excessive resource use while processing large delegations.
(CVE-2022-2795)
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-6
- Prevent freeing zone during statistics rendering (#2101712)
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5
- Fix memory leak in ECDSA verify processing (CVE-2022-38177)