Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. 6317. [security] Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334] Resolves: RHEL-25364 ; Resolves: CVE-2023-5679
This commit is contained in:
Petr Menšík
parent
e09e829119
commit
e51b6b2b70
37
bind-9.16-CVE-2023-5679.patch
Normal file
37
bind-9.16-CVE-2023-5679.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Mon, 12 Feb 2024 20:41:43 +0100
|
||||
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
|
||||
|
||||
Enabling both DNS64 and serve-stale may cause an assertion failure
|
||||
during recursive resolution.
|
||||
|
||||
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
|
||||
(CVE-2023-5679) [GL #4334]
|
||||
|
||||
Resolves: CVE-2023-5679
|
||||
---
|
||||
lib/ns/query.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||
index cc1d179..1993800 100644
|
||||
--- a/lib/ns/query.c
|
||||
+++ b/lib/ns/query.c
|
||||
@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
|
||||
query_ctx_t qctx;
|
||||
|
||||
qctx_init(client, NULL, client->query.qtype, &qctx);
|
||||
+ if (DNS64(client)) {
|
||||
+ qctx.qtype = qctx.type = dns_rdatatype_a;
|
||||
+ qctx.dns64 = true;
|
||||
+ }
|
||||
+ if (DNS64EXCLUDE(client)) {
|
||||
+ qctx.dns64_exclude = true;
|
||||
+ }
|
||||
dns_db_attach(client->view->cachedb, &qctx.db);
|
||||
client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
|
||||
client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -137,6 +137,7 @@ Patch192: bind-9.16-CVE-2023-3341.patch
|
||||
Patch193: bind-9.16-update-b.root-servers.net.patch
|
||||
Patch194: bind-9.16-CVE-2023-4408.patch
|
||||
Patch195: bind-9.16-CVE-2023-5517.patch
|
||||
Patch196: bind-9.16-CVE-2023-5679.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -460,6 +461,7 @@ in HTML and PDF format.
|
||||
%patch193 -p1 -b .b.root-servers.net
|
||||
%patch194 -p1 -b .CVE-2023-4408
|
||||
%patch195 -p1 -b .CVE-2023-5517
|
||||
%patch196 -p1 -b .CVE-2023-5679
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -1187,6 +1189,7 @@ fi;
|
||||
- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
|
||||
- Prevent assertion failure when nxdomain-redirect is used with
|
||||
RFC 1918 reverse zones (CVE-2023-5517)
|
||||
- Prevent assertion failure if DNS64 and serve-stale is used (CVE-2023-5679)
|
||||
|
||||
* Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15
|
||||
- Update addresses of b.root-servers.net (RHEL-18188)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user