rpms/bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity

Prevent assertion failure if DNS64 and serve-stale is used

Browse Source 
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.

6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
			(CVE-2023-5679) [GL #4334]

Resolves: RHEL-25364
; Resolves: CVE-2023-5679
This commit is contained in:
Petr Menšík 2024-02-12 20:57:02 +01:00
parent e09e829119
commit e51b6b2b70
2 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
bind-9.16-CVE-2023-5679.patch Normal file
View File

@ -0,0 +1,37 @@
From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 20:41:43 +0100
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
Resolves: CVE-2023-5679
---
lib/ns/query.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index cc1d179..1993800 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
query_ctx_t qctx;
qctx_init(client, NULL, client->query.qtype, &qctx);
+ if (DNS64(client)) {
+ qctx.qtype = qctx.type = dns_rdatatype_a;
+ qctx.dns64 = true;
+ }
+ if (DNS64EXCLUDE(client)) {
+ qctx.dns64_exclude = true;
+ }
dns_db_attach(client->view->cachedb, &qctx.db);
client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
--
2.43.0

3
bind.spec
View File

@ -137,6 +137,7 @@ Patch192: bind-9.16-CVE-2023-3341.patch
Patch193: bind-9.16-update-b.root-servers.net.patch Patch193: bind-9.16-update-b.root-servers.net.patch
Patch194: bind-9.16-CVE-2023-4408.patch Patch194: bind-9.16-CVE-2023-4408.patch
Patch195: bind-9.16-CVE-2023-5517.patch Patch195: bind-9.16-CVE-2023-5517.patch
Patch196: bind-9.16-CVE-2023-5679.patch
%{?systemd_ordering} %{?systemd_ordering}
Requires: coreutils Requires: coreutils
@ -460,6 +461,7 @@ in HTML and PDF format.
%patch193 -p1 -b .b.root-servers.net %patch193 -p1 -b .b.root-servers.net
%patch194 -p1 -b .CVE-2023-4408 %patch194 -p1 -b .CVE-2023-4408
%patch195 -p1 -b .CVE-2023-5517 %patch195 -p1 -b .CVE-2023-5517
%patch196 -p1 -b .CVE-2023-5679
%if %{with PKCS11} %if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11 %patch135 -p1 -b .config-pkcs11
@ -1187,6 +1189,7 @@ fi;
- Prevent increased CPU load on large DNS messages (CVE-2023-4408) - Prevent increased CPU load on large DNS messages (CVE-2023-4408)
- Prevent assertion failure when nxdomain-redirect is used with - Prevent assertion failure when nxdomain-redirect is used with
RFC 1918 reverse zones (CVE-2023-5517) RFC 1918 reverse zones (CVE-2023-5517)
- Prevent assertion failure if DNS64 and serve-stale is used (CVE-2023-5679)
* Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15 * Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15
- Update addresses of b.root-servers.net (RHEL-18188) - Update addresses of b.root-servers.net (RHEL-18188)