import UBI bind-9.16.23-29.el9_6
This commit is contained in:
parent
b7d155151e
commit
eeaa229f36
90
SOURCES/bind-9.18-query-fname-relative.patch
Normal file
90
SOURCES/bind-9.18-query-fname-relative.patch
Normal file
@ -0,0 +1,90 @@
|
||||
From 5bc7cd7a7b9c37e5c70ccf74c5485a02411aaef5 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 25 Apr 2025 02:00:00 +0200
|
||||
Subject: [PATCH] Insert additional checks ensuring name is not relative
|
||||
|
||||
Mitigation for crashes put in various places, where obviously relative
|
||||
uninitialized name must not appear. This seems unnecessary once true
|
||||
cause were identified, but may prevent similar places.
|
||||
---
|
||||
lib/ns/query.c | 35 +++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 35 insertions(+)
|
||||
|
||||
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||
index 11d2520..7e8a4d2 100644
|
||||
--- a/lib/ns/query.c
|
||||
+++ b/lib/ns/query.c
|
||||
@@ -2203,6 +2203,20 @@ regular:
|
||||
CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
|
||||
}
|
||||
|
||||
+static void
|
||||
+log_query_relative(query_ctx_t *qctx, const char *func, const dns_name_t *name) {
|
||||
+ if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) {
|
||||
+ char namebuf[DNS_NAME_FORMATSIZE] = "!";
|
||||
+ dns_name_format(name, namebuf, sizeof(namebuf));
|
||||
+ ns_client_log(
|
||||
+ qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
|
||||
+ ISC_LOG_DEBUG(1),
|
||||
+ "%s: fname=%s leading to relative name, aborting query.",
|
||||
+ func, namebuf
|
||||
+ );
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void
|
||||
query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
|
||||
dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
|
||||
@@ -2275,6 +2289,11 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
|
||||
client->query.attributes &= ~NS_QUERYATTR_SECURE;
|
||||
}
|
||||
|
||||
+ if (!qctx->is_zone && mname && !dns_name_isabsolute(mname)) {
|
||||
+ log_query_relative(qctx, "query_addrrset", mname);
|
||||
+ QUERY_ERROR(qctx, DNS_R_SERVFAIL);
|
||||
+ return;
|
||||
+ }
|
||||
/*
|
||||
* Update message name, set rdataset order, and do additional
|
||||
* section processing if needed.
|
||||
@@ -8074,6 +8093,11 @@ query_respond_any(query_ctx_t *qctx) {
|
||||
: qctx->tname;
|
||||
query_prefetch(qctx->client, name,
|
||||
qctx->rdataset);
|
||||
+ if (name && !dns_name_isabsolute(name)) {
|
||||
+ log_query_relative(qctx, "query_respond_any", name);
|
||||
+ result = DNS_R_DROP;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -10696,6 +10720,11 @@ query_cname(query_ctx_t *qctx) {
|
||||
|
||||
if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
|
||||
query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
|
||||
+ if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
|
||||
+ log_query_relative(qctx, "query_cname", qctx->fname);
|
||||
+ QUERY_ERROR(qctx, DNS_R_SERVFAIL);
|
||||
+ return (ns_query_done(qctx));
|
||||
+ }
|
||||
}
|
||||
|
||||
query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
|
||||
@@ -10801,7 +10830,13 @@ query_dname(query_ctx_t *qctx) {
|
||||
|
||||
if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
|
||||
query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
|
||||
+ if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
|
||||
+ log_query_relative(qctx, "query_dname", qctx->fname);
|
||||
+ QUERY_ERROR(qctx, DNS_R_SERVFAIL);
|
||||
+ return (ns_query_done(qctx));
|
||||
+ }
|
||||
}
|
||||
+
|
||||
query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
|
||||
qctx->dbuf, DNS_SECTION_ANSWER);
|
||||
|
||||
--
|
||||
2.49.0
|
||||
|
44
SOURCES/bind-9.21-resume-qmin-cname.patch
Normal file
44
SOURCES/bind-9.21-resume-qmin-cname.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From dc97bfa842b9f0d59db075bdcade599f3767f1ba Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 3 Jun 2025 21:00:58 +0200
|
||||
Subject: [PATCH] Handle CNAME and DNAME in resume_min in a special way
|
||||
|
||||
When authoritative zone is loaded when query minimization query for the
|
||||
same zone is already pending, it might receive unexpected result codes.
|
||||
|
||||
Normally DNS_R_CNAME would follow to query_cname after processing sent
|
||||
events, but dns_view_findzonecut does not fill CNAME target into
|
||||
event->foundevent. Usual lookup via query_lookup would always have that
|
||||
filled.
|
||||
|
||||
Ideally we would restart the query with unmodified search name, if
|
||||
unexpected change from recursing to local zone cut were detected. Until
|
||||
dns_view_findzonecut is modified to export zone/cache source of the cut,
|
||||
at least fail queries which went into unexpected state.
|
||||
---
|
||||
lib/dns/resolver.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index be1d735..ad0a1b8 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -4508,6 +4508,15 @@ resume_qmin(isc_task_t *task, isc_event_t *event) {
|
||||
if (result == DNS_R_NXDOMAIN) {
|
||||
result = DNS_R_SERVFAIL;
|
||||
}
|
||||
+ /*
|
||||
+ * CNAME or DNAME means zone were added with that record
|
||||
+ * after the start of query minimization queries. It means
|
||||
+ * we do not have initialized correct hevent->foundname
|
||||
+ * and have to fail.
|
||||
+ */
|
||||
+ if (result == DNS_R_CNAME || result == DNS_R_DNAME) {
|
||||
+ result = DNS_R_SERVFAIL;
|
||||
+ }
|
||||
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
fctx_done(fctx, result, __LINE__);
|
||||
--
|
||||
2.49.0
|
||||
|
@ -56,7 +56,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.16.23
|
||||
Release: 28%{?dist}
|
||||
Release: 29%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -179,6 +179,12 @@ Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
|
||||
Patch215: bind-9.18-CVE-2024-11187-pre-test.patch
|
||||
Patch216: bind-9.18-CVE-2024-11187.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10562
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
|
||||
# downstream patch fixing bind-dyndb-ldap causing issue
|
||||
Patch217: bind-9.21-resume-qmin-cname.patch
|
||||
# downstream only, extra check for above change, RHEL-30407
|
||||
Patch218: bind-9.18-query-fname-relative.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -1223,6 +1229,10 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 10 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.23-29
|
||||
- Prevent name.c:670 attributes assertion failed (RHEL-30407)
|
||||
- Add extra checks for relative names
|
||||
|
||||
* Sat Feb 15 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-28
|
||||
- Fix test backport changes
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user