Commit Graph

81 Commits

Author SHA1 Message Date
Petr Menšík
152329ccea Bump version above RHEL 9.5
RHEL 9.5 build did not use z-stream rightmost bump. Make sure 9.6 has
higher version.

Resolves: RHEL-49900
2024-09-06 14:14:59 +02:00
Petr Menšík
585cc3f41a Minor fix of reclimit test backport
Fix local rebuilds on Fedora. BIND 9.16 does not work well with fortify
source level 3. Fix also DEFAULT_HMAC not properly set in tests, failing
reclimit test. That was issue only of backport.

Resolves: RHEL-49900
2024-08-27 22:33:14 +02:00
Petr Menšík
9f14cef3c2 Properly test also gsstsig upstream test
Disabled by mistake by downstream patch.

Related: RHEL-49900
2024-08-27 22:33:06 +02:00
Petr Menšík
45d01dade1 [9.16] chg: usr: Backport max-types-per-name to BIND 9.16
This aligns the fix for large number of RRs in RRSet with 9.18 and up
by backporting to `max-records-per-type` configuration option to
BIND 9.16.

Merge branch 'ondrej/max-types-per-rr-backport-9.16' into 'bind-9.16'

See merge request isc-projects/bind9!9178

Resolves: RHEL-49900
2024-08-27 22:32:58 +02:00
Petr Menšík
979a7d3a93 [9.16] chg: usr: Backport max-records-per-type to BIND 9.16
This aligns the fix for large number of RRs in RRSet with 9.18 and up
by backporting to `max-records-per-type` configuration option to
BIND 9.16.

Merge branch 'ondrej/max-records-per-type-backport-9.16' into 'bind-9.16'

See merge request isc-projects/bind9!9177

Remove also custom environment feature, which is not necessary with
proper config options backported.

Increase rightmost version to become higher than _4 suffix.

Resolves: RHEL-49900
2024-08-27 22:32:42 +02:00
Petr Menšík
7d262e3039 Allow runtime customization of CVE-2024-1737 limits
Do not introduce new options into configuration file. But if limits are
hit in unexpected way, allow tuning them by environment variables
DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept number of
maximum records of types. Both defaults to 100.

These replaces max-records-per-type and max-types-per-name in later
versions. But can be configured only by environment and can be
configured only globally, not in each view or zone.

Related: RHEL-49900
2024-08-27 22:32:21 +02:00
Petr Menšík
6a3f81b6a8 Resolve CVE-2024-4076
6403.	[security]	qctx-zversion was not being cleared when it should have
			been leading to an assertion failure if it needed to be
			reused. (CVE-2024-4076) [GL #4507]

Resolves: RHEL-49940
2024-08-27 22:30:26 +02:00
Petr Menšík
809898a212 Resolve CVE-2024-1737
6400.	[security]	Excessively large rdatasets can slow down database
			query processing, so a limit has been placed on the
			number of records that can be stored per rdataset
			in a cache or zone database. This is configured
			with the new "max-records-per-type" option, and
			defaults to 100. (CVE-2024-1737)
			[GL #497] [GL #3405]

6401.	[security]	An excessively large number of rrtypes per owner can
			slow down database query processing, so a limit has been
			placed on the number of rrtypes that can be stored per
			owner (node) in a cache or zone database. This is
			configured with the new "max-rrtypes-per-name" option,
			and defaults to 100. (CVE-2024-1737)
			[GL #3403] [GL #4548]

Does not change db methods like 9.18 fix. It makes limits set at build
time and fixed numbers, but does not need adjusting db interface to set
new limits.

Resolves: RHEL-49900
2024-08-27 22:29:25 +02:00
Petr Menšík
ad377f82ce Resolve CVE-2024-1975
6404.	[security]	Remove SIG(0) support from named as a countermeasure
			for CVE-2024-1975. [GL #4480]

Resolves: RHEL-50350
2024-08-27 22:27:20 +02:00
Petr Menšík
1cd66a1c12 Increase size of hazard pointer array
Extends even more change Downstream specific changes related to KeyTrap,
which added safety guards into hazard pointers. Because it seems they
are not still enough. Add fixed base to accomodate common threads like
main app thread and ldap worker threads. Multiply one more, just to be
sure. We do not want to hit maximal limit again.

Resolves: RHEL-39131
2024-07-09 16:36:12 +02:00
Petr Menšík
f8826d54eb Ensure bind CVE fixes hits public Stream repository
Builds were made, but did not hit public repositories. Errata for RHEL
were done before these could be published, but we need another errata
just for CentOS Stream.

Resolves: RHEL-25130 RHEL-25132  RHEL-25162 RHEL-25166 RHEL-25169 RHEL-25173
2024-05-28 20:00:46 +02:00
Petr Menšík
86862fc8d8 Fixes of CVE-2023-50387 and CVE-2023-50868 caused ABI change
Enforce updated rebuild is accepted only, conflict with older builds

; Related: CVE-2023-50387 CVE-2023-50868
Related: RHEL-25397 RHEL-25386
2024-04-16 21:26:11 +02:00
Petr Menšík
c3e15c4a64 Stop crashes at masterformat system tests
Fix of CVE-2023-6516 has changed format of map file and masterformat has
started crashing. Adjust test values to pass cleanly.

Related: RHEL-25375
; Related: CVE-2023-6516
2024-03-26 12:05:32 +01:00
Petr Menšík
02426200e2 Downstream specific changes related to KeyTrap
Fix for CVE-2023-50387 introduced new additional thread. But because
isc_hp functions were removed from later bind 9.16 release, their
changes did not contain increase of hazard pointers max thread limit.
To prevent obscure memory corruption increase thread max size.

In addition place at least few INSISTs to check this is catched before
random memory overwrites begins. It would be quite difficult to track
without any check.

Resolves: RHEL-25386
; Resolves: CVE-2023-50387
2024-03-26 12:05:32 +01:00
Petr Menšík
650ecb34a1 Add mctx attach/detach when creating/destroying a memory pool
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.

Related: RHEL-25386
; Related: CVE-2023-50387
2024-03-26 12:05:32 +01:00
Petr Menšík
cfba145ce5 Define variables used for test variants
Patch171 introduces undefined variables, which may fail some tests.
Define them to empty values. Also required python3-dns with SYSTEMTEST
feature enabled.

Related: RHEL-25342
; Related: CVE-2023-4408
2024-03-26 12:05:32 +01:00
Petr Menšík
f8725ad962 Allow testing from more recent Fedora by skipping python rule
More recent python3 module ply does not accept statements used in
isc/policy.py, which generates parsetab.py. Allow to skip that target on
local only fedora builds.

Related: RHEL-25342
; Related: CVE-2023-4408
2024-03-26 12:05:32 +01:00
Petr Menšík
5dc319b2a8 Import tests for large DNS messages fix
Tests part of fixes of CVE-2023-4408.

Related: RHEL-25342
; Related: CVE-2023-4408
2024-03-26 12:05:32 +01:00
Petr Menšík
e919059dfa Prevent increased CPU consumption in DNSSEC validator
KeyTrap - Extreme CPU consumption in DNSSEC validator. Preparing an
NSEC3 closest encloser proof can exhaust CPU resources.

6322.	[security]	Specific DNS answers could cause a denial-of-service
			condition due to DNS validation taking a long time.
			(CVE-2023-50387) [GL #4424]

Resolves: RHEL-25397 RHEL-25386
; Resolves: CVE-2023-50387 CVE-2023-50868
2024-03-26 12:05:32 +01:00
Petr Menšík
2efe6d155b Specific recursive query patterns may lead to an out-of-memory condition
6319.	[security]	Query patterns that continuously triggered cache
			database maintenance could exhaust all available memory
			on the host running named. (CVE-2023-6516) [GL #4383]

Resolves: RHEL-25375
; Resolves: CVE-2023-6516
2024-03-26 12:05:32 +01:00
Petr Menšík
e51b6b2b70 Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.

6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
			(CVE-2023-5679) [GL #4334]

Resolves: RHEL-25364
; Resolves: CVE-2023-5679
2024-03-26 12:05:32 +01:00
Petr Menšík
e09e829119 Prevent assertion failure when nxdomain-redirect is used with
RFC 1918 reverse zones

6316.	[security]	Specific queries could trigger an assertion check with
			nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]

Resolves: RHEL-25353
; Resolves: CVE-2023-5517
2024-03-26 12:05:32 +01:00
Petr Menšík
deeca182e3 Prevent increased CPU load on large DNS messages
6315.	[security]	Speed up parsing of DNS messages with many different
			names. (CVE-2023-4408) [GL #4234]
6321.	[security]	Change 6315 inadvertently introduced regressions that
			could cause named to crash. [GL #4234]
6343.	[bug]		Fix case insensitive setting for isc_ht hashtable.

Resolves: RHEL-25342
; Resolves: CVE-2023-4408
2024-03-26 12:05:22 +01:00
Petr Menšík
2b46612566 Update addresses of b.root-servers.net
https://b.root-servers.org/news/2023/05/16/new-addresses.html

Resolves: RHEL-18188
2023-12-07 15:20:38 +01:00
Petr Menšík
814f798219 Fix CVE-2023-3341
6245.	[security]	Limit the amount of recursion that can be performed
			by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]

Resolves: RHEL-5239
2023-09-20 13:22:16 +02:00
Petr Menšík
12f1cd3444 Fix CVE-2023-2911
6192.	[security]	A query that prioritizes stale data over lookup
			triggers a fetch to refresh the stale data in cache.
			If the fetch is aborted for exceeding the recursion
			quota, it was possible for 'named' to enter an infinite
			callback loop and crash due to stack overflow. This has
			been fixed. (CVE-2023-2911) [GL #4089]

Resolves: CVE-2023-2911
2023-07-19 18:24:02 +02:00
Petr Menšík
d6566b65ba Fix CVE-2023-2828
6190.	[security]	Improve the overmem cleaning process to prevent the
			cache going over the configured limit. (CVE-2023-2828)
			[GL #4055]

Resolves: CVE-2023-2828
2023-07-19 18:09:09 +02:00
Petr Menšík
889db13e6f fixup! Have dns_zt_apply lock the zone table
Correct the change to include important locks.
Correct backport issue in statistics rendering fix.

Resolves: rhbz#2126912
2023-02-27 14:44:05 +01:00
Petr Menšík
dc3f4d28ab Fix small differences to upstream patches
Some small differences went unnoticed and cause system test upforwd
failure. Fix both code change and test to pass.

Resolves: CVE-2022-3094
2023-02-25 03:10:37 +01:00
Petr Menšík
512b305b43 Fix crash when soft-quota is reached and serve-stale is active
6067.	[security]	Fix serve-stale crash when recursive clients soft quota
			is reached. (CVE-2022-3924) [GL #3619]

Resolves: CVE-2022-3924
2023-02-09 17:52:04 +01:00
Petr Menšík
288db36de7 Handle RRSIG queries when server-stale is active
6066.	[security]	Handle RRSIG lookups when serve-stale is active.
			(CVE-2022-3736) [GL #3622]

Resolves: CVE-2022-3736
2023-02-09 17:28:30 +01:00
Petr Menšík
495baa1377 test failure conditions
verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.

verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.

Related: CVE-2022-3094
2023-02-08 18:47:31 +01:00
Petr Menšík
a85d02f014 Prevent flooding with UPDATE requests
6064.	[security]	An UPDATE message flood could cause named to exhaust all
			available memory. This flaw was addressed by adding a
			new "update-quota" statement that controls the number of
			simultaneous UPDATE messages that can be processed or
			forwarded. The default is 100. A stats counter has been
			added to record events when the update quota is
			exceeded, and the XML and JSON statistics version
			numbers have been updated. (CVE-2022-3094) [GL #3523]

Resolves: CVE-2022-3094
2023-02-08 18:47:31 +01:00
Petr Menšík
ca0f46336e Add include to rwlocktype_t to dns/zt.h
It got broken as part of bug #2101712 fix. Introduced new definition,
which passes during bind build, but breaks bind-dyndb-ldap build.

Resolves: rhbz#2162795
2023-01-21 00:03:05 +01:00
Petr Menšík
5a8535ebc5 Have dns_zt_apply lock the zone table
There where a number of places where the zone table should have
been locked, but wasn't, when dns_zt_apply was called.

Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
all calls to using it.  Removed locks in callers.

Backported and modified upstream commit e5068a7e24d7ace5ed7e8fdd3ff789dcc4c10fe8

Resolves: rhbz#2101712
2022-11-10 11:21:26 +01:00
Petr Menšík
60ab1e48dc Add %_libdir/named to bind-chroot
That directory is referenced by /etc/bind-chroot.files, but is not part
of the package. Fix that.

Resolves: rhbz#2129466
2022-10-04 20:14:10 +02:00
Petr Menšík
1594280edc Bound the amount of work performed for delegations
5957.	[security]	Prevent excessive resource use while processing large
			delegations. (CVE-2022-2795) [GL #3394]

Resolves: CVE-2022-2795
2022-10-04 19:52:37 +02:00
Petr Menšík
7b05fe1bfb Fix CVE-2022-38178
5962.	[security]	Fix memory leak in EdDSA verify processing.
			(CVE-2022-38178) [GL #3487]

Resolves: CVE-2022-38178
2022-09-22 22:14:56 +02:00
Petr Menšík
55958c1edb Fix CVE-2022-38177
5961.	[security]	Fix memory leak in ECDSA verify processing.
			(CVE-2022-38177) [GL #3487]

Resolves: CVE-2022-38177
2022-09-22 22:14:56 +02:00
Petr Menšík
e69de99fb9 Fix CVE-2022-3080
5960.	[security]	Fix serve-stale crash that could happen when
			stale-answer-client-timeout was set to 0 and there was
			a stale CNAME in the cache for an incoming query.
			(CVE-2022-3080) [GL #3517]

Resolves: CVE-2022-3080
2022-09-22 22:14:55 +02:00
Petr Menšík
f05e2e34bd Export bind-doc package
ARM is useful resource and should be shipped also to customers.

Resolves: rhbz#2104863
2022-07-14 13:36:32 +02:00
Petr Menšík
4cefc72f11 Add tests for forwarder cache poisoning scenarios
- Check that an NS in an authority section returned from a forwarder
  which is above the name in a configured "forward first" or "forward
  only" zone (i.e., net/NS in a response from a forwarder configured for
  local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent
  in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of zone
  configured locally.
- Check that an extra out-of-bailiwick data in the answer section is
  not cached (this was already working correctly, but was not explicitly
  tested before).

Related: CVE-2021-25220
2022-04-11 18:07:08 +02:00
Petr Menšík
68bb3ef214 Tighten cache protection against record from forwarders
5817.	[security]	The rules for acceptance of records into the cache
			have been tightened to prevent the possibility of
			poisoning if forwarders send records outside
			the configured bailiwick. (CVE-2021-25220) [GL #2950]

Resolves: CVE-2021-25220
2022-04-11 18:00:59 +02:00
Petr Menšík
021aeeed38 [CVE-2022-0396] Resolve #3112 TCP sockets stuck in CLOSE_WAIT
5818.	[security]	A synchronous call to closehandle_cb() caused
			isc__nm_process_sock_buffer() to be called recursively,
			which in turn left TCP connections hanging in the
			CLOSE_WAIT state blocking indefinitely when
			out-of-order processing was disabled. (CVE-2022-0396)
			[GL #3112]

Resolves: CVE-2022-0396
2022-03-25 21:03:37 +01:00
Petr Menšík
f35b435d1d Remove merged changes and update changed patch
Adjust downstream patches to changes made upstream.

Resolves: rhbz#2019573
2021-11-23 11:27:00 +01:00
Petr Menšík
befd906113 Update 9.16.23
Reloading a catalog zone which referenced a missing/deleted member zone
triggered a runtime check failure, causing named to exit prematurely.
This has been fixed. [GL #2308]

https://downloads.isc.org/isc/bind9/9.16.23/doc/arm/html/notes.html#notes-for-bind-9-16-23

Resolves: rhbz#2019573 CVE-2021-25219
2021-11-23 11:26:51 +01:00
Petr Menšík
5c9da7c5f9 Propagate system emphemeral ports to chroot
BIND reads default system port ranges from /proc file. Propagate just
that single file to bind chroot. Defaults should be therefore the same
as on named.service.

Resolves: rhbz#2013595
2021-10-13 12:27:59 +02:00
Petr Menšík
31b69a221c Remove the code to adjust listening interfaces for *-source-v6
Previously, named would run with a configuration where *-source-v6 (notify-source-v6,
transfer-source-v6 and query-source-v6) address and port could be simultaneously used
for listening. This is no longer true for BIND 9.16+ and the code that would do
interface adjustments would unexpectedly disable listening on TCP for such interfaces.

Resolves: rhbz#1999691
2021-10-12 13:32:02 +02:00
Petr Menšík
74c48aefdf Ensure return codes make it into generated dig manual
It seems patched version were not catched by build dependencies. Change
include modification to propagate it.

Resolves: rhbz#1989909
2021-10-12 12:55:14 +02:00
Petr Menšík
579299f7df Update gating for RHEL9 2021-08-26 12:45:34 +02:00