Commit Graph

1 Commits

Author SHA1 Message Date
Petr Menšík
b395b32cb5 [9.16] [CVE-2026-5946] sec: usr: Disable recursion, UPDATE, and NOTIFY for non-IN views
Recursion, dynamic updates (UPDATE), and zone change notifications
(NOTIFY) are now disabled for views with a class other than IN
(such as CHAOS or HESIOD); authoritative service for non-IN zones
(e.g. version.bind in class CHAOS) continues to work as before.
Servers configured with recursion yes in a non-IN view will log a
warning at startup, and named-checkconf flags the same condition.
UPDATE and NOTIFY messages that specify the meta-classes ANY or NONE
in the question section are now rejected with FORMERR.

This addresses a set of closely related security issues collectively
identified as CVE-2026-5946. ISC would like to thank Mcsky23 for
bringing these issues to our attention.

[9.16] fix: dev: Pass empty string instead of NULL to ns_client_dumpmessage()

Pass "" instead of NULL to ns_client_dumpmessage() to get the log message printed.

Resolves-Vulnerability: CVE-2026-5946
Resolves: RHEL-177764
2026-06-24 14:56:58 +02:00