Do not introduce new options into configuration file. But if limits are
hit in unexpected way, allow tuning them by environment variables
DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept number of
maximum records of types. Both defaults to 100.
These replaces max-records-per-type and max-types-per-name in later
versions. But can be configured only by environment and can be
configured only globally, not in each view or zone.
Related: RHEL-49900
6403. [security] qctx-zversion was not being cleared when it should have
been leading to an assertion failure if it needed to be
reused. (CVE-2024-4076) [GL #4507]
Resolves: RHEL-49940
6400. [security] Excessively large rdatasets can slow down database
query processing, so a limit has been placed on the
number of records that can be stored per rdataset
in a cache or zone database. This is configured
with the new "max-records-per-type" option, and
defaults to 100. (CVE-2024-1737)
[GL #497] [GL #3405]
6401. [security] An excessively large number of rrtypes per owner can
slow down database query processing, so a limit has been
placed on the number of rrtypes that can be stored per
owner (node) in a cache or zone database. This is
configured with the new "max-rrtypes-per-name" option,
and defaults to 100. (CVE-2024-1737)
[GL #3403] [GL #4548]
Does not change db methods like 9.18 fix. It makes limits set at build
time and fixed numbers, but does not need adjusting db interface to set
new limits.
Resolves: RHEL-49900
Extends even more change Downstream specific changes related to KeyTrap,
which added safety guards into hazard pointers. Because it seems they
are not still enough. Add fixed base to accomodate common threads like
main app thread and ldap worker threads. Multiply one more, just to be
sure. We do not want to hit maximal limit again.
Resolves: RHEL-39131
Builds were made, but did not hit public repositories. Errata for RHEL
were done before these could be published, but we need another errata
just for CentOS Stream.
Resolves: RHEL-25130 RHEL-25132 RHEL-25162 RHEL-25166 RHEL-25169 RHEL-25173
Fix of CVE-2023-6516 has changed format of map file and masterformat has
started crashing. Adjust test values to pass cleanly.
Related: RHEL-25375
; Related: CVE-2023-6516
Fix for CVE-2023-50387 introduced new additional thread. But because
isc_hp functions were removed from later bind 9.16 release, their
changes did not contain increase of hazard pointers max thread limit.
To prevent obscure memory corruption increase thread max size.
In addition place at least few INSISTs to check this is catched before
random memory overwrites begins. It would be quite difficult to track
without any check.
Resolves: RHEL-25386
; Resolves: CVE-2023-50387
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.
Related: RHEL-25386
; Related: CVE-2023-50387
Patch171 introduces undefined variables, which may fail some tests.
Define them to empty values. Also required python3-dns with SYSTEMTEST
feature enabled.
Related: RHEL-25342
; Related: CVE-2023-4408
More recent python3 module ply does not accept statements used in
isc/policy.py, which generates parsetab.py. Allow to skip that target on
local only fedora builds.
Related: RHEL-25342
; Related: CVE-2023-4408
KeyTrap - Extreme CPU consumption in DNSSEC validator. Preparing an
NSEC3 closest encloser proof can exhaust CPU resources.
6322. [security] Specific DNS answers could cause a denial-of-service
condition due to DNS validation taking a long time.
(CVE-2023-50387) [GL #4424]
Resolves: RHEL-25397 RHEL-25386
; Resolves: CVE-2023-50387 CVE-2023-50868
6319. [security] Query patterns that continuously triggered cache
database maintenance could exhaust all available memory
on the host running named. (CVE-2023-6516) [GL #4383]
Resolves: RHEL-25375
; Resolves: CVE-2023-6516
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
Resolves: RHEL-25364
; Resolves: CVE-2023-5679
RFC 1918 reverse zones
6316. [security] Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
Resolves: RHEL-25353
; Resolves: CVE-2023-5517
6315. [security] Speed up parsing of DNS messages with many different
names. (CVE-2023-4408) [GL #4234]
6321. [security] Change 6315 inadvertently introduced regressions that
could cause named to crash. [GL #4234]
6343. [bug] Fix case insensitive setting for isc_ht hashtable.
Resolves: RHEL-25342
; Resolves: CVE-2023-4408
6192. [security] A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache.
If the fetch is aborted for exceeding the recursion
quota, it was possible for 'named' to enter an infinite
callback loop and crash due to stack overflow. This has
been fixed. (CVE-2023-2911) [GL #4089]
Resolves: CVE-2023-2911
6190. [security] Improve the overmem cleaning process to prevent the
cache going over the configured limit. (CVE-2023-2828)
[GL #4055]
Resolves: CVE-2023-2828
verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.
verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.
Related: CVE-2022-3094
6064. [security] An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated. (CVE-2022-3094) [GL #3523]
Resolves: CVE-2022-3094
It got broken as part of bug #2101712 fix. Introduced new definition,
which passes during bind build, but breaks bind-dyndb-ldap build.
Resolves: rhbz#2162795
There where a number of places where the zone table should have
been locked, but wasn't, when dns_zt_apply was called.
Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
all calls to using it. Removed locks in callers.
Backported and modified upstream commit e5068a7e24d7ace5ed7e8fdd3ff789dcc4c10fe8
Resolves: rhbz#2101712
5960. [security] Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query.
(CVE-2022-3080) [GL #3517]
Resolves: CVE-2022-3080
- Check that an NS in an authority section returned from a forwarder
which is above the name in a configured "forward first" or "forward
only" zone (i.e., net/NS in a response from a forwarder configured for
local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent
in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of zone
configured locally.
- Check that an extra out-of-bailiwick data in the answer section is
not cached (this was already working correctly, but was not explicitly
tested before).
Related: CVE-2021-25220
5817. [security] The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside
the configured bailiwick. (CVE-2021-25220) [GL #2950]
Resolves: CVE-2021-25220
5818. [security] A synchronous call to closehandle_cb() caused
isc__nm_process_sock_buffer() to be called recursively,
which in turn left TCP connections hanging in the
CLOSE_WAIT state blocking indefinitely when
out-of-order processing was disabled. (CVE-2022-0396)
[GL #3112]
Resolves: CVE-2022-0396
BIND reads default system port ranges from /proc file. Propagate just
that single file to bind chroot. Defaults should be therefore the same
as on named.service.
Resolves: rhbz#2013595
Previously, named would run with a configuration where *-source-v6 (notify-source-v6,
transfer-source-v6 and query-source-v6) address and port could be simultaneously used
for listening. This is no longer true for BIND 9.16+ and the code that would do
interface adjustments would unexpectedly disable listening on TCP for such interfaces.
Resolves: rhbz#1999691