Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. 6317. [security] Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334] Resolves: RHEL-25370 ; Resolves: CVE-2023-5679
This commit is contained in:
parent
b734ab50d3
commit
3fb3b2d2bd
37
bind-9.16-CVE-2023-5679.patch
Normal file
37
bind-9.16-CVE-2023-5679.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Mon, 12 Feb 2024 20:41:43 +0100
|
||||||
|
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
|
||||||
|
|
||||||
|
Enabling both DNS64 and serve-stale may cause an assertion failure
|
||||||
|
during recursive resolution.
|
||||||
|
|
||||||
|
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
|
||||||
|
(CVE-2023-5679) [GL #4334]
|
||||||
|
|
||||||
|
Resolves: CVE-2023-5679
|
||||||
|
---
|
||||||
|
lib/ns/query.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||||
|
index cc1d179..1993800 100644
|
||||||
|
--- a/lib/ns/query.c
|
||||||
|
+++ b/lib/ns/query.c
|
||||||
|
@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
|
||||||
|
query_ctx_t qctx;
|
||||||
|
|
||||||
|
qctx_init(client, NULL, client->query.qtype, &qctx);
|
||||||
|
+ if (DNS64(client)) {
|
||||||
|
+ qctx.qtype = qctx.type = dns_rdatatype_a;
|
||||||
|
+ qctx.dns64 = true;
|
||||||
|
+ }
|
||||||
|
+ if (DNS64EXCLUDE(client)) {
|
||||||
|
+ qctx.dns64_exclude = true;
|
||||||
|
+ }
|
||||||
|
dns_db_attach(client->view->cachedb, &qctx.db);
|
||||||
|
client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
|
||||||
|
client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
@ -131,6 +131,7 @@ Patch188: bind-9.16-CVE-2023-2828.patch
|
|||||||
Patch189: bind-9.16-CVE-2023-3341.patch
|
Patch189: bind-9.16-CVE-2023-3341.patch
|
||||||
Patch194: bind-9.16-CVE-2023-4408.patch
|
Patch194: bind-9.16-CVE-2023-4408.patch
|
||||||
Patch195: bind-9.16-CVE-2023-5517.patch
|
Patch195: bind-9.16-CVE-2023-5517.patch
|
||||||
|
Patch196: bind-9.16-CVE-2023-5679.patch
|
||||||
|
|
||||||
%{?systemd_ordering}
|
%{?systemd_ordering}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -446,6 +447,7 @@ in HTML and PDF format.
|
|||||||
%patch189 -p1 -b .CVE-2023-3341
|
%patch189 -p1 -b .CVE-2023-3341
|
||||||
%patch194 -p1 -b .CVE-2023-4408
|
%patch194 -p1 -b .CVE-2023-4408
|
||||||
%patch195 -p1 -b .CVE-2023-5517
|
%patch195 -p1 -b .CVE-2023-5517
|
||||||
|
%patch196 -p1 -b .CVE-2023-5679
|
||||||
|
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11}
|
||||||
%patch135 -p1 -b .config-pkcs11
|
%patch135 -p1 -b .config-pkcs11
|
||||||
@ -1169,6 +1171,7 @@ fi;
|
|||||||
- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
|
- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
|
||||||
- Prevent assertion failure when nxdomain-redirect is used with
|
- Prevent assertion failure when nxdomain-redirect is used with
|
||||||
RFC 1918 reverse zones (CVE-2023-5517)
|
RFC 1918 reverse zones (CVE-2023-5517)
|
||||||
|
- Prevent assertion failure if DNS64 and serve-stale is used (CVE-2023-5679)
|
||||||
|
|
||||||
* Wed Sep 20 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.16
|
* Wed Sep 20 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.16
|
||||||
- Limit the amount of recursion possible in control channel (CVE-2023-3341)
|
- Limit the amount of recursion possible in control channel (CVE-2023-3341)
|
||||||
|
Loading…
Reference in New Issue
Block a user